Ldapsearch for DSfW

  • 7003070
  • 21-Apr-2009
  • 02-Jun-2016


Novell Open Enterprise Server 11.1 (OES 11SP1)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Domain Services for Windows


How to do ldapsearches with DSfW and a list of searches to perform for troubleshooting.

A list of helpful ldapsearches for troubleshooting.


Before doing an ldapsearch on a DSfW server always export the ldap.conf file for the external method or export the SASL_PATH for the GSS-SPNEGO method and the GSSAPI method.  Otherwise you will need to do authenticated binds using the -x switch for simple binds, and depending if require tls is check export a *.der certificate file to do secure ldap searches using the  /opt/novell/eDirectory/bin/ldapsearch instead of the /usr/bin/ldapsearch.  The command 'which ldapsearch' will return the full path of the ldapsearch to be executed in the shell if only the ldapsearch command is used.

Export the LDAP Conf file for external method to path:

  • export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
  • An external method will start with ldapsearch -Y EXTERNAL
Export SASL_PATH for GSS-SPNEGO method to path:
  • kinit administrator@<your_domain.com>   e.g. kinit administrator@novell.com
  • export SASL_PATH=/opt/novell/xad/lib{64}/sasl2
  • Using the  GSS-SPNEGO method will use ldapsearch -Y GSS-SPNEGO
  • Using the GSSAPI method will be ldapsearch -Y GSSAPI
Domain subtree search dn:
  • ldapsearch -Y EXTERNAL -b "" -s sub dn
  • ldapsearch -Y GSS-SPNEGO -b "" -s sub dn
  • ldapsearch -Y GSSAPI -b "" -s sub dn

View domain name
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub objectClass=DomainDNS dn distinguishedName
Verify Administrator has been provisioned: 
  •  ldapsearch -Y EXTERNAL -LLL -Q -b cn=Administrator,cn=users,dc=mydomain,dc=com sAMAccountName
    • If sAMAccountNAME is not populated the user has not been provisioned.  Modify the user to kick off the provisioning process or use the domaincntrl --samify command
Return all users with out sAMAccountName
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(&(objectclass=user)(!(sAMAccountName=*)))' dn
Return all users with sAMAccountName
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(&(objectclass=user)(sAMAccountName=*))' dn
Verify a user has a supplementalcredentials set so that  the user can authenticate to DSfW
  • ldapsearch -Y EXTERNAL -LLL -Q -b cn=user1,dc=dsfw,dc=novell,dc=com -s base supplementalcredentials
    • If the attribute returned is empty then a password needs to be set.  Verify there is a password policy assigned to the domain or the user with iManager.  Then change the password from iManager using the set universal password task.
Return all users without supplementalcredentials
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(&(objectclass=user)(!(supplementalcredentials=*)))' dn

Verify the krbtgt principal has keys set:

  • ldapsearch -Y EXTERNAL -LLL -Q -b cn=krbtgt,cn=users,dc=dsfw,dc=novell,dc=com -s base unicodepwd supplementalcredentials
    • If the attributes are returned empty then a password needs to be set with the following command:    setpassword -DNOSf -r -u krbtgt
Show objects with out the uniqueid attribute that is applied with oes2sp3 installs of DSfW
  • DEFAULTNAMINGCONTEXT=`/usr/bin/ldapsearch -x -b "" -s base defaultnamingcontext | grep -i 'defaultnamingcontext: ' | awk '{print $2}'`
  • /usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "$DEFAULTNAMINGCONTEXT" -s sub '(&(!(uniqueDomainID=*))(!(|(cn:dn:=Builtin)(cn:dn:=Configuration)(cn:dn:=ForeignSecurityPrincipals))))' dn
    • If objects in the domain are returned use the domaincntrl --samify command to add the attribute.  If domaincntrl --samify does not work and the server was upgraded, most likely the upgrade did not complete.  Check the /var/lop/novell/xad/log/ndsdcinit.log for errors.
Show the domainpartitionlist attribute that is added in oes2sp3
  • ldapsearch -Y EXTERNAL -LLL -Q -b "cn=partitions,cn=configuration,dc=dsfw,dc=novell,dc=com" -s one "(domainpartitionlist=*)" 
Show the crossRefReference attribute that is added in oes2sp3 
  • ldapsearch -Y EXTERNAL -LLL -Q -b "dc=dsfw,dc=novell,dc=com""(crossRefReference=*)" crossRefReference
Display password policies
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(objectclass=nspmpasswordpolicy)' dn: nspmpasswordpolicy
Verify Password policy assignment by searching for nspmPasswordPolicyDN attribute
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(nspmPasswordPolicyDN=*)' dn:  nspmPasswordPolicyDN
Display containers with a GPO linked
  • ldapsearch -Y EXTERNAL -Q -LLL -b "" -s sub '(&(gplink=*))' gplink
Display users with users that will not expire
  • ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(&(objectclass=user)(nspmDoNotExpirePassword=*))' dn:
Show LDAP mappings on the ldap group object
  • ldapsearch -Y EXTERNAL -b "" '(&(objectclass=ldapgroup))' ldapAttributeList
  • ldapsearch -Y EXTERNAL -b "" '(&(objectclass=ldapgroup))' ldapClassList
Display attributes that are members of the partial attribute set
  •  ldapsearch -Y EXTERNAL -LLL -Q -b "" "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" dn
Return netlogon information
  • ldapsearch -H cldap://localhost:389 "(&(DnsDomain=dsfw.novell.com)(Host=dsfw_server.dsfw.novell.com)(NtVer=\006))" -b "" -s base  netlogon 2>&1 | grep netlogon
    • Replace dsfw_server with the DSfW server name and dsfw.novell.com with the name of the domain to search on
Find out the value for the next rid
  • ldapsearch -Y EXTERNAL -LLL -Q -s base -b "cn=rid set,cn=dsfw_server,ou=domain controllers,dc=dsfw,dc=novell,dc=com" rIDNextRID dn -LLL -Q
    • Replace cn=dsfw_server with the DSfW server name that is the rid master and dc=dsfw,dc=novell,dc=com with the name of the domain to search on.
Troubleshoot SPNEGO/GSSAPI LDAP bind failure:
  • Start ndstrace with TIME, TAGS, VCLN, ABUF, SRCH, LDAP, AREQ, RECM (some times +TIME +TAGS, and +DBG will suffice.  See KB 7009602 for more info on how to do the ndstrace)
  •  While taking the ndstrace run the following kinit and ldapsearch commands:
  •  kinit Administrator
  •  ldapsearch -Y GSSAPI -b cn=Administrator,cn=users,dc=mydomain,dc=com -s base "objectclass=*"
  •  Look at the /var/opt/novell/eDirectory/ndsd/log/ndstrace.log for errors