# ldaptool

CLI tool to query LDAP/AD servers

* Configuration file to configure "realms"
  * DNS domain (mapping to LDAP search base as DC labels)
  * LDAP servers in that domain
  * Bind account
  * Integration with password managers
* Various output formats
  * Classic LDIF
  * JSON stream (with detailed or simplified attribute values)
  * CSV
  * Markdown table with stretched columns (for viewing in CLI/for monospace fonts)
* Decodes certain well-known attributes (UUIDs, timestamps, SID, userAccountControl)
* Requires server to support [RFC 2696: Simple Paged Results](https://www.rfc-editor.org/rfc/rfc2696) for proper pagination
  * By default the first 1000 entries are shown, and it errors if there are more results
  * Use `-all` to show all results

## Authentication, Protocol, Ports

`ldaptool` always uses TLS for password-based authentication, and SASL GSS-API over non-TLS for Kerberos ones.

## Config file

Location: `~/.config/ldaptool.yaml`

### Realms

```yaml
realms:
  EXAMPLE:
    domain: "example.com"
    servers: server1 server2
    account: "bind@example.com"
    password_folder: mainaccounts
  EXAMPLE.admin:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_folder: adminaccounts
  EXAMPLE.admin2:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_file: localadmin2
    password_folder: adminaccounts
  SUB:
    domain: "sub.example.com"
    servers: subserver1 subserver2
    forest_root_domain: "example.com"
```

The `servers` field is a whitespace-separated list of hostnames in the domain.

If a password manager is used, the `password_file` (defaults to a name derived from `account`) and `password_folder` fields determine the name of the file ("secret") queried from the password manager. Here the following file names would be used:

* `EXAMPLE`: `mainaccounts/bind`
* `EXAMPLE.admin`: `adminaccounts/example.com/Admins/admin`
* `EXAMPLE.admin2`: `adminaccounts/localadmin2`

If the `account` field isn't present `ldaptool` always uses Kerberos; if `--krb` is used, `account` is ignored.

Windows AD has a concept of a "global catalog" across all domains in an AD forest; it uses separate ports (3268 without TLS and 3269 with TLS).
The `forest_root_domain` field can be used to set a search base for global catalog (`--gc`) queries (usually the forest root is the parent domain).

Unless specified with `--base` the search base is derived from `domain` (or `forest_root_domain` with `--gc`) as `DC=...` for each DNS label.
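
As an added example (not ldaptool's own code), the following reproduces how the realm fields above map to the search base and to the password-manager secret name, yielding the three file names listed. It assumes a simplified DN parser (split on `,` and `=`, no escape handling) and root-first ordering for nested OUs, which the README does not spell out.

```python
from typing import Optional

# Constructed from the README's example config above (same field names); a
# YAML parser is left out so the example runs without extra dependencies.
REALMS = {
    "EXAMPLE": {"domain": "example.com", "servers": "server1 server2",
                "account": "bind@example.com", "password_folder": "mainaccounts"},
    "EXAMPLE.admin": {"domain": "example.com", "servers": "server1 server2",
                      "account": "CN=admin,OU=Admins,DC=example,DC=com",
                      "password_folder": "adminaccounts"},
    "EXAMPLE.admin2": {"domain": "example.com", "servers": "server1 server2",
                       "account": "CN=admin,OU=Admins,DC=example,DC=com",
                       "password_file": "localadmin2",
                       "password_folder": "adminaccounts"},
    "SUB": {"domain": "sub.example.com", "servers": "subserver1 subserver2",
            "forest_root_domain": "example.com"},
}


def search_base(realm: dict, gc: bool = False) -> str:
    """Each DNS label becomes a DC= component; --gc switches to forest_root_domain."""
    domain = realm["domain"]
    if gc:
        domain = realm.get("forest_root_domain", domain)
    return ",".join(f"DC={label}" for label in domain.split("."))


def default_password_file(account: str) -> str:
    """Name derived from `account`: the UPN local part, or a DN turned into a path
    (domain from the DC labels, then OUs from the root down, then the CN).
    Assumption: simplified DN split on ',' and '=' with no escape handling."""
    if "@" in account:
        return account.split("@", 1)[0]
    rdns = [part.strip().split("=", 1) for part in account.split(",")]
    dc = [v for k, v in rdns if k.upper() == "DC"]
    ou = [v for k, v in rdns if k.upper() == "OU"]
    cn = [v for k, v in rdns if k.upper() == "CN"]
    return "/".join([".".join(dc)] + list(reversed(ou)) + cn)


def password_name(realm: dict) -> Optional[str]:
    """Secret name queried from the password manager; None means Kerberos is used."""
    if "account" not in realm:
        return None
    name = realm.get("password_file") or default_password_file(realm["account"])
    folder = realm.get("password_folder")
    return f"{folder}/{name}" if folder else name
```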

#### Script as password manager

```yaml
password-script: keyring local decrypt
```

This configures a script as password manager.

It either takes a string (split by [`shlex.split`](https://docs.python.org/3/library/shlex.html#shlex.split)) or a list of strings.
The password name is appended as last argument.

#### keyringer

```yaml
keyringer:
  keyring: yourkeyringname
  folder: ldapquery
```

This configures [`keyringer`](https://0xacab.org/rhatto/keyringer) (based on GPG) as password manager.

`keyringer` needs a "keyring" to search in, and you can (optionally) specify a folder to be
prefixed to the password names created from the realm.