CLI ldapsearch tool with json and table output
Stefan Bühler 474ee9383f ldaptool-0.2

Merge tag 'ldaptool-0.2' into debian

ldaptool-0.2
2023-04-28 17:21:18 +02:00
debian debian packaging 2023-04-28 14:41:50 +02:00
src/ldaptool enable tls unless kerberos is used (SASL GSS-API doesn't seem to work over TLS) 2023-04-28 17:20:46 +02:00
.gitignore Initial 2023-04-28 14:14:03 +02:00
.pycodestyle Initial 2023-04-28 14:14:03 +02:00
fmt.sh Initial 2023-04-28 14:14:03 +02:00
LICENSE Initial 2023-04-28 14:14:03 +02:00
lints.sh Initial 2023-04-28 14:14:03 +02:00
pyproject.toml KeePass support 2023-04-28 14:37:24 +02:00
README.md README.md: fix typo 2023-04-28 16:04:18 +02:00

ldaptool

CLI tool to query LDAP/AD servers

  • Configuration file to configure "realms"
    • DNS domain (mapping to ldap search base as DC labels)
    • LDAP servers in that domain
    • Bind account
    • Integration with password managers
  • Various output formats
    • Classic LDIF
    • JSON stream (with detailed or simplified attribute values)
    • CSV
    • Markdown table with stretched columns (for viewing in the CLI / with monospace fonts)
  • Decodes certain well-known attributes (UUIDs, Timestamps, SID, userAccountControl)
  • Requires the server to support RFC 2696 (Simple Paged Results) for proper pagination
    • By default only the first 1000 entries are shown; it errors if there are more results
    • Use --all to show all results

Authentication, Protocol, Ports

ldaptool always uses TLS for password-based authentication, and SASL GSS-API over non-TLS for Kerberos authentication.

Config file

Location: ~/.config/ldaptool.yaml

Realms

realms:
  EXAMPLE:
    domain: "example.com"
    servers: server1 server2
    account: "bind@example.com"
    password_folder: mainaccounts
  EXAMPLE.admin:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_folder: adminaccounts
  EXAMPLE.admin2:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_file: localadmin2
    password_folder: adminaccounts
  SUB:
    domain: "sub.example.com"
    servers: subserver1 subserver2
    forest_root_domain: "example.com"

The servers field is a whitespace-separated list of hostnames in the domain.

If a password manager is used, the password_file field (defaults to a name derived from account) and the password_folder field determine the name of the file ("secret") queried from the password manager. For the realms above the following file names would be used:

  • EXAMPLE: mainaccounts/bind
  • EXAMPLE.admin: adminaccounts/example.com/Admins/admin
  • EXAMPLE.admin2: adminaccounts/localadmin2

If the account field isn't present, ldaptool always uses Kerberos; if --krb is used, account is ignored.

Windows AD has a concept of a "global catalog" across all domains in an AD forest; it uses separate ports (3268 without TLS and 3269 with TLS). The forest_root_domain field can be used to set the search base for global catalog (--gc) queries (usually the forest root is the parent domain).

Unless specified with --base the search base is derived from domain (or forest_root_domain with --gc) as DC=... for each DNS label.

Script as password manager

password-script: keyring local decrypt

This configures a script as the password manager.

password-script takes either a string (split with shlex.split) or a list of strings. The password name is appended as the last argument.
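The search-base derivation, the password-file naming for the three example realms above, and the argument handling of password-script, worked through as an added example in Python. This is not ldaptool's own code; the Realm dataclass, the RDN splitter and the outer-to-inner ordering of nested OUs are assumptions made here, and the inputs are taken from the sample config on this page.

```python
import shlex
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class Realm:
    """Assumed simplified model of one realm entry from ~/.config/ldaptool.yaml."""
    domain: str
    account: Optional[str] = None
    password_folder: Optional[str] = None
    password_file: Optional[str] = None
    forest_root_domain: Optional[str] = None


def search_base(realm: Realm, gc: bool = False) -> str:
    """DC=... for each DNS label; with --gc the forest root domain is used."""
    domain = realm.forest_root_domain if gc and realm.forest_root_domain else realm.domain
    return ",".join(f"DC={label}" for label in domain.split("."))


def parse_dn(dn: str) -> list:
    """Minimal RDN splitter (assumption: no escaped commas or '=' in values)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def default_password_name(account: str) -> str:
    """Name derived from account: local part of a UPN, or domain/OU.../CN of a DN."""
    if "@" in account:
        return account.split("@", 1)[0]
    rdns = parse_dn(account)
    dc = ".".join(v for a, v in rdns if a == "DC")
    ous = [v for a, v in rdns if a == "OU"]          # DN lists innermost OU first
    cn = [v for a, v in rdns if a == "CN"]
    return "/".join(p for p in [dc, *reversed(ous), *cn] if p)


def password_name(realm: Realm) -> Optional[str]:
    """Full secret name, or None when no account is set (Kerberos is used instead)."""
    if realm.account is None:
        return None
    name = realm.password_file or default_password_name(realm.account)
    return f"{realm.password_folder}/{name}" if realm.password_folder else name


def script_argv(password_script: Union[str, list], name: str) -> list:
    """password-script as string (shlex-split) or list; secret name appended last."""
    argv = shlex.split(password_script) if isinstance(password_script, str) else list(password_script)
    return argv + [name]
```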

keyringer

keyringer:
  keyring: yourkeyringname
  folder: ldapquery

This configures keyringer (based on GPG) as password manager.

keyringer needs a "keyring" to search in, and you can optionally specify a folder that is prefixed to the password names created from the realm.

keepass

keepass: /home/me/mypasswords.kdbx

This configures KeePass as password manager; it will prompt for your master password every time.