
LDAP Command Examples

This section explains how to use the ldapdelete, ldapmodify, and ldapsearch utilities to configure the server.

Searching for Records

You can use the ldapsearch command to extract information from the LDAP tree. The ldapsearch command can be used to find sessions either by a specific NAS or by a combination of NAS and session start time. The command shown in Figure 201 lets you extract information about all RADIUS Native Users.

Figure 201: ldapsearch Command

Note: The LCI limits a query to 100 records when you search for current sessions using the ldapsearch utility. This prevents any LCI query from destabilizing either the SBRC on which it is running or the SSR itself by holding record locks while reading.

Make sure to include a blank space between each option (for example, -p) and its value (for example, 354). Command syntax is case-sensitive. See Table 61.

Table 61: Searching for Records Using the ldapsearch Command

ldapsearch Option

Meaning

-V 2

Use LDAP Version 2 to communicate with the server.

This option is not required, but it improves the performance of the transaction.

Note: You must use the -P 2 option in the following conditions:

  • On a Solaris machine, if you use the LDAP version 2 that is shipped with the SBR Carrier package.
  • On a Linux machine, if you use the LDAP version 2 that is installed in your system.

Note: The LDAP interface in SBR Carrier complies only with version 2 of the LDAP specification.

-p 354

Use TCP port 354 to communicate with the LDAP interface of the server.

The -p value must match the TCP port setting in the [LDAP] section of radius.ini. If the -p option is not specified, the LDAP utilities contact Steel-Belted Radius Carrier on the default port number (TCP port 389).

-h 192.168.45.12

Contact a remote host at the specified address or name.

By default, ldapsearch tries to connect to the local host.

-D "cn=oper,o=radius"

Use the oper administrative account to authenticate the command.

Note: You can use any administrative account name in place of oper in this example. Do not change the o=radius argument.

-w radadmin

Use an authentication password of radadmin.

Note: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter.

-s sub

Perform a recursive subtree search from the base.

-T

Do not wrap long output lines to the next line.

-b "radiusclass=Client,o=radius"

Specifies the base from which the search operation starts.

radiusname=*

Specifies the selection criteria for the search.

Executing the ldapsearch command shown in Figure 201 against a Steel-Belted Radius Carrier server containing two Native User definitions produces an LDIF file similar to the output shown in Figure 202.

Figure 202: Search Results

Modifying Records

You can use the ldapmodify utility to update the Steel-Belted Radius Carrier configuration.

ldapmodify -c -V 2 -h example.host.com -p 354
-D "cn=oper,o=radius" -w radadmin -f filename

Be sure to include a blank space between each option (for example, -p) and its value (for example, 354). Command syntax is case-sensitive. See Table 62.

Table 62: Modifying Records Using the ldapmodify Command

ldapmodify Option

Meaning

-c

Run the command in continuous mode; do not stop on errors.

-V 2

Use LDAP Version 2 to communicate with the server.

This option is not required, but it improves the performance of the transaction.

Note: You must use the -P 2 option in the following conditions:

  • On a Solaris machine, if you use the LDAP version 2 that is shipped with the SBR Carrier package.
  • On a Linux machine, if you use the LDAP version 2 that is installed in your system.

Note: The LDAP interface in SBR Carrier complies only with version 2 of the LDAP specification.

-h example.host.com

Contact a remote host at the specified address or name.

If the -h option is not used, ldapsearch connects to the local database.

-p 354

Use TCP port 354 to communicate with the LDAP interface of the server.

The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the LDAP utilities contact Steel-Belted Radius Carrier on the default port number (TCP port 389).

-D "cn=oper,o=radius"

Use the oper administrative account to authenticate the command.

Note: You can use any administrative account name in place of oper in this example. Do not change the o=radius argument.

-w radadmin

Use an authentication password of radadmin.

Note: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter.

-f filename

Specifies the input LDIF file to process.

The LDIF files generated by ldapsearch differ from those required for input to ldapmodify. The ldapmodify input files must contain a changetype entry immediately after each dn entry. The changetype entry specifies how to use the data to change the LDAP database.

The full syntax for changetype within each transaction is as follows:

dn: distinguished-name-of-entry
changetype: keyword
subkeyword: attribute
attribute: value
changetype: keyword
subkeyword: attribute
attribute: value
.
.
.

Where:

  • keyword can be add, modify, or delete.
  • subkeyword can be (respectively): add, replace, or delete.
  • attribute can be any LDAP attribute in the entry.
  • value is the value to assign to the attribute.

Repeated changetype: keyword entries are not required within a transaction unless you change the keyword. From top to bottom within the transaction, the latest keyword applies until another changetype: keyword entry is provided. The following syntax is valid if the same keyword applies throughout the transaction:

dn: distinguished-name-of-entry
changetype: keyword
subkeyword: attribute
attribute: value
subkeyword: attribute
attribute: value
subkeyword: attribute
attribute: value
.
.
.

subkeyword: attribute entries are optional and indicate that you want to apply the change to a specific attribute within the entry. If the transaction contains no subkeyword: attribute entries, the change applies to the entire entry. For example, it is faster to delete an entire entry:

dn: radiusname=TINYCO.COM,radiusclass=Proxy,o=radius
changetype: delete

but if you want to delete only a few attributes from the entry, you can do so:

dn: radiusname=TINYCO.COM,radiusclass=Proxy,o=radius
changetype: delete
delete: retry-count
-
delete: include-in-auth-list

If the subkeyword is add or replace, an attribute: value entry must appear immediately following the subkeyword: attribute entry. If the subkeyword is delete, the attribute: value entry does not apply and should be omitted.
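The layout rules above (dn: first, changetype: immediately after it, a value line after every add: or replace: subkeyword, none after delete:, and "-" between modifications) can be checked before a file is handed to ldapmodify -c, where a malformed transaction would otherwise be skipped silently in continuous mode. The following Python checker is an added example and is not part of the SBR Carrier product or its documentation. It validates the two TINYCO.COM transactions from the text plus a constructed third transaction for a hypothetical USER9 entry that omits the required value line; it checks structure only and does not enforce the pairing of changetype keywords with subkeywords.

```python
KEYWORDS = {"add", "modify", "delete"}        # valid changetype: values
SUBKEYWORDS = {"add", "replace", "delete"}    # valid subkeywords within a transaction

# Constructed input: the two TINYCO.COM transactions shown above, followed by a
# hypothetical USER9 transaction in which 'add: profile' is not followed by the
# required 'profile: value' line.
TRANSACTIONS = """\
dn: radiusname=TINYCO.COM,radiusclass=Proxy,o=radius
changetype: delete

dn: radiusname=TINYCO.COM,radiusclass=Proxy,o=radius
changetype: delete
delete: retry-count
-
delete: include-in-auth-list

dn: radiusname=USER9,radiusclass=native-user,o=radius
changetype: modify
add: profile
-
replace: password
password: newsecret
"""


def split_transactions(text):
    """Split an LDIF file into transactions; a blank line ends a transaction."""
    transactions, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            transactions.append(current)
            current = []
    if current:
        transactions.append(current)
    return transactions


def check_transaction(lines):
    """Return a list of layout problems in one transaction (empty list = OK)."""
    problems = []
    if not lines[0].startswith("dn: "):
        return ["transaction must begin with a dn: line"]
    if len(lines) < 2 or not lines[1].startswith("changetype: "):
        return ["changetype: must immediately follow the dn: line"]
    pending = None  # (subkeyword, attribute) still waiting for its 'attribute: value' line
    for number, line in enumerate(lines[1:], start=2):
        if line == "-":  # separator between modifications
            if pending:
                problems.append(f"line {number}: {pending[0]}: {pending[1]} has no '{pending[1]}: value' line")
                pending = None
            continue
        if ": " not in line:
            problems.append(f"line {number}: expected 'name: value', got {line!r}")
            continue
        name, value = line.split(": ", 1)
        if name == "changetype":
            if value not in KEYWORDS:
                problems.append(f"line {number}: unknown changetype {value!r}")
            if pending:
                problems.append(f"line {number}: {pending[0]}: {pending[1]} has no '{pending[1]}: value' line")
                pending = None
        elif pending:
            # The line right after add:/replace: must carry the value for that attribute.
            if name != pending[1]:
                problems.append(f"line {number}: expected '{pending[1]}: value' after {pending[0]}: {pending[1]}")
            pending = None
        elif name in SUBKEYWORDS:
            if name in ("add", "replace"):
                pending = (name, value)       # delete: takes no value line
        else:
            problems.append(f"line {number}: {name!r} is not a subkeyword and no add:/replace: precedes it")
    if pending:
        problems.append(f"end of transaction: {pending[0]}: {pending[1]} has no '{pending[1]}: value' line")
    return problems


def check_ldif(text):
    """Return [(dn, problems), ...] for every transaction in the file."""
    return [(t[0][len("dn: "):], check_transaction(t)) for t in split_transactions(text)]


if __name__ == "__main__":
    for dn, problems in check_ldif(TRANSACTIONS):
        print(dn, "OK" if not problems else problems)
```

Running the script reports the first two transactions as clean and flags line 4 of the USER9 transaction, which is the "-" that arrives before "add: profile" has been given its value.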

The following LDIF file can be used with an ldapmodify command.

Figure 203: Sample LDIF File

Note: To delete the proxy entry for TINYCO.COM, issue the following command:

dn: radiusname=TINYCO.COM,radiusclass=Proxy,o=radius
changetype: delete

Importing Records from Another LDAP Database

To import entries from one LDAP database into another, run the ldapsearch command on the first database. Request only the attributes you want for the new database. When ldapsearch completes processing, edit the output LDIF file. After each line that begins with dn:, add a single line containing the text changetype: add. Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. After the ldapmodify command is executed, your new database is populated with the records you extracted from the old database.

The LDIF file shown in Figure 204 is derived from the output of the ldapsearch command. When specified as the input to an ldapmodify -f command, the contents of the file are added to the target database.

Figure 204: Adding Records with an LDIF File
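The editing step described above (insert "changetype: add" after each dn: line and keep only the attributes wanted in the new database), and the related preparation of a bare-DN file for ldapdelete -f covered under Deleting Records below, can be done with a short Python helper. The following is an added example and is not part of the SBR Carrier product or its documentation. It assumes the search was run with -T, so attributes are not wrapped across lines; the two Native User entries and their attribute names other than radiusname and objectclass are constructed.

```python
# Constructed sample of what `ldapsearch -T ...` returns for two Native User
# entries (-T keeps each attribute on one line, so no unfolding is needed here).
# Attribute names other than radiusname and objectclass are illustrative.
SEARCH_OUTPUT = """\
version: 1
dn: radiusname=USER1,radiusclass=native-user,o=radius
objectclass: top
objectclass: radiusclass
radiusname: USER1
password: secret1
profile: DEFAULT

dn: radiusname=USER2,radiusclass=native-user,o=radius
objectclass: top
objectclass: radiusclass
radiusname: USER2
password: secret2
profile: DEFAULT
"""


def split_entries(ldif_text):
    """Split unwrapped LDIF into entries (each a list of 'name: value' lines).
    Blank lines end an entry; a leading 'version:' line is metadata and dropped."""
    entries, current = [], []
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        elif line.startswith("version:") and not current:
            continue
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def to_ldapmodify_add(ldif_text, keep=None):
    """Rewrite ldapsearch output as ldapmodify input: 'changetype: add' is inserted
    directly after every dn: line, and when `keep` (a set of attribute names) is
    given, only those attributes are carried over to the new database."""
    out = []
    for entry in split_entries(ldif_text):
        dn, *attributes = entry
        if not dn.startswith("dn: "):
            raise ValueError(f"entry does not begin with a dn: line: {dn!r}")
        out.append(dn)
        out.append("changetype: add")
        for line in attributes:
            name = line.split(":", 1)[0]
            if keep is None or name in keep:
                out.append(line)
        out.append("")                      # blank line terminates the entry
    return "\n".join(out)


def to_ldapdelete_list(ldif_text):
    """Produce the input file for ldapdelete -f: one bare distinguished name per
    line, without the 'dn: ' prefix that makes ldapdelete fail."""
    dns = [entry[0][len("dn: "):] for entry in split_entries(ldif_text)]
    return "\n".join(dns) + "\n"


if __name__ == "__main__":
    print(to_ldapmodify_add(SEARCH_OUTPUT, keep={"objectclass", "radiusname", "profile"}))
    print(to_ldapdelete_list(SEARCH_OUTPUT))
```

Passing a `keep` set is the programmatic form of "request only the attributes you want": the password attribute in the constructed sample is dropped from the generated file, so it never travels to the target database unless it is explicitly listed.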

Deleting Records

The ldapdelete command removes records from the LDAP database. The ldapdelete command can be used to delete records either by a specific NAS or by a combination of NAS and session start time. For example, to delete the entries named USER1 through USER5, add the information shown in Figure 205 to a file called deletedemo.ldf.

Figure 205: Deleting Records with an LDIF File

Now, pass the deletedemo.ldf file to the ldapdelete command.

ldapdelete -V2 -h hostname -p 667
-D "cn=admin,o=radius" -w password -f deletedemo.ldf

Note: Verify that the dn: prefixes that usually begin these entries are not included in your file; ldapdelete expects bare distinguished names, one per line, and the prefixes cause the command to fail.

You can use ldapdelete to remove records from the LDAP database without having to supply a file. For example, to delete the native user record identified as USER1, enter the following:

ldapdelete -V2 -h hostname -p 667
-D "cn=admin,o=radius" -w password "radiusname=USER1,radiusclass=native-user,o=radius"

You can cause records to be deleted by means of the ldapmodify command, if the entries in the text file contain the line changetype: delete. Consider the sample LDIF file named deletemodify.ldf shown in Figure 206.

Figure 206: deletemodify.ldf Example

The deletemodify.ldf file can be passed to the ldapmodify command as follows:

ldapmodify -V2 -h hostname -p 667 -D "cn=admin,o=radius"
-w password -f deletemodify.ldf

Caution: On some LDAP servers, an error can cause the deletion of a container without prompting for confirmation. This can, in turn, cause the entire directory server to fail.

Searching for Active Sessions

You can use the ldapsearch command to search for an active session and display custom CST attributes, as shown in the following example:

# ldapsearch -p 667 -Dcn=admin,o=radius -w radius -b user=test,radiusstatus=sessions_by_user,o=radius objectclass=*

The following is a sample output:


ldap_simple_bind: Protocol error
ldap_simple_bind: additional info: version not supported
ldapsearch: the server doesn't understand LDAPv3; trying LDAPv2 instead...
version: 1
dn: unique-session-id=025d1c495037fd500000001d00000000,client=WLC2800,user=5C:
 0A:5B:77:7D:8A,radiusstatus=sessions_by_user,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: sessions_by_user
generic1: EAP-SRV
client: WLC2800
acct-session-id: SESS-1069-080844-77203-f1e48
nas-ip-address: 10.15.1.1
nas-port: 1069
nas-port-type: 19
session-start-time: 1346091650
fullname: 5c:0a:5b:77:7d:8a
called-station-id: A8-D0-E5-3C-38-40:JWO-SEC
calling-station-id: 5C-0A-5B-77-7D-8A
elapsed: 1001
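The session lookup described in this section and in the introduction above (sessions by NAS, or by NAS plus session start time) can be carried out on exactly this kind of output. The following Python parser is an added example and is not part of the SBR Carrier product or its documentation. It embeds the sample output above verbatim, skips the bind diagnostics that precede the LDIF, and unfolds the dn: line that ldapsearch wrapped because -T was not given; taking the `client` attribute as the NAS identifier is an assumption.

```python
from datetime import datetime, timezone

# The sample output shown above, embedded verbatim (the dn: line is wrapped onto
# a continuation line beginning with a single space, as ldapsearch emits it).
SAMPLE_OUTPUT = """\
ldap_simple_bind: Protocol error
ldap_simple_bind: additional info: version not supported
ldapsearch: the server doesn't understand LDAPv3; trying LDAPv2 instead...
version: 1
dn: unique-session-id=025d1c495037fd500000001d00000000,client=WLC2800,user=5C:
 0A:5B:77:7D:8A,radiusstatus=sessions_by_user,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: sessions_by_user
generic1: EAP-SRV
client: WLC2800
acct-session-id: SESS-1069-080844-77203-f1e48
nas-ip-address: 10.15.1.1
nas-port: 1069
nas-port-type: 19
session-start-time: 1346091650
fullname: 5c:0a:5b:77:7d:8a
called-station-id: A8-D0-E5-3C-38-40:JWO-SEC
calling-station-id: 5C-0A-5B-77-7D-8A
elapsed: 1001
"""


def unfold(lines):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_entries(text):
    """Parse ldapsearch output into a list of dicts {attribute: [values]}.
    Everything before the first dn: line (bind diagnostics, version:) is skipped;
    the dn itself is stored under the key 'dn' as a single string."""
    entries, current = [], None
    for line in unfold(text.splitlines()):
        if line.startswith("dn: "):
            current = {"dn": line[len("dn: "):]}
            entries.append(current)
        elif current is None or not line.strip():
            continue
        elif ": " in line:
            name, value = line.split(": ", 1)
            current.setdefault(name, []).append(value)
    return entries


def rdn_components(dn):
    """Split 'a=b,c=d' into {'a': 'b', 'c': 'd'} (no escaped commas in this data)."""
    return dict(part.split("=", 1) for part in dn.split(","))


def find_sessions(entries, nas, start_time=None):
    """Sessions on a given NAS (assumed to be the 'client' attribute), optionally
    narrowed to one session-start-time (seconds since the epoch)."""
    hits = []
    for entry in entries:
        if entry.get("client") != [nas]:
            continue
        if start_time is not None and entry.get("session-start-time") != [str(start_time)]:
            continue
        hits.append(entry)
    return hits


def start_time_utc(entry):
    """session-start-time is a Unix timestamp; render it as an aware UTC datetime."""
    return datetime.fromtimestamp(int(entry["session-start-time"][0]), tz=timezone.utc)


if __name__ == "__main__":
    sessions = parse_entries(SAMPLE_OUTPUT)
    for session in find_sessions(sessions, "WLC2800"):
        print(rdn_components(session["dn"])["user"], start_time_utc(session).isoformat())
```

Because the dn: line is reassembled before it is split into RDN components, the user value comes back as the full MAC address rather than the "5C:" fragment that appears on the first physical line of the output.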

Modified: 2018-01-11