LDAP Command Examples
This section explains how to use the ldapdelete, ldapmodify, and ldapsearch utilities to configure the server.
Searching for Records
You can use the ldapsearch command to extract information from the LDAP tree. The ldapsearch command can be used to find sessions either by a specific NAS or by a NAS and session start time combination. The command shown in Figure 201 lets you extract information about all RADIUS Native Users.

An LCI query returns at most 100 records when you search for current sessions using the ldapsearch utility. This limit prevents an LCI query from destabilizing either the SBRC on which it runs or the SSR itself by holding record locks while reading.
Make sure to include a blank space between each option (for example, -p) and its value (for example, 354). Command syntax is case-sensitive. See Table 61.
Table 61: Searching for Records Using the ldapsearch Command
ldapsearch Option | Meaning |
---|---|
-V 2 | Use LDAP Version 2 to communicate with the server. This option is not required, but it improves the performance of the transaction. Note: You must use the -P 2 option in the following conditions: Note: The LDAP interface in SBR Carrier complies only with version 2 of the LDAP specification. |
-p 354 | Use TCP port 354 to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the LDAP utilities contact Steel-Belted Radius Carrier on the default port number (TCP port 389). |
-h 192.168.45.12 | Contact a remote host at the specified address or name. By default, ldapsearch tries to connect to the local host. |
-D "cn=oper,o=radius" | Use the oper administrative account to authenticate the command. Note: You can use any administrative account name in place of oper in this example. Do not change the o=radius argument. |
-w radadmin | Use an authentication password of radadmin. Note: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter. |
-s sub | Perform a recursive subtree search from the base. |
-T | Do not wrap long output lines to the next line. |
-b "radiusclass=Client,o=radius" | Specifies the base from which the search operation starts. |
radiusname=* | Specifies the selection criteria for the search. |
Executing the ldapsearch command shown in Figure 201 against a Steel-Belted Radius Carrier server containing two Native User definitions produces an LDIF file similar to the output shown in Figure 202.

Modifying Records
You can use the ldapmodify utility to update the Steel-Belted Radius Carrier configuration.
-D "cn=oper,o=radius" -w radadmin -f filename
Be sure to include a blank space between each option (for example, -p) and its value (for example, 354). Command syntax is case-sensitive. See Table 62.
Table 62: Modifying Records Using the ldapmodify Command
ldapmodify Option | Meaning |
---|---|
-c | Run the command in continuous mode; do not stop on errors. |
-V 2 | Use LDAP Version 2 to communicate with the server. This option is not required, but it improves the performance of the transaction. Note: You must use the -P 2 option in the following conditions: Note: The LDAP interface in SBR Carrier complies only with version 2 of the LDAP specification. |
-h example.host.com | Contact a remote host at the specified address or name. If the -h option is not used, ldapmodify connects to the local database. |
-p 354 | Use TCP port 354 to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the LDAP utilities contact Steel-Belted Radius Carrier on the default port number (TCP port 389). |
-D "cn=oper,o=radius" | Use the oper administrative account to authenticate the command. Note: You can use any administrative account name in place of oper in this example. Do not change the o=radius argument. |
-w radadmin | Use an authentication password of radadmin. Note: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter. |
-f filename | Specifies the input LDIF file to process. |
The LDIF files generated by ldapsearch differ from those required for input to ldapmodify. The ldapmodify input files must contain a changetype entry immediately after each dn entry. The changetype entry specifies how to use the data to change the LDAP database.
The full syntax for changetype within each transaction is as follows:
Where:
keyword can be add, modify, or delete.
subkeyword can be (respectively): add, replace, or delete.
attribute can be any LDAP attribute in the entry.
value is the value to assign to the attribute.
Repeated changetype: keyword entries are not required within a transaction unless you change the keyword. From top to bottom within the transaction, the latest keyword applies until another changetype: keyword entry is provided. The following syntax is valid if the same keyword applies throughout the transaction:
subkeyword: attribute entries are optional and indicate that you want to apply the change to a specific attribute within the entry. If no subkeyword: attribute entries in the transaction are found, the change applies to the entire entry. For example, it is faster to delete an entire entry:
but if you want to delete only a few attributes from the entry, you can do so:
If the subkeyword is add or replace, an attribute: value entry must appear immediately following the subkeyword: attribute entry. If the subkeyword is delete, the attribute: value entry does not apply and should be omitted.
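As an added illustration of the changetype rules above (this code is not part of the SBR Carrier documentation), the following Python function checks a hand-edited ldapmodify input file against them before the file is passed to ldapmodify -f. The sample LDIF is constructed; the keyword in force is carried across entries exactly as described, and add/replace sub-keywords must be followed by an attribute: value line while delete sub-keywords must not.

```python
KEYWORDS = {"add", "modify", "delete"}        # valid changetype: keywords
SUBKEYWORDS = {"add", "replace", "delete"}    # valid subkeyword: attribute lines
# Constructed ldapmodify input following the syntax described above (values made up)
SAMPLE_CHANGES = """\
dn: radiusname=USER1,radiusclass=native-user,o=radius
changetype: modify
replace: fullname
fullname: Example User One

dn: radiusname=USER2,radiusclass=native-user,o=radius
delete: fullname
"""

def check_ldapmodify_ldif(text):
    """Return the problems found in an ldapmodify input file: every dn: needs a keyword
    in force, 'add:'/'replace: X' needs a following 'X: value', 'delete: X' must not have one."""
    problems, keyword, need_changetype, pending, forbidden = [], None, False, None, None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if pending is not None:                         # line after 'add: X' / 'replace: X'
            if attr == pending and value:
                pending = None
                continue
            problems.append(f"line {n}: expected '{pending}: value' after add/replace")
            pending = None
        if forbidden is not None:                       # line after 'delete: X'
            hit, forbidden = attr == forbidden, None
            if hit:
                problems.append(f"line {n}: '{attr}: value' must be omitted after delete")
                continue
        if not attr:                                    # blank line ends the entry
            continue
        if attr == "dn":
            need_changetype = keyword is None           # no keyword in force yet
        elif attr == "changetype":
            if value not in KEYWORDS:
                problems.append(f"line {n}: unknown changetype '{value}'")
            keyword, need_changetype = value, False     # latest keyword persists
        elif need_changetype:
            problems.append(f"line {n}: no changetype keyword in force for this entry")
            need_changetype = False
        elif attr in SUBKEYWORDS:
            forbidden, pending = (value, None) if attr == "delete" else (None, value)
    if pending is not None:
        problems.append(f"end of file: expected '{pending}: value' after add/replace")
    return problems
```

Run the check before using ldapmodify -c, since continuous mode will not stop on the errors the file contains.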
The following LDIF file can be used with an ldapmodify command.

To delete the proxy entry for TINYCO.COM, issue the following command:
Importing Records from Another LDAP Database
To import entries from one LDAP database into another, run the ldapsearch command on the first database. Request only the attributes you want for the new database. When ldapsearch completes processing, edit the output LDIF file. After each line that begins with dn:, add a single line containing the text changetype: add. Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. After the ldapmodify command is executed, your new database is populated with the records you extracted from the old database.
The LDIF file shown in Figure 204 is derived from the output of the ldapsearch command. When specified as the input to an ldapmodify -f command, the contents of the file are added to the target database.

Deleting Records
The ldapdelete command removes records from the LDAP database. The ldapdelete command can be used to delete records either by a specific NAS or by a NAS and session start time combination. For example, to delete the entries named USER1 through USER5, add the information shown in Figure 205 to a file called deletedemo.ldf.

Now, pass the deletedemo.ldf file to the ldapdelete command.
-D "cn=admin,o=radius" -w password -f deletedemo.ldf
Verify that the dn: prefixes that usually begin these entries are not present in your file, because they cause the command to fail.
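Both the import procedure above (edit ldapsearch output so that changetype: add follows every dn: line) and the ldapdelete input format (bare DNs with no dn: prefix) are mechanical edits of LDIF. The following Python, added here and not part of the SBR Carrier documentation, performs both on a constructed LDIF sample; it re-joins LDIF folded lines and drops the leading version: line that ldapsearch emits.

```python
# Constructed sample in the shape of ldapsearch LDIF output (values made up); note the folded line.
SAMPLE_LDIF = """\
version: 1
dn: radiusname=USER1,radiusclass=native-user,o=radius
objectclass: top
radiusname: USER1
fullname: Example User
  One

dn: radiusname=USER2,radiusclass=native-user,o=radius
radiusname: USER2
"""
def parse_ldif_entries(text):
    """Split LDIF into entries (lists of (attr, value) pairs), re-joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # LDIF folding: drop one leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:                       # sentinel blank line closes the last entry
        if line.startswith("#") or (line.startswith("version:") and not current):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    return entries

def to_ldapmodify_add(text, keep=None):
    """Insert 'changetype: add' after every dn:, keeping only attributes in `keep` if given."""
    wanted = {k.lower() for k in keep} if keep else None
    out = []
    for entry in parse_ldif_entries(text):
        for attr, value in entry:
            if attr.lower() == "dn":
                out += [f"dn: {value}", "changetype: add"]
            elif wanted is None or attr.lower() in wanted:
                out.append(f"{attr}: {value}")
        out.append("")                              # blank line terminates the entry
    return "\n".join(out)
def to_ldapdelete_input(text):
    """ldapdelete -f expects one bare DN per line, without the 'dn:' prefix."""
    dns = [v for e in parse_ldif_entries(text) for a, v in e if a.lower() == "dn"]
    return "".join(dn + "\n" for dn in dns)
```

Write the returned text to a file and pass it to ldapmodify -f or ldapdelete -f respectively; the keep argument implements the "request only the attributes you want" step when the original search returned more than needed.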
You can use ldapdelete to remove records from the LDAP database without having to supply a file. For example, to delete the native user record identified as USER1, enter the following:
-D "cn=admin,o=radius" -w password "radiusname=USER1,radiusclass=native-user,o=radius"
You can cause records to be deleted by means of the ldapmodify command, if the entries in the text file contain the line changetype: delete. Consider the sample LDIF file named deletemodify.ldf shown in Figure 206.

The deletemodify.ldf file can be passed to the ldapmodify command as follows:
-w password -f deletemodify.ldf
On some LDAP servers, an error can cause the deletion of a container without prompting for confirmation. This can, in turn, cause the entire directory server to fail.
Searching for Active Sessions
You can use the ldapsearch command to search for an active session and display custom CST attributes, as shown in the following example:
# ldapsearch -p 667 -Dcn=admin,o=radius -w radius -b user=test,radiusstatus=sessions_by_user,o=radius objectclass=*
The following is a sample output:
Sample Output
ldap_simple_bind: Protocol error
ldap_simple_bind: additional info: version not supported
ldapsearch: the server doesn't understand LDAPv3; trying LDAPv2 instead...
version: 1
dn: unique-session-id=025d1c495037fd500000001d00000000,client=WLC2800,user=5C:0A:5B:77:7D:8A,radiusstatus=sessions_by_user,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: sessions_by_user
generic1: EAP-SRV
client: WLC2800
acct-session-id: SESS-1069-080844-77203-f1e48
nas-ip-address: 10.15.1.1
nas-port: 1069
nas-port-type: 19
session-start-time: 1346091650
fullname: 5c:0a:5b:77:7d:8a
called-station-id: A8-D0-E5-3C-38-40:JWO-SEC
calling-station-id: 5C-0A-5B-77-7D-8A
elapsed: 1001