lsldap Command

Note: If an LDAP user is created with a UID > 2^31, the lsldap command displays it as a negative number.

Purpose

Displays naming service objects from the configured LDAP directory server.

Syntax

lsldap [-a] [ entity [ entry_name | filter ] ]

Description

The lsldap command displays the naming service objects from the configured LDAP directory server. It queries the LDAP server through the secldapclntd daemon. Some or all of the objects of a particular entity can be listed by the lsldap command. By default, the lsldap command displays only the distinguished name (DN) of the returned objects. In addition, the -a flag can be used to view the attributes.

The lsldap command supports the following entities:

Entity          objectClass                     Default attribute name
aapolicies      ibm-aixAccountingAdminPolicy    ibm-aixAdminPolicyName
aaprojects      ibm-aixAccountingProject        ibm-aixProjectName
admkeystore     ibm-usrkeystore                 cn
aixpert         ibm-aixAixpert                  ibm-aixpertLabel
aliases         mailGroup                       cn
authorizations  ibm-authorization               cn
automount       automountMap                    automountMapName
                nisObject                       nisMapName
bootparams      bootableDevice                  cn
domains         ibm-aixRBACdomain               ibm-aixRBACdomainName
domobjs         ibm-aixRBACdomainObject         ibm-aixRBACdomainObjectName
efscookies      ibm-efskscookies                cn
ethers          ieee802Device                   cn
group           posixgroup                      cn
                AIXAccessGroup                  groupname
grpkeystore     ibm-grpkeystore                 cn
hosts           ipHost                          cn
netgroup        ipNetgroup                      cn
networks        ipNetwork                       cn
passwd          posixAccount                    uid
                AIXAccount                      username
privcmds        ibm-privcmd                     cn
privdevs        ibm-privdev                     cn
protocols       ipProtocol                      cn
roles           aixaccessroles                  rolename
rpc             oncRpc                          cn
services        ipService                       cn
privfiles       ibm-privfile                    cn
usrkeystore     ibm-usrkeystore                 cn

The automount entity has two object classes. The lsldap command gives automountMap precedence over nisMap: it always returns automountMap objects if it finds any, and returns nisMap objects only when no automountMap objects exist.

For the passwd and group entities, the lsldap command returns the correct objects according to the LDAP client configuration. However, the correct attribute name corresponding to the object classes must be supplied for lsldap passwd attribute=value queries.

If an entity name is not specified from the command line, the lsldap command displays container entries of the entities and any other entries that are siblings of these containers. Users must have root permissions to list the container entries.

The entry_name parameter is the name of the object to be queried. For example, if the entity is passwd, the entry_name is the user account name. The entry_name parameter is equivalent to default attribute name = entry_name. The lsldap command accepts the * wildcard in entry_name for a substring search. All entries are returned if entry_name is not specified.

Instead of entry_name, a filter can also be supplied to search for entries that match certain criteria. Simple filters can be specified as attributename=attributevalue, where attributename is the LDAP attribute name.

The lsldap command prints the result to stdout. If the -a flag is not specified, lsldap prints the entries found as DNs, with each DN separated by a blank line. If the -a flag is specified, each entry is printed in LDIF format, with a blank line between entries.

Flags

Item    Description
-a      Displays all attributes of the returned objects. By default, only the DN of each object is displayed.

Exit Status

Upon success, the lsldap command returns 0. Upon failure, a nonzero value is returned, with one of the following error messages written to stderr:

Item          Description
EIO           Connection error.
EINVAL        Invalid parameters.
EPERM         No permission to run the operation.
ENOMEM        Not enough memory.
other errno   Other errors.

Security

The lsldap command can be run by any user. It is owned by the root user and security group, and has access permissions of 555.

When the passwd entity is listed with the -a option by the root user, lsldap returns all attributes of the users found. When the same command is run by a nonprivileged user, lsldap returns only the commonly readable attributes that the lsuser command returns, plus the object class information. For all other entities, the output is the same regardless of which user runs the command.

Examples

  1. To list all entries of the hosts entity, type:
    lsldap hosts
    Information similar to the following is returned:
    dn: cn=myhost+ipHostNumber=192.3.193.46,ou=Hosts,cn=aixdata

    dn: cn=starfish+ipHostNumber=192.3.193.47,ou=Hosts,cn=aixdata

    dn: cn=loopback+ipHostNumber=127.0.0.1,ou=Hosts,cn=aixdata
  2. To list host starfish and all of its attributes, type:
    lsldap -a hosts starfish
    Information similar to the following is returned:
    dn: cn=starfish+ipHostNumber=192.3.193.47,ou=Hosts,cn=aixdata
    objectClass: top
    objectClass: ipHost
    objectClass: device
    ipHostNumber: 192.3.193.47
    cn: loopback
    cn: localhost
  3. To list users whose names begin with the letter b, type:
    lsldap passwd "b*"
    Information similar to the following is returned:
    dn: uid=bin,ou=people,cn=aixdata

    dn: uid=bob,ou=people,cn=aixdata
  4. To list user foo and its attributes, type:
    lsldap -a passwd foo
    Information similar to the following is returned:
    dn: uid=foo,ou=people,cn=aixdata
    uid: foo
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: top
    cn: foo
    uidNumber: 259
    gidNumber: 1
    homeDirectory: /home/foo
    loginShell: /usr/bin/ksh
    shadowlastchange: 12740
    userpassword: {crypt}rNnLQ9TAD2u/k
    shadowmin: 5
  5. To list users who run /usr/bin/ksh, type:
    lsldap passwd loginshell=/usr/bin/ksh
    Information similar to the following is returned:
    dn: uid=bin,ou=people,cn=aixdata

    dn: uid=bob,ou=people,cn=aixdata

    dn: uid=foo,ou=people,cn=aixdata
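The following added example (not part of the lsldap reference) shows how an administrator can condense the LDIF printed by lsldap -a passwd into one line per account, using the output shape of example 4, and undo the negative uidNumber display mentioned in the note at the top of the page. It assumes that a negative uidNumber is a UID of 2^31 or more shown as a signed 32-bit value, so adding 2^32 recovers the real UID; the sample LDIF and the account bigid are constructed.

```shell
#!/bin/sh
# Added example, not part of the lsldap reference: condense the LDIF that
# "lsldap -a passwd" prints into one line per entry and undo the negative
# uidNumber display described in the note at the top of the page.
# Assumption: a negative uidNumber is a UID >= 2^31 shown as a signed 32-bit
# value, so adding 2^32 recovers the real value.

summarize_passwd_ldif() {
    awk '
    function flush() {
        if (dn != "") {
            # Re-interpret a wrapped (negative) uidNumber as unsigned 32-bit.
            if (uidnum != "" && uidnum + 0 < 0)
                uidnum = sprintf("%.0f", uidnum + 4294967296)
            printf "%s uid=%s uidNumber=%s shell=%s pwhash=%s\n",
                dn, uid, uidnum, shell, (pw ? "visible" : "hidden")
        }
        dn = ""; uid = ""; uidnum = ""; shell = ""; pw = 0
    }
    { lc = tolower($0) }               # attribute names are case-insensitive
    lc ~ /^dn: /           { flush(); dn = substr($0, 5); next }
    lc ~ /^uid: /          { uid = substr($0, 6); next }
    lc ~ /^uidnumber: /    { uidnum = substr($0, 12); next }
    lc ~ /^loginshell: /   { shell = substr($0, 13); next }
    lc ~ /^userpassword: / { pw = 1; next }   # only root sees this attribute
    END { flush() }
    '
}

# Constructed sample in the shape of "lsldap -a passwd" output run as root;
# the second entry has a UID above 2^31 displayed as a negative number.
SAMPLE_LDIF='dn: uid=foo,ou=people,cn=aixdata
uid: foo
uidNumber: 259
loginShell: /usr/bin/ksh
userpassword: {crypt}rNnLQ9TAD2u/k

dn: uid=bigid,ou=people,cn=aixdata
uid: bigid
uidNumber: -2147483647
loginShell: /usr/bin/sh
'

# Run the parser over the sample; on a live system use: lsldap -a passwd | summarize_passwd_ldif
summarize_sample() {
    printf '%s' "$SAMPLE_LDIF" | summarize_passwd_ldif
}
summarize_sample
```

The pwhash column makes it obvious whether the command was run with root privileges, since only root receives the userpassword attribute.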

Restrictions

The lsldap command relies on the secldapclntd daemon to work.

Location

/usr/sbin/lsldap