LDAP介紹
LDAP概述
LDAP是輕量目錄訪問協議,(LDAP, Lightweight Directory Access Protocol)LDAP是用於訪問目錄服務(特別是基於X.500的目錄服務),LDAP在TCP/IP或其他面向連接的傳輸服務上運行。LDAP是IETF標准的跟蹤協議。
LDAP是目錄非關系型的,不存儲BLOB,讀寫是非對稱的,讀方便,寫麻煩,適合於查詢搜索。LDAP不支持數據庫的事務和回滾機制。
LDAP支持負載的查詢過濾器,使用樹狀結構,類似於互聯網域名、公司組織結構、文件的目錄結構等。
LDAP優勢
- 讀寫效率高:可以將LDAP看作是對讀操作進行優化的一種"樹狀數據庫",在讀寫比例大於7:1時,LDAP性能表現很好,比較適合身份認證。
- 開放的標准協議:不同於SQL數據庫,LDAP客戶端是跨平台的,對幾乎所有的程序語言都是標准的API接口。
- 強認證方式:具有很高的安全級別,在國際化方面,LDAP使用UTF-8編碼存儲各種語言的字符。
- OpenLDAP實現開源:開源軟件OpenLDAP包括了很多新功能,最輕便且消耗系統資源最少,可以基於OpenLDAP進行開發新功能。
- 靈活添加數據類型:LDAP根據schema的內容定義各種屬性之間的從屬關系以及匹配模式。在關系型數據庫中若要為用戶添加一個屬性,需要在表中增加一個字段,如果已有的數據表中增加一個字段,需要更改表的結構,變更比較困難。而LDAP只需要在schema中加入新的屬性,屬性的增加不會影響性能。
- 樹狀結構的數據存儲:LDAP底層是B/B+樹數據結構,整棵樹的任何一個分支都可以單獨放在一個服務器中進行分布式管理,這不僅有利於做服務器的負載均衡,也便於跨地域的服務器部署。在查詢負載大或者企業在不同區域都設有分公司時進行部署突出優勢。
LDAP的主要應用場景
- 機器認證
- 用戶認證
- 用戶/系統組
- 地址簿
- 組織代表
- 資產追蹤
- 電話信息存儲
- 用戶資源管理
- 電子郵件地址查詢
- 應用配置存儲
LDAP工作方式
LDAP是無狀態的客戶端-服務器的工作模式,一台或多台包含了由目錄信息樹組成數據的LDAP服務器。客戶端連接到服務器並詢問一個問題,服務器以一個答案或者指針(客戶端可以獲取其他信息的指針,通常是另一個LDAP服務器)進行響應。無論客戶端連接了哪一台LDAP服務器,都是看到的相同目錄視圖。
LDAP基本術語
Directory 目錄
Directory 目錄是用於存放信息的單元,基於域的命名。
Entry條目
Entry是目錄管理的對象,是LDAP最基本的單元,類似於數據庫中的每一條record記錄。對LDAP的增刪改查都是以Entry為基本單元進行操作的。
每個Entry都有一個唯一的標識(DN,Distinguished Name),DN在語法上是由多個相對的標識名注冊,之間由逗號隔開,如du:cn=Manager,dc=hadoop,dc=apache,dc=org,通過這種層次型語法結構,可以很方便表示出條目在LDAP目錄樹中的位置。
Attribute屬性
每個條目都有很多的Attribute屬性,比如個人信息類有姓名、地址、郵箱等屬性,每個屬性都有名稱以及對應的值,每個屬性值可以是單個,也可以是多個。一些常見的屬性如下:
| 屬性 | 別名 | 說明 |
|---|---|---|
| cn | common name | 通常指一個對象的名稱 |
| dn | distinguished name | 唯一標識名,類似於絕對路徑,每個對象都有一個唯一標識名,如cn=Manager,dc=hadoop,dc=apache,dc=org |
| rdn | relative distinguished name | 相對標識名,類似於相對路徑,如cn=Manager |
| dc | domain component | 通常指定一個域名,比如org.apache.hadoop寫成dc=hadoop,dc=apache,dc=org |
| ou | organizationl unit | 指定一個組織單元的名稱,如ou=groups |
| sn | sur name | 通常指一個人的姓氏,比如sn:Chen |
AttributeType屬性類型
每個屬性多有唯一的屬性類型,屬性類型是約定屬性值的數據格式以及語法類型,屬性類型約定屬性值可以有多少個並約定屬性查詢時的匹配規則、排序、大小寫等規則。
ObjectClass對象類
ObjectClass對象類是屬性的集合,可以將多個屬性封裝成一個對象,比如人員信息這個對象類,包含了姓名,地址,電話等屬性,學生是人員信息的繼承類,除了上面的幾個屬性,還可以有額外的學校、年級、班級等屬性。
通過對象類可以方便的定義條目Entry類型,每個條目可以繼承多個對象類,從而獲得多個屬性。
Schema模式
對象類、屬性類型、語法分別約定了條目、屬性、值,這些構成了模式,模式中的每個元素都有唯一的oid編號。
LDIF:LDAP Interchange Format
在RFC2849中定義的標准,用於規范LDAP的配置和目錄內容等詳細信息的保存,我們一般可以使用.ldif結尾的文件進行LDAP相關配置和目錄內容的增刪改查。
LDAP目錄樹
LDAP中,目錄條目以分層的樹狀結構排列。
傳統指定方式
傳統意義上,這種結構反映的是地理或者組織邊界,代表國家的條目是在樹的頂部顯示,在國家下面是代表州和國家組織的條目。在他們下面可能是代表組織單位、人員、打印機、文檔條目。
網絡指定方式
LDAP的樹狀結構也可以是基於網絡域名來排列,這種命名方式因為DNS定位服務目錄而流行。
LDAP常用命令介紹
常用參數說明
- -f:
-f file.ldif,從文件file.ldif中讀取操作。 - -x:簡單認證。
- -D:
-D binddn,綁定DN。 - -H:
-H URI,通過LDAP統一的資源標識符。 - -h:
-h host,LDAP服務器的ip或者hostname。 - -W:提示綁定密碼,即不在命令上寫密碼,如
ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -W。 - -w:
-w passwd,需要在命令上指定密碼進行簡單認證,如ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456。 - -p:
-p port,LDAP服務器的端口。 - -v:顯示運行詳情。
ldapadd命令
為LDAP服務器增加或修改條目Entry。
如:ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -W -f init.ldif
ldapdelete命令
從LDAP服務器刪除條目Entry。
如:ldapdelete -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "uid=hdfstest,ou=hadoop,dc=apache,dc=org"
ldapmodify命令
為LDAP服務器增加或修改條目Entry。可以使用.ldif文件
如:ldapmodify -a -H ldap://172.0.0.1:389 -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -f modifybarbara.ldif
ldapmodrdn命令
修改條目名稱,重命名。即修改dn。
如:ldapmodrdn -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w123456 "uid=hdfstest,ou=hadoop,dc=apache,dc=org" "uid=hivetest"
ldapsearch命令
從LDAP服務器中搜索條目。
如:ldapsearch -x -h 172.0.0.1 -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456
ldappasswd命令
為LDAP服務器更改密碼。
- -S:交互式提示用戶輸入新密碼
- -s password:指定新密碼,明文的,不建議使用
- -a oldpasswd :指定舊密碼,自動生成新密碼
- -A :提示輸入舊密碼,自動生成新密碼
1)-S 交互式提示用戶輸入新密
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w123456 -h172.0.0.1 "cn=guolitao,ou=mysql,ou=研發中心,dc=hadoop,dc=apache,dc=org" -S
2)-s 指定新密碼,明文的,不建議使用
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w123456 -h172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -s 123456
3)-a 指定舊密碼,自動隨機生成新密碼
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w123456 -h172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -a 123456
4)-A 提示輸入舊密碼,自動隨機生成新密碼
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w123456 -h172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -A
附錄:LDAP命令參數詳解
ldapadd命令
$ ldapadd --help
Add or modify entries from an LDAP server
usage: ldapadd [options]
The list of desired operations are read from stdin or from the file
specified by "-f file".
Add or modify options:
-a add values (default)
-c continuous operation mode (do not stop on errors)
-E [!]ext=extparam modify extensions (! indicate s criticality)
-f file read operations from `file'
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-S file write skipped modifications to `file'
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldapdelete命令
$ ldapdelete --help
Delete entries from an LDAP server
usage: ldapdelete [options] [dn]...
dn: list of DNs to delete. If not given, it will be readed from stdin
or from the file specified with "-f file".
Delete Options:
-c continuous operation mode (do not stop on errors)
-f file read operations from `file'
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-r delete recursively
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldapmodify命令
$ ldapmodify --help
Add or modify entries from an LDAP server
usage: ldapmodify [options]
The list of desired operations are read from stdin or from the file
specified by "-f file".
Add or modify options:
-a add values (default is to replace)
-c continuous operation mode (do not stop on errors)
-E [!]ext=extparam modify extensions (! indicate s criticality)
-f file read operations from `file'
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-S file write skipped modifications to `file'
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldapmodrdn命令
$ ldapmodrdn --help
Rename LDAP entries
usage: ldapmodrdn [options] [dn rdn]
dn rdn: If given, rdn will replace the RDN of the entry specified by DN
If not given, the list of modifications is read from stdin or
from the file specified by "-f file" (see man page).
Rename options:
-c continuous operation mode (do not stop on errors)
-f file read operations from `file'
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-r remove old RDN
-s newsup new superior entry
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldapsearch命令
$ ldapsearch -help
usage: ldapsearch [options] [filter [attributes...]]
Search options:
-a deref one of never (default), always, search, or find
-A retrieve attribute names only (no values)
-b basedn base dn for search
-c continuous operation mode (do not stop on errors)
-E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
[!]domainScope (domain scope)
!dontUseCopy (Don't Use Copy)
[!]mv=<filter> (RFC 3876 matched values filter)
[!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
[!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
(RFC 2891 server side sorting)
[!]subentries[=true|false] (RFC 3672 subentries)
[!]sync=ro[/<cookie>] (RFC 4533 LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (refreshAndPersist)
[!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
(ldapv3-vlv-09 virtual list views)
[!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
[!]<oid>[=:<b64value>] (generic control; no response handling)
-f file read operations from `file'
-F prefix URL prefix for files (default: file:///tmp/)
-l limit time limit (in seconds, or "none" or "max") for search
-L print responses in LDIFv1 format
-LL print responses in LDIF format without comments
-LLL print responses in LDIF format without comments
and version
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-s scope one of base, one, sub or children (search scope)
-S attr sort the results by attribute `attr'
-t write binary values to files in temporary directory
-tt write all values to files in temporary directory
-T path write files to directory specified by path (default: /tmp)
-u include User Friendly entry names in the output
-z limit size limit (in entries, or "none" or "max") for search
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldappasswd命令
$ ldappasswd --help
Change password of an LDAP user
usage: ldappasswd [options] [user]
user: the authentication identity, commonly a DN
Password change options:
-a secret old password
-A prompt for old password
-t file read file for old password
-s secret new password
-S prompt for new password
-T file read file for new password
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ldapwhoami命令
$ ldapwhoami --help
Issue LDAP Who am I? operation to request user's authzid
usage: ldapwhoami [options]
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
參考
openldap文檔