University Lookup Directory
Using the directory to make LDAP queries
The use of the directory for looking up individual email addresses from within a mail client is described elsewhere, as is the general use of Lookup for individual searches using the web interface. The information below is likely to be of use mainly to technical staff.
The directory can be searched by sending secure LDAP (LDAPS) queries from sources other than a mail program. This facility is likely to be useful to administrators using the Lookup "groups" feature to control privileged access to resources. Note that this process can only be used from within the cam domain, and will only give access to information available to all Cambridge users; it will not show any information which has been restricted, nor display group membership where this is only visible to the group members.
The description below assumes that you are using the ldapsearch command from a Unix system, but most of the detail will apply equally well when searching from other systems. To use the full facilities of the system, you will need to understand the structure of the LDAP tree, and the LDAP attributes available in each class. However, for many of the common requirements it may be enough to look at the examples at the bottom of this page and adapt them appropriately.
The LDAP tree structure follows the split tree model, storing people, institutions and groups in separate branches of the tree. The diagram shows an example of the tree structure.

The attributes associated with each major branch of the tree, with their LDAP attribute names, are listed here.
Examples
These examples all use the Unix ldapsearch command. For many straightforward queries it should be sufficient to adapt these examples using the attribute information provided. Alternative software for LDAP searches may be found at http://ldaptool.sourceforge.net/ or http://www.download32.com/ldapsoft-ldap-browser-i55595.html.
A common requirement is a reverse lookup on a reference. For example, to find the CRSids of all the people in the UCS:
ldapsearch -x -LLL -H ldaps://ldap.lookup.cam.ac.uk -b "ou=people, o=University of Cambridge,dc=cam,dc=ac,dc=uk" "(instid=CS)" uid
To retrieve all the email addresses for people in an institution, there is no need to collect all the CRSids and then do a query for each person to get their email address: instead, use
ldapsearch -x -LLL -H ldaps://ldap.lookup.cam.ac.uk -b "ou=people, o=University of Cambridge,dc=cam,dc=ac,dc=uk" "(instid=CS)" uid mail
To retrieve the members of a group (e.g. SMS users):
ldapsearch -x -LLL -H ldaps://ldap.lookup.cam.ac.uk -b "ou=groups, o=University of Cambridge,dc=cam,dc=ac,dc=uk" "(groupid=100905)" uid
or
ldapsearch -x -LLL -H ldaps://ldap.lookup.cam.ac.uk -b "ou=groups, o=University of Cambridge,dc=cam,dc=ac,dc=uk" "(description=*Streaming Media Service users*)" uid
(Note that the description matching is case-insensitive, so *streaming media service* would work just as well.)
To find the groups that a person is a member of:
ldapsearch -x -LLL -H ldaps://ldap.lookup.cam.ac.uk -b "ou=groups, o=University of Cambridge,dc=cam,dc=ac,dc=uk" "(uid=dar17)" groupid description
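For administrators who use a Lookup group to control access to a resource, the following added example (not part of the original documentation) wraps the group-members query above in a membership check that escapes untrusted input before it reaches the search filter and denies access on any doubt. The function names and the sample LDIF are assumptions made for illustration; the server, base DN and filter form are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not part of the Lookup documentation): fail-closed group check.
LOOKUP_URI="ldaps://ldap.lookup.cam.ac.uk"
GROUPS_BASE="ou=groups, o=University of Cambridge,dc=cam,dc=ac,dc=uk"

# Escape a value for an LDAP search filter (RFC 4515): \ * ( ) become \5c \2a \28 \29.
# Backslash is handled first so the escapes added afterwards are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the group filter used on this page from an untrusted group id.
group_filter() {
    printf '(groupid=%s)' "$(ldap_escape "$1")"
}

# Read "ldapsearch -LLL" output on stdin; succeed only if some line is exactly
# "uid: <wanted>". Prefixes, wildcards and base64 ("uid:: ...") lines never match.
ldif_has_uid() {
    [ -n "$1" ] || return 1
    WANT="$1" awk '$0 == "uid: " ENVIRON["WANT"] { found = 1 }
                   END { exit !found }'
}

# is_group_member CRSID GROUPID -> 0 member, 1 not listed, 2 query failed.
# Callers granting access should treat both 1 and 2 as "deny".
is_group_member() {
    out=$(ldapsearch -x -LLL -H "$LOOKUP_URI" -b "$GROUPS_BASE" \
          "$(group_filter "$2")" uid) || return 2
    printf '%s\n' "$out" | ldif_has_uid "$1"
}

# Constructed sample of the LDIF such a query returns (values are made up).
SAMPLE_LDIF='dn: groupid=100905,ou=groups,o=University of Cambridge,dc=cam,dc=ac,dc=uk
uid: abc123
uid: xyz99'
```

Because the directory does not display membership that is visible only to group members, a return value of 1 means "not listed in what this client can see" and should not be read as proof that the person is outside the group.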
