
How to test LDAP query


The current administration UI does not allow an LDAP query to be tested before the synchronization is executed. This article describes how to test a query using enzi ldapsearch.


The administrator has the following:

  • Access to UCP manager node, or administrative access via client bundle
  • DN of bind user and credential
  • URL for LDAP server
  • Certificate for LDAP server if secure connection is required
  • baseDN for users

When to Use This Tool

Use this tool when you are about to synchronize a large number of users and groups. It is advisable to test how many users are about to be brought in.


LDAP synchronization is handled by UCP's management container named ucp-auth-api. In it, a tool named enzi ldapsearch is bundled for troubleshooting LDAP query issues.

Here are the steps:

  1. Connect to UCP manager node via SSH or client bundle.

  2. Log into ucp-auth-api:

    docker exec -it ucp-auth-api sh

  3. Set variables so you can easily try out various filters:

    # specify URL of LDAP
    export LDAP_URL='ldap://'
    # base DN of where users and groups are located
    export BASE_DN='OU=NorthAmerica,DC=mycompany,DC=com'
    # DN for the user used for synchronization
    export BIND_DN='CN=ldapadmin,OU=NorthAmerica,DC=mycompany,DC=com'
    # DN password
    export BIND_PASS='*********************'

  4. Execute the query using enzi ldapsearch like this:

    # example 1 "number of users on the Base DN"
    # (the filter is quoted so the shell does not interpret the parentheses;
    #  the variables are quoted so special characters are passed through unchanged)
    enzi ldapsearch -H "$LDAP_URL" \
                    -b "$BASE_DN" \
                    --bind-dn "$BIND_DN" \
                    --bind-password "$BIND_PASS" \
                    '(objectClass=person)' | grep NumResults:

    # example 2 "number of users on the Base DN
    # who are also member of 'CN=Sales,OU=NorthAmerica,DC=mycompany,DC=com'"
    enzi ldapsearch -H "$LDAP_URL" \
                    -b "$BASE_DN" \
                    --bind-dn "$BIND_DN" \
                    --bind-password "$BIND_PASS" \
                    '(memberOf=CN=Sales,OU=NorthAmerica,DC=mycompany,DC=com)' | grep NumResults:
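
The steps above can be wrapped in a small pre-sync check. This is an added example, not part of the original article or of UCP: it escapes a group DN for use in a filter and refuses a result count above an expected maximum. The function names, the GROUP_DN variable and the "NumResults: <integer>" line shape are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Assumption: enzi ldapsearch
# prints one line shaped like "NumResults: <integer>" (the article greps for it).

# Escape a value for use inside an LDAP filter (RFC 4515): \ * ( )
# Backslash is replaced first so the escapes added afterwards are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read search output on stdin and print the integer after "NumResults:".
# Fails when the line is missing, so a failed bind is never read as "0 users".
num_results() {
    sed -n 's/^[[:space:]]*NumResults:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' |
        head -n 1 | grep .
}

# check_count MAX: succeed (and print the count) only if it is at most MAX.
check_count() {
    max=$1
    n=$(num_results) || { echo "no NumResults line; did the query fail?" >&2; return 2; }
    if [ "$n" -gt "$max" ]; then
        echo "filter matches $n entries, expected at most $max" >&2
        return 1
    fi
    echo "$n"
}

# Inside ucp-auth-api the pieces combine like this (GROUP_DN is a hypothetical variable):
#   enzi ldapsearch -H "$LDAP_URL" -b "$BASE_DN" --bind-dn "$BIND_DN" \
#       --bind-password "$BIND_PASS" "(memberOf=$(ldap_escape "$GROUP_DN"))" | check_count 500

# Constructed stand-in for tool output; only the NumResults line matters here.
SAMPLE_OUTPUT='(constructed placeholder for entry lines)
NumResults: 1342'

printf '%s\n' "$SAMPLE_OUTPUT" | check_count 2000
```

A non-zero exit status from check_count means the filter should be reviewed before synchronization is started.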