Ldapsearch using variable will not work

When I execute the code below with cn set to the $adgroup variable, I get the following error:

Invalid DN syntax (34)
Additional information: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
,ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com'

If I set cn equal to the group instead of using a variable, the code works perfectly fine.

What am I missing in regard to ldapsearch and variables that is causing this error?

#!/bin/bash
 #reads Groups.txt file and runs a new ldapsearch for group
while read -r adgroup; do
        echo $adgroup
        #ldapsearch connects to ldap, returns and formats member info, and writes to input.txt file
        ldapsearch -x -LLL -E pr=200/noprompt -o ldif-wrap=no -h abc-loc.somecompany.com \
        -D "account@somecompany.com" -w password -b "cn=$adgroup,ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com" \
         | grep member | sed 's/\\/\\\\/g' > /userid/bin/input.txt
         #reads input.txt file and runs a new ldapsearch for each member entry
        while IFS=":" read -r member info; do
                 #echo $info
                 ldapsearch -x -LLL -E pr=200/noprompt -h abc-loc.somecompany.com \
                -D "account@somecompany.com" -w password -b "ou=End Users,ou=Accounts,dc=abc,dc=somecompany,dc=com" \
                -s sub "distinguishedName=$info" displayName saMAccountName telephoneNumber mail department departmentNumber \
                extensionAttribute1 l st co userAccountControl |
                 #display output string in correct format
                awk -F: '
                NR == 1 {n = split (FLDS, T)
                        }
                        {OUT[$1] = substr ($2, 2)
                        }
                END     {for (i=1; i<=n; i++)   {printf "%s%s", ODL, OUT[T[i]]
                                 ODL = "|"
                                }
                         printf RS
                        }
                ' FLDS="displayName:sAMAccountName:telephoneNumber:mail:extensionAttribute1:department:departmentNumber:l:st:co:userAccountControl"
         #Define input filepath
        done < /userid/bin/input.txt
 #Define Group filepath
done < /userid/bin/GroupsTest1.txt

Please show us the content of the input file, wrapped in CODE tags for clarity. There may be something illegal in there, or perhaps your script has to deal with spaces in a different way.

Kind regards,
Robin

The GroupsTest1.txt file has one line. It is a group that I am wanting to get information from LDAP on. At some point, I'll add more groups to this file. It looks something like this.

ab_abc

The problem seems to be with this portion of code.

"cn=$adgroup,ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com"

The ldapsearch will not run because this string is not being concatenated properly. It should resolve as

"cn=ab_abc,ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com"

The input.txt file is blank because the first ldapsearch hasn't run. On a successful run, it will populate, but it doesn't get that far.

Did you make sure the "GroupsTest1.txt" is a true *nix file, NOT an MS file with DOS line terminators <CR> (0x0d, \r, <carriage return>)? How did you create it?
If assigning adgroup manually on the command line, would the ldapsearch command run correctly?

I created both .txt files using VI and yes, the search works perfectly fine if I enter the adgroup manually.

I created a new script in an attempt to isolate the problem area and have discovered that the "while read..." portion of the script seems to be causing the issue. If I take it out and modify the script slightly to build a portion of my ldapsearch string as shown below, I get good results in my input.txt file.

#!/bin/bash
 adgroup='ab_abc'
 var='cn='$adgroup
echo $var
var1=$var',ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com'
echo $var1
 ldapsearch -x -LLL -E pr=200/noprompt -o ldif-wrap=no -h abc-loc.somecompany.com -D "account@somecompany.com" -w password -b $var1 \
| grep member | sed 's/\\/\\\\/g' > /userid/bin/input.txt

It seems that maybe I'm using "while read" incorrectly, as it cannot read and set my adgroup variable in a way that any function within the while read loop can interpret it.

Just to be on the safe side: post the results of

echo $adgroup | od -ctx1  # inside the while loop, please!
od -ctx1 /userid/bin/GroupsTest1.txt

Well, all that work only to find that I was in fact using an MS file. I edited the file with VI, but it was created as an MS .txt file.

I ran the code within the loop and saw the \r \n.

After recreating the file using VI, everything works as expected.

Thanks for your help guys. As frustrating as this is, it has been a good learning experience.
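
The failure diagnosed in this thread, as an added example that is not part of any post: a read loop that reports and strips DOS line endings before the group name is placed in the search base. The helper names and the sample file are assumptions, and the example goes beyond the thread by also escaping the characters RFC 4514 treats as special in a DN value.

```shell
#!/bin/bash
# Added example. Helper names and the sample file are assumptions; the DN
# suffix is the one quoted in the thread.
BASE_SUFFIX='ou=Resource,ou=groups,dc=abc,dc=somecompany,dc=com'
CR=$(printf '\r')

# clean_name LINE: drop a trailing CR (DOS line ending) and surrounding blanks,
# then backslash-escape the characters RFC 4514 treats as special in a DN value.
clean_name() {
    printf '%s\n' "${1%"$CR"}" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[\\",+;<>]/\\&/g' -e 's/^#/\\#/'
}

# group_dns FILE: print one search base per non-empty line of FILE.
# Lines that end in CR are still processed, but reported on stderr.
group_dns() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            *"$CR") echo "warning: $1 line $lineno ends in CR (DOS file?)" >&2 ;;
        esac
        name=$(clean_name "$line")
        [ -n "$name" ] || continue
        printf 'cn=%s,%s\n' "$name" "$BASE_SUFFIX"
    done < "$1"
}

# count_cr_lines FILE: number of lines with a trailing CR (0 for a clean file).
count_cr_lines() {
    grep -c "$CR\$" "$1" || true
}

# Constructed sample: a group list saved with DOS line endings.
sample=$(mktemp)
printf 'ab_abc\r\n\r\nSales, EMEA\r\n' > "$sample"
echo "lines ending in CR: $(count_cr_lines "$sample")"
group_dns "$sample"    # each line is safe to pass as: ldapsearch ... -b "$dn"
rm -f "$sample"
```
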