Ldap Commands Cheat Sheet

Is it Vintela authentication system or Quest authentication system or Dell or Quest again or One Identity or Safeguard authentication service? I think it depends what version you run and/or when you started using it. Its quite a mess for people who have used the software for last 15+ years but luckily different versions have one thing in common – vastool command-line utility which typically is installed into /opt/quest/bin/vastool. I suggest to verify do you have /opt/quest/bin in your PATH environment variable. This page may be too long to be a cheat-sheet but you can always use search. In some places you might find also comparisons with alternative AD/LDAP integration tool SSSD.

Windows Ldap Command Line
Ldap Commands Cheat Sheet Fortnite
Ldap Commands Cheat Sheet Pdf
Ldap Commands Cheat Sheet Download
Ldap Search Command
Ldap Commands Cheat Sheet Roblox

Basic stuff

vastool has a lot of sub-commands, you can see them just by running vastool without any parameters as below. Some vastool sub-commands have also their own sub-sub-commands.

LDAP Injection Cheat Sheet What is LDAP Injection? LDAP injection is the technique of exploiting web applications that use client-supplied data in LDAP statements without first stripping potentially harmful characters from the request. When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter. Open Web Application Security Project Cheat Sheets # The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These Cheat Sheetss were created by various application security professionals who have expertise in specific topics. This page may be too long to be a cheat-sheet but you can always use search. In some places you might find also comparisons with alternative AD/LDAP integration tool SSSD. Vastool has a lot of sub-commands, you can see them just by running vastool without any parameters as below. Some vastool sub-commands have also their own sub.

You can always specify user and password in vastool command with -u username and -p password but you can also use a principal host/ if your host is already joined to AD.

NB! USE links below, in the main vastool usage info to jump to relevant command. If there is no link, its not covered…. at least not yet.

If you need help for specific vastool command you can run it with -h command e.g. vastool -h status but it does not work with all commands (like inspect).

vastool status

View status about the operating environment. Really useful to see whats going on like are you joined and so on.

Show basic status information

vastool flush

Flush cached client daemon information. Run it to avoid anomalies after config changes. Can flush by cache or all if you omit command.

Flush all caches:

Hint: vastool flush is same as sss_cache -E if you are using SSSD.

vastool join

Join the computer to the domain. Joining to domain can be done with username /password or username and pre-generated keytab. Username must have join/write privileges in AD so I suggest to generate keytab instead of password and safeguard the keytab as much as possible. Deleting keytab from host right after joining is a good idea and also regular password changes along with the keytab re-generation. It is also possible to implement centralized joining solution so that host-being-joined never sees the credentials, just gets the host keytab.

join host to domain. Command below will join host to domain example.com and creates the computer object in ldap container/path which has DN “OU=Servers,DC=example,DC=com”.

“join” host to domain with pre-generated keytab. useful with centralized joining solution where you actually perform most of the joining actions (create computer object in AD, generate host keytab add SPN-s) on different server. This also means that you don’t need to have high privilege credentials (for AD modifictaions) on target host. Generally this kind of “joining” means only that vastool will generate configuration file vas.conf and configures nsswitch and pam.

Same as previous – define a site and static domain controllers for already joined host. This is useful when you move host to the network where domain controllers cant be located with DNS lookup (SRV record query) and might be also read-only.

AS previous example, this command will also just generate vas.conf and do nsswitch/pam config. This will add following into vas.conf (in addition to the previous config if domain remains the same)

So if you don’t want to run command above, you could just add manually this content to vas.conf and restart the vasd.service assuming nsswitch and pam are already configured.

vastool unjoin

Remove the local computer from the domain. Removes the computer object and disconnects from domain. Also useful to run in the beginning of re-joining if needed.

Unjoin localhost from domain

vastool search

Perform LDAP searches. You can search by any attribute and filter out attributes as you need in the result. Only limitation will be your LDAP query making capability.

Searching user/account attributes, if account is found lists all attributes:

Search account/user group memberships, displays only memberOf attributes:

Note that first line in the search result is account DN, so if you need to calculate number of groups user belongs to, you can send result trough wc and decrease by one or just pipe it trough grep like this

Search account/user by UNIX USER/GROUP ID and list all attributes if found:

Search objects what user is “owning”

Search user mobile / cellphone number

Search users who’s password never expires and filter out account names.

Search group by group name and list all info – essentially searching groups is done by same sAMAccountName attribute as searching for users.

Search group and display all group members:

Note that first line in the search result is account DN, like the user search few block above.

vastool attrs

List an objects attribute(s). This is a bit similar to vastool search but I guess that you are limited with showing attributes only for one object and cant run any advanced LDAP search queries.

Get GROUP attributes

Get USER attributes

Get COMPUTER attributes (must know DN)

Windows Ldap Command Line

vastool list

List users or groups and their attributes.

List unix-enabled users and groups. Without -l option your query will be run against local cache only and might not reflect very recent changes. As you query local cache you don’t need to use any credentials to run this query.

List all users or groups, including the ones which are not unix-enabled – which do not have user / group ID defined in AD. With -a option you can list also non unix-enabled users but this only seems to work together with -l option. Be careful when using -al – in large environments as its slow and might result in hundreds of thousands lines in result.

List users allowed to log in … or denied. -l option here is not supported. -a option should show you also non-unix-enabled users which somehow e.g. trough group membership should have access to your host (or not with users-denied). I have not tested it but if it works, its a good way to detect login issues like user group access but someone forgot to unix-enable user’s account. Note that users-denied query might have thousands of results in large environments but as it runs against local cache its pretty fast.

vastool user

User account tools. Useful for managing users including checking is user allowed to log in and what configuration e.g. AD group membership grants the access.

Check is user allowed to log in and if it is, what grants it with the sample response

Hint: vastool user checkaccess johndoe is same as sss_ctl user-checks johndoe if you are using SSSD.

vastool ktutil

Ldap Commands Cheat Sheet Fortnite

Manage entries in a keytab. Useful for listing, adding and removing principals in keytab.

list keytab principals. If you don’t specify keytab file with -k option, you get principals list from hosts default keytab.

add host fqdn as alias to short name into keytab. This is very useful to get login with kerberos ticket working. If you have any CNAME-s in the DNS for the host, you need to add them as alias to host keytab and into servicePrincipalName (multi-value) attribute in LDAP.

vastool group

Modify group membership. Adding/removing accounts & computer objects to/from groups.

add localhost to LDAP group

vastool delete

Delete a user, group, computer, service or AD object.

delete computer object with sample output.

vastool create

Create a user, group, computer, or service object in AD.

create computer object in ldap container/path which has DN “OU=Servers,DC=example,DC=com” with sample output.

vastool passwd

Change your password, or set another user’s password

reset computer object password and generate host keytab with sample output. This allows you to join other hosts in centralized way without having to spread credentials. It generates new keytab with random password .

vastool info

View information about the operating environment

generate kerberos config file with vastool info toconf

vastool inspect

Get the value of a configuration setting. Useful to verify contents of the vasd config file /etc/opt/quest/vas/vas.conf and then modify it with vastool configure if needed.

inspect vasd configuration. Below are commands to inspect different configuration parameters in vasd section.

vastool configure

Update configuration files to use the QAS components

configure pam. This configures pam. It is not needed to run it after join as its executed automatically within the join process (but you can skip it during joining).

configure nss. This adds vas into the list of passwd and group services. It is not needed to run it after join as its executed automatically within the join process (but you can skip it during joining).

configure vas. This allows configuring main vasd configuration parameters online, without manually configuring them in the vas.conf and restarting the service. A good way to learn about the different configuration parameters is man vas.conf

vastool configure vas vas_auth perm-disconnected-users. list of groups or users able to log in even if AD connection is lost, separated by spaces.

vastool configure vas vasd perm-disconnected-update. minutes between updating cached users credentials.

vastool configure vas vasd timesync-interval. hours between timesync. Setting it to -1 makes timesync to run in every 30 seconds and setting it to 0 disables timesync with vasd – useful if you use ntpd or chrony to sync your time.

vastool configure vas vasd user-search-path. Set this to your users OU as best as you can because by default entire AD domain is searched and limiting the scope increases performance especially in the large environments. Configure multiple search paths in same way, just separate them with semicolon.

vastool configure vas vasd group-search-path. Set this to your users OU as best as you can because by default entire AD domain is searched and limiting the scope increases performance especially in the large environments. Configure multiple search paths in same way, just separate them with semicolon.

vastool setattrs

Ldap Commands Cheat Sheet Pdf

Set object attribute(s)

add servicePrincipalName to computer object. This is quite useful if you have CNAMES defined for your host and you want kerberos to work with them. Note that ServicePrincipalName is multi-value attribute and when you want to update it with some new value, you should specify also the existing ones which are retrievable with attrscommand.

vastool daemon

Manage daemons – this is just a wrapper for service command. You can use it to manage also other daemons, not just the ones related to QAS like vastool. This could be potentially also security issue.

Although the help suggest that you can run only start/stop/status actions against damones like vasd and ipmon, you can run all actions supported by service command against all daemons:

vastool auth

Authenticate a user to a service and optionally extract Kerberos authentication data. When run, the command must be run as a user that has access to the service
principal’s corresponding keytab file.

As I have not used this command so much that I could provide usage examples, better turn to some other cheat-sheet for examples or run man vastool and scroll/search to “vastool auth”. It has pretty good explanation what it does along with the examples.

vastool isvas

Check to see if a given user is an Active Directory user.

Few examples:

-p prints out same info as you get with getent passwd.

vastool kinit

Obtains and caches tickets

You can either authenticate with password:

Or authenticate with keytab:

To verify that you got a ticket, use vastool klist shown below.

vastool klist

List Kerberos tickets stored in a user’s credentials cache.

If you managed to authenticate yourself successfully and get a ticket with vastool kinit then you can list your tickets cache as follows:

vastool kdestroy

Ldap Commands Cheat Sheet Download

Delete tickets from a user’s credential cache.

It drops your ticket cache file along with the tickets inside it. Example would be useless.

vastool license

View currently installed licenses or add new ones.

Feel free to run it to see license info. Also reports how many Unix-enabled users are in use.

Ldap Search Command

If you found this useful, say thanks, click on some banners or donate, I can always use some beer money.

Ldap Commands Cheat Sheet Roblox

If you like to learn vi/vim macros, how to use tabs, 30+ copy-paste buffers instead of just one – look at my vi&vim cheat-sheet