A tool for running LDAP queries and formatting the results using jinja2.
When using LDAP, writing a shell script which uses ldapsearch, typically
piped to sed, ends up being the clumsy solution to a variety of problems. If
multiple searches are needed, this is not especially efficient because separate
connections to the LDAP server are made. There are scripting languages that can
hook into a proper ABI for LDAP queries but for typical use cases, a template
language can express the desired results more succinctly.
ldapfmt combines minijinja with ldap3. To use it, either pass the path to a template as a parameter or simply use a Unix shebang line and treat the template as a script. A shebang line will be skipped so that it doesn't appear in the output, but note that line numbers from minijinja don't account for this.
For LDAP connection parameters, /etc/openldap/ldap.conf is parsed.
The following additional Jinja2 functions are defined:
search(filter, [ fields, ... ])
: Return the result of an LDAP search. filter is a standard LDAP filter
expression. Results are limited to the specified fields. These are all lists
because there can be multiple values with the same key in an LDAP entry.
args()
: Return command-line arguments
error(message)
: Abort processing, returning status 1 and the specified error message.
The sample directory contains a number of examples:
permissions_wiki
: Dumps groups from FreeIPA where management of the group had been delegated.
Output in a MediaWiki format table.
ldap_ssh_authorizedkeys
: An example for use with the AuthorizedKeysCommand of sshd which returns
ssh public keys for a user, also checking sudo rules for shared-role accounts
to add public keys for additional users.
authzsvn
: Expands groups in a configuration file for a subversion server.
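
When a template builds the filter passed to search() from a value returned by args(), such as the user name sshd hands to an AuthorizedKeysCommand, that value needs RFC 4515 escaping so that it is matched as a literal value and not parsed as filter syntax. The following is an added example, not ldapfmt's own code, of that escaping in Rust (the language of minijinja and ldap3); the function names and the uid attribute are assumptions.

```rust
// Added example: RFC 4515 escaping for a value placed inside an LDAP filter.
// Function names and the `uid` attribute are assumptions, not ldapfmt code.

/// Escape one assertion value for use in an LDAP search filter (RFC 4515).
/// NUL, parentheses, asterisk and backslash become a backslash followed by
/// two hex digits; every other character is copied unchanged.
fn escape_filter_value(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for ch in value.chars() {
        match ch {
            '\0' => out.push_str("\\00"),
            '(' => out.push_str("\\28"),
            ')' => out.push_str("\\29"),
            '*' => out.push_str("\\2a"),
            '\\' => out.push_str("\\5c"),
            _ => out.push(ch),
        }
    }
    out
}

/// Build an equality filter for a single user.
/// Returns None for an empty name so the caller can abort instead of searching.
fn user_filter(username: &str) -> Option<String> {
    if username.is_empty() {
        return None;
    }
    Some(format!("(uid={})", escape_filter_value(username)))
}

fn main() {
    // Constructed sample inputs: a plain name and names containing
    // characters that have a meaning in filter syntax.
    for name in ["alice", "a*", "x)(uid=*", "dom\\user", ""] {
        println!("{:?} -> {:?}", name, user_filter(name));
    }
}
```
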