
LDAP WhoAmI Tool

Discover how to use the LDAP WhoAmI tool to identify users and manage directory access effectively in LDAP environments.

Written by Maryanne Normann

Updated at March 17th, 2026


Table of Contents

  • Basic Syntax
  • Example Using LDAP
  • Example Using LDAPS (Secure LDAP)
  • Using SASL EXTERNAL with LDAPI
  • Testing Authentication Without a Bind DN
  • Verbose Output
  • Using SASL Authentication
  • Troubleshooting Authentication
  • Common Errors
    • Invalid credentials
    • Anonymous bind disallowed
    • Cannot contact server

ldapwhoami is an OpenLDAP command-line utility used to determine the identity that the LDAP server sees after authentication.

It is commonly used to:

  • verify authentication credentials
  • test LDAP bind operations
  • confirm SASL identity mappings
  • troubleshoot authentication issues

The command performs a "Who Am I?" extended operation against the LDAP server and returns the authorization identity.

Basic Syntax

ldapwhoami [options]

Example:

ldapwhoami -x -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W

Option   Meaning
-x       Use simple authentication
-H       LDAP server URI
-D       Bind DN
-W       Prompt for password

Example Using LDAP

This example authenticates using a standard LDAP connection.

ldapwhoami -x -H ldap://ldap.example.com -D "uid=jdoe,ou=people,dc=example,dc=com" -W

Example output:

dn:uid=jdoe,ou=people,dc=example,dc=com

This confirms that the authentication was successful and identifies the bound LDAP identity.

Example Using LDAPS (Secure LDAP)

If your LDAP server requires TLS encryption, use an ldaps:// URI. LDAPS typically uses port 636.

ldapwhoami -x -H ldaps://ldap.example.com -D "uid=jdoe,ou=people,dc=example,dc=com" -W

Using SASL EXTERNAL with LDAPI

Administrators often use ldapwhoami to verify local administrative access using the ldapi socket and SASL EXTERNAL authentication.

ldapwhoami -Y EXTERNAL -H ldapi:///

Example output:

dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

This confirms the identity derived from the local Unix credentials.

Testing Authentication Without a Bind DN

ldapwhoami can also test anonymous authentication.

ldapwhoami -x -H ldap://ldap.example.com

Example output:

anonymous

If anonymous binds are disabled, you may see:

ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed

Verbose Output

To display additional diagnostic information, use the -v option.

ldapwhoami -v -x -H ldap://ldap.example.com -D "uid=jdoe,ou=people,dc=example,dc=com" -W

This can help troubleshoot authentication problems.

Using SASL Authentication

If your LDAP environment uses SASL mechanisms such as GSSAPI (Kerberos), ldapwhoami can confirm the authenticated identity.

Example:

ldapwhoami -Y GSSAPI -H ldap://ldap.example.com

Example output:

dn:uid=jdoe,ou=people,dc=example,dc=com

This confirms the Kerberos-authenticated identity.

Troubleshooting Authentication

ldapwhoami is frequently used to diagnose authentication issues.

Common checks include:

  • verifying credentials
  • confirming SASL mappings
  • validating TLS connections
  • confirming authorization identity

Example troubleshooting command:

ldapwhoami -v -x -H ldaps://ldap.example.com -D "uid=jdoe,ou=people,dc=example,dc=com" -W

Common Errors

Invalid credentials

ldap_bind: Invalid credentials (49)

The password or bind DN is incorrect.

Anonymous bind disallowed

ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed

Anonymous authentication is disabled on the server.

Cannot contact server

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Possible causes include:

  • network issues
  • incorrect hostname
  • TLS certificate problems
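
The outputs and errors shown in this article can be sorted into outcomes by a small wrapper, which is useful when the same check is run against several servers or from a monitoring job. This is an added example, not part of the original article or of OpenLDAP; classify_whoami is a hypothetical helper name, and it matches only the strings quoted above.

```sh
#!/bin/sh
# Added example: classify the combined stdout/stderr of one ldapwhoami run.
# classify_whoami is a hypothetical helper; the strings it matches are the
# example outputs and error messages quoted in this article.
classify_whoami() {
    out=$1
    # Failure cases first: "anonymous bind disallowed" also contains the
    # word "anonymous", so errors must be ruled out before success checks.
    case $out in
        *"Invalid credentials (49)"*)
            echo "bind-failed: wrong password or bind DN"; return 0 ;;
        *"Inappropriate authentication (48)"*)
            echo "bind-refused: anonymous bind disallowed"; return 0 ;;
        *"Can't contact LDAP server (-1)"*)
            echo "unreachable: check network, hostname, TLS certificate"; return 0 ;;
    esac
    # Success cases: take the first line that is an authorization identity
    # (assumption: with -v, other diagnostic lines may surround it).
    authz=$(printf '%s\n' "$out" |
        sed -n -e '/^dn:/{p;q;}' -e '/^anonymous$/{p;q;}')
    case $authz in
        anonymous)
            echo "anonymous: server accepted an unauthenticated bind" ;;
        dn:gidNumber=*+uidNumber=*,cn=peercred,cn=external,cn=auth)
            # SASL EXTERNAL over ldapi: identity built from Unix credentials
            gid=${authz#dn:gidNumber=}; gid=${gid%%+*}
            uid=${authz#*+uidNumber=};  uid=${uid%%,*}
            echo "local-peer: uid=$uid gid=$gid" ;;
        dn:?*)
            echo "bound: ${authz#dn:}" ;;
        *)
            echo "unknown: no authorization identity in output" ;;
    esac
}

# Constructed sample outputs, copied from the examples in this article.
for sample in \
    "dn:uid=jdoe,ou=people,dc=example,dc=com" \
    "dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" \
    "anonymous" \
    "ldap_bind: Invalid credentials (49)"
do
    classify_whoami "$sample"
done
```

For a live check, pass the combined output of a command from this article, for example classify_whoami "$(ldapwhoami -Y EXTERNAL -H ldapi:/// 2>&1)". An "anonymous" result on a server that is meant to require authentication is the outcome to follow up on.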

More information on using ldapwhoami can be found here.

Copyright © 2020-2024 Symas Corporation. All rights reserved.