My notes, things I have learned, and documentation I have created.

Since I started this little investigation of LDAP today, I decided to look into using the ldapsearch command in linux to display Windows Active Directory attributes and information. This is a bit of what I came up with:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “searchbase”

Some explanation:

someinteger: Because of the “noprompt” switch, this number is not really important. All matching entries will be displayed. You can set it some integer with a “prompt” switch, and only that number of entries will be displayed before you are prompted for more. The -E option is available in later versions of openldap. I tested version 2.3. It is not an option in 2.0.

adsuser@mydomain.com: This can be any user account in the directory, because they have read only access to the directory. I used the -W option to prompt me to enter my password, however you can use the -w option and pass it your ADS password on the command line.

searchbase: The search base is where things get interesting. You can use something like the following to search for only users:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com”

Or computers:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=computers,dc=mydomain,dc=com”

Or everything under DC=mydomain,DC=com:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W

You can also filter for certain distinguished names:

This will display attributes and values for all relative distinguished names:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com” -s sub “(cn=*)”

This will display all relative distinguished names that start with the letter “z” under the users distinguished name:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com” -s sub “(cn=z*)”

Fun stuff, but not exactly sure what I would do with this information. Maybe access ADS information without having to login to Windows.