More fun with ldapsearch and Active Directory.
- January 24th, 2012
- Posted in Documentation
Since I started this little investigation of LDAP today, I decided to look into using the ldapsearch command on Linux to display Windows Active Directory attributes and information. This is a bit of what I came up with:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "searchbase"
Some explanation:
someinteger: This is the page size of the paged-results control (pr). With the "noprompt" switch the client fetches every page automatically, so all matching entries are displayed no matter what number you pick. With the "prompt" switch instead, ldapsearch stops after each page of that many entries and asks before fetching the next one. The control is not just decoration: a domain controller will not return more than its MaxPageSize (1000 by default) in a single unpaged search and answers "Size limit exceeded (4)" instead, so pr=1000 is a sensible value. The -E option is available in later versions of OpenLDAP. I tested version 2.3. It is not an option in 2.0.
adsuser@mydomain.com: This can be any user account in the domain, because by default Authenticated Users have read access to most of the directory (which is also why a single low-privileged account is all an attacker needs to enumerate it). I used the -W option to prompt me to enter my password. You can use the -w option and pass the password on the command line instead, but then it shows up in the process list for every local user and in your shell history; -y passwordfile keeps it out of both. Note also that -x is a simple bind, which sends the password in the clear over port 389: use -H ldaps://host (port 636) in place of -h host, or add -ZZ to require StartTLS.
searchbase: The search base is where things get interesting. Pointing it at the default Users container searches for only users:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "cn=users,dc=mydomain,dc=com"
Keep in mind that this only covers accounts still sitting in CN=Users. Accounts that were moved into an OU are found by searching the domain root with a filter such as (&(objectCategory=person)(objectClass=user)).
Or computers:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "cn=computers,dc=mydomain,dc=com"
Or everything under DC=mydomain,DC=com (give the domain root as the search base; if -b is omitted, ldapsearch falls back to whatever BASE is set in ldap.conf):
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "dc=mydomain,dc=com"
You can also add a filter on attribute values. For cn that means matching on the relative distinguished name of each entry. This displays attributes and values for every entry under the Users container that has a cn (-s sub is the default scope, so it can be left out):
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=*)"
This displays every entry under the Users container whose cn starts with the letter "z" (a substring filter, which Active Directory matches case-insensitively):
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D "adsuser@mydomain.com" -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=z*)"
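The commands above are one-offs typed at a prompt. Here is an added example (my own, not from the original post) that wraps the same search in a shell function with the safer options mentioned above (ldaps://, password from a file, paged results) and adds the piece you need as soon as you want to do something with the output: an LDIF post-processor that pulls one attribute out of what ldapsearch -LLL prints, unfolding wrapped lines and decoding base64 values. It goes beyond the post in filtering on objectCategory/objectClass rather than on the Users container. The host dc1.mydomain.com, the password file /tmp/adpw and the sample LDIF inside the script are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around
# ldapsearch for Active Directory enumeration, plus an LDIF post-processor
# that pulls single attributes out of what ldapsearch -LLL prints.
# dc1.mydomain.com, adsuser@mydomain.com, /tmp/adpw and the sample LDIF
# further down are constructed placeholders.

# ad_search HOST BINDDN PASSFILE BASE FILTER [ATTR...]
#   -H ldaps://  : simple bind over TLS instead of cleartext on 389 (-h host)
#   -y PASSFILE  : password read from a file, so it is not in argv or history;
#                  write the file with printf '%s' (no trailing newline) and
#                  chmod 600 it, because ldapsearch uses the file content verbatim
#   -E pr=1000   : paged results, 1000 being the default MaxPageSize of a DC
ad_search() {
    host=$1 binddn=$2 passfile=$3 base=$4 filter=$5
    shift 5
    ldapsearch -x -LLL -H "ldaps://$host" -E pr=1000/noprompt \
        -D "$binddn" -y "$passfile" -b "$base" -s sub "$filter" "$@"
}

# ldif_attr ATTR  (reads LDIF on stdin, prints one value per line)
# Handles two things a naive grep misses:
#   - folded lines: LDIF wraps long values and continues them on the next
#     line with a single leading space
#   - base64 values: ldapsearch emits "attr:: <base64>" for non-ASCII values
#     (decoded here; only meaningful for text attributes, not objectSid etc.)
ldif_attr() {
    awk -v want="$1" '
        function flush(   n, name, rest, cmd, dec) {
            if (line == "") return
            n = index(line, ":")
            if (n > 0) {
                name = substr(line, 1, n - 1)
                rest = substr(line, n + 1)
                if (tolower(name) == tolower(want)) {
                    if (substr(rest, 1, 1) == ":") {
                        rest = substr(rest, 2)
                        sub(/^ +/, "", rest)
                        # decode only a clean base64 alphabet: never hand
                        # arbitrary directory data to the shell
                        if (match(rest, "^[A-Za-z0-9+/=]+$")) {
                            dec = ""
                            cmd = "printf %s " rest " | base64 -d"
                            cmd | getline dec
                            close(cmd)
                            rest = dec
                        }
                    } else {
                        sub(/^ +/, "", rest)
                    }
                    print rest
                }
            }
            line = ""
        }
        /^ /  { line = line substr($0, 2); next }   # continuation line
              { flush(); line = $0 }
        END   { flush() }
    '
}

# Constructed sample of what ldapsearch -LLL returns for two user entries:
# one folded memberOf value and one base64-encoded (non-ASCII) description.
SAMPLE_LDIF='dn: CN=Zed Zeppelin,CN=Users,DC=mydomain,DC=com
cn: Zed Zeppelin
sAMAccountName: zzeppelin
description:: WsO8cmljaCBvZmZpY2U=
userAccountControl: 512

dn: CN=Zara Zola,CN=Users,DC=mydomain,DC=com
cn: Zara Zola
sAMAccountName: zzola
memberOf: CN=Domain Admins,CN=Users,DC=mydomain,DC=co
 m
userAccountControl: 514'

# Run ldif_attr over the constructed sample (works offline).
sample_attr() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_attr "$1"
}

# Against a real domain controller the same pipeline would be:
#   printf '%s' 'S3cret' > /tmp/adpw && chmod 600 /tmp/adpw
#   ad_search dc1.mydomain.com adsuser@mydomain.com /tmp/adpw \
#       'dc=mydomain,dc=com' '(&(objectCategory=person)(objectClass=user)(cn=z*))' \
#       sAMAccountName memberOf | ldif_attr memberOf
sample_attr sAMAccountName
```

The post-processor is the part worth keeping around: grepping ldapsearch output for `memberOf:` silently loses every group DN long enough to be folded, and any description or displayName with an umlaut in it arrives as base64. The alphabet check before the decode is there because the values come from the directory, not from you.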
Fun stuff, but I'm not exactly sure what I would do with this information. Maybe access ADS information without having to log in to Windows.