Querying AD with ldapsearch

List users:

ldapsearch -LLL  -H ldap://wspace.mydomain.com -x  -D 'WSPACE\ENUMuser' -w 'ENUMpass' -E pr=1000/noprompt -b 'ou=mydomain,dc=wspace,dc=mydomain,dc=com' '(&(objectClass=person)(uidNumber=*))' SAMAccountName uid uidNumber
<snip>
dn: CN=A. Prentice,OU=Staff,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
sAMAccountName: U1234567
uid: U1234567
uidNumber: 41234567
<snip>
# pagedresults: cookie=

Let's break that down:

ldapsearch  # the command itself
-LLL  # just a particular way to display the results
-H ldap://wspace.mydomain.com  # the URL where the LDAP server listens
-x  # use simple authentication, not SASL
-D 'WSPACE\ENUMuser'  # the account to use to authenticate to LDAP
-w 'ENUMpass'  # the password that goes with the account on the previous line
-E pr=1000/noprompt  # request the paged-results control: 1000 entries per page (AD's default MaxPageSize) and no pause between pages. Without it the DC stops after the first 1000 entries with "Size limit exceeded"
-b 'ou=mydomain,dc=wspace,dc=mydomain,dc=com'  # the base of the search. We don't want results from e.g. 'ou=blah,dc=wspace,dc=mydomain,dc=com'
'(&(objectClass=person)(uidNumber=*))'  # ask for any entry whose objectClass is person and that has some value for uidNumber
SAMAccountName uid uidNumber  # Show only these attributes
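The output above is LDIF: long values are folded onto continuation lines that begin with a single space (the dn: line is the usual victim), and paged output ends with the "# pagedresults: cookie=" comment, so a grep for ^dn: can silently lose the tail of a DN. The script below is an added example, not code from the original page: it unfolds the LDIF, skips comments, and emits one CSV row per entry for the attributes you name, quoting DNs that contain commas. The sample LDIF is constructed to look like the user listing above.

```shell
#!/bin/sh
# ldif_to_csv: flatten "ldapsearch -LLL" output (LDIF) into CSV.
# Added example for this page, not code from it. Handles three things a
# plain grep does not:
#   - line folding: a line starting with one space continues the previous
#     line (ldapsearch wraps long values such as DNs);
#   - comment lines such as "# pagedresults: cookie=" emitted by -E pr=...;
#   - base64 values ("attr:: xxx"), passed through with a "base64:" prefix.
# Usage: ldapsearch -LLL ... | ldif_to_csv 'sAMAccountName uidNumber dn'
# Attribute names are matched case-insensitively; a missing attribute
# gives an empty field.
ldif_to_csv() {
    awk -v want="$1" '
    function csvq(s) {                       # quote a field if it needs it
        if (s ~ /[",]/) { gsub(/"/, "\"\"", s); return "\"" s "\"" }
        return s
    }
    function emit_row(   i, row) {           # one CSV row per finished entry
        if (!have) return
        row = ""
        for (i = 1; i <= n; i++) row = row (i > 1 ? "," : "") csvq(vals[order[i]])
        print row
        split("", vals); have = 0            # portable way to clear an array
    }
    function handle(l,   p, k, v) {          # one logical (unfolded) LDIF line
        if (l == "")  { emit_row(); return } # blank line terminates an entry
        if (l ~ /^#/) return                 # comment, e.g. the pagedresults cookie
        p = index(l, ":")
        if (p == 0)   return
        k = tolower(substr(l, 1, p - 1))
        v = substr(l, p + 1)
        if (substr(v, 1, 1) == ":") {        # "attr:: <base64>"
            v = substr(v, 2); sub(/^ +/, "", v); v = "base64:" v
        } else {
            sub(/^ +/, "", v)
        }
        vals[k] = v; have = 1
    }
    BEGIN {
        n = split(want, hdr, " ")
        for (i = 1; i <= n; i++) order[i] = tolower(hdr[i])
        row = ""
        for (i = 1; i <= n; i++) row = row (i > 1 ? "," : "") hdr[i]
        print row                            # header line
    }
    /^ / { buf = buf substr($0, 2); next }   # continuation line: unfold into buf
    { if (pending) handle(buf); buf = $0; pending = 1 }
    END  { if (pending) handle(buf); emit_row() }
    '
}

# Constructed sample shaped like the paged user listing above; the first dn
# is folded the way ldapsearch folds long lines, the second entry has no uid.
sample_ldif() {
    cat <<'EOF'
dn: CN=A. Prentice,OU=Staff,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=c
 om
sAMAccountName: U1234567
uid: U1234567
uidNumber: 41234567

dn: CN=B. Example,OU=Staff,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
sAMAccountName: U7654321
uidNumber: 47654321
description:: U3RhZmYgYWNjb3VudA==

# pagedresults: cookie=
EOF
}

sample_ldif | ldif_to_csv 'sAMAccountName uidNumber dn'
```

In real use replace sample_ldif with the ldapsearch command from the top of the page; the -E pr=... option is still needed on the ldapsearch side, the script only copes with what that option adds to the output.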

List the bulk of machines:

ldapsearch -LLL  -H ldap://wspace.mydomain.com -x  -D 'WSPACE\ENUMuser' -w 'ENUMpass' -E pr=1000/noprompt -b 'ou=computers,ou=mydomain,dc=wspace,dc=mydomain,dc=com' name | grep '^name:'

... list a few more:

ldapsearch -LLL  -H ldap://wspace.mydomain.com -x  -D 'WSPACE\ENUMuser' -w 'ENUMpass' -b 'cn=computers,dc=wspace,dc=mydomain,dc=com'

... and yet more:

ldapsearch -LLL  -H ldap://wspace.mydomain.com -x  -D 'WSPACE\ENUMuser' -w 'ENUMpass' -b 'ou=extra workstations,ou=computers,ou=mydomain,dc=wspace,dc=mydomain,dc=com'

Troubleshooting

1.

I get a "Size limit exceeded" message from ldapsearch.

The limit itself is enforced by the server: a domain controller returns at most MaxPageSize entries in one response, 1000 by default, and raising that on the DC is rarely an option. The fix is on the client side. Ask for paged results with the -E option of ldapsearch, as shown in the examples above, and ldapsearch will fetch page after page until the server returns an empty cookie.

2.

Ldapsearch doesn't work with the DNs from this page.

Correct. The Distinguished Names shown here belong to one particular forest; there are no standard ones to copy. You have to substitute your own. The server will tell you where to start: a base-scope search of the RootDSE (an empty base DN, which a DC answers even without authentication) returns defaultNamingContext, the DN of the domain itself. From there you can browse with a graphical LDAP client, or make do with ldapsearch and a one-level scope to list the containers directly under a base:

ldapsearch -LLL  -H ldap://wspace.mydomain.com -x  -D 'WSPACE\ENUMuser' -w 'ENUMpass' -b 'ou=mydomain,dc=wspace,dc=mydomain,dc=com' -s one dn

3.

Ldapsearch is giving me "simple bind failed".

Your LDAP server (i.e. the domain controller(s)) may require LDAP signing. A DC configured that way rejects a simple bind on a cleartext ldap:// connection, so the -x -D -w form used above stops working. Strictly speaking a simple bind is still accepted over TLS (ldaps:// on port 636, or StartTLS), but then the DC's certificate has to verify on the client, so the usual route is a Kerberos bind, which signs the session by itself.

So you'll first have to configure Kerberos (see ). You can then do a Kerberos-authenticated ldapsearch, i.e. a SASL bind with the GSSAPI mechanism in place of the simple bind:
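The Kerberos-authenticated search, as an added example rather than code from the original page: a small wrapper that picks the bind method according to the rules in this section. Everything it assumes is my own: the variable names AD_URI, AD_BASE, AD_USER, AD_PWFILE and AD_KRB, the function names, and the realm WSPACE.MYDOMAIN.COM in the usage comment. It uses -Y GSSAPI -Q for the Kerberos (SASL) bind, which a DC that requires signing accepts, and falls back to a simple bind only over ldaps://, reading the password from a file with -y instead of passing it with -w, which would expose it in the process list and the shell history.

```shell
#!/bin/sh
# adsearch: wrapper around ldapsearch for AD that chooses a bind the DC will
# accept. Added example for this page; the variable names are assumptions,
# not anything the page defines.
#   AD_URI    ldap://wspace.mydomain.com or ldaps://wspace.mydomain.com
#   AD_BASE   search base, e.g. ou=mydomain,dc=wspace,dc=mydomain,dc=com
#   AD_USER   account for a simple bind, e.g. WSPACE\ENUMuser
#   AD_PWFILE file holding that account's password; create it with
#             printf '%s' 'ENUMpass' > "$AD_PWFILE" (no trailing newline:
#             ldapsearch -y uses the whole file content) and chmod 600 it
#   AD_KRB    1 = use the Kerberos ticket, 0 = never,
#             unset = use it if klist finds a valid one
# Usage: adsearch '<filter>' [attr ...]

# bind_method prints gssapi, simple or none.
#   gssapi: SASL/GSSAPI bind with the current ticket (kinit first). Signed by
#           construction, so a DC that requires signing accepts it.
#   simple: only over ldaps://; the same DC rejects a cleartext simple bind.
bind_method() {
    case "${AD_KRB:-auto}" in
        1)    echo gssapi; return ;;
        auto) if klist -s 2>/dev/null; then echo gssapi; return; fi ;;
    esac
    case "$AD_URI" in
        ldaps://*) echo simple ;;
        *)         echo none ;;
    esac
}

# ldapsearch_args prints the argument list, one per line, so it can be
# inspected without contacting a server. Paging is always requested.
ldapsearch_args() {
    filter=$1; shift
    printf '%s\n' -LLL -H "$AD_URI" -E pr=1000/noprompt -b "$AD_BASE"
    case "$(bind_method)" in
        gssapi) printf '%s\n' -Y GSSAPI -Q ;;                  # -Q: never prompt
        simple) printf '%s\n' -x -D "$AD_USER" -y "$AD_PWFILE" ;;
        none)
            echo "adsearch: no Kerberos ticket and $AD_URI is not ldaps://;" \
                 "refusing to send a password over cleartext LDAP" >&2
            return 1 ;;
    esac
    printf '%s\n' "$filter" "$@"
}

adsearch() {
    args=$(ldapsearch_args "$@") || return 1
    # Turn the newline-separated list back into positional parameters;
    # filters and DNs may contain spaces but never newlines.
    old_ifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$old_ifs
    ldapsearch "$@"
}

# Example: the user listing from the top of the page, now over Kerberos
# (realm name assumed):
#   kinit ENUMuser@WSPACE.MYDOMAIN.COM
#   AD_KRB=1 AD_URI=ldap://wspace.mydomain.com \
#   AD_BASE='ou=mydomain,dc=wspace,dc=mydomain,dc=com' \
#   adsearch '(&(objectClass=person)(uidNumber=*))' sAMAccountName uid uidNumber
```

The refusal in the none case is deliberate: if there is no ticket and the URI is plain ldap://, the only thing left to try is a cleartext simple bind, which is exactly what the signing policy exists to prevent, so the wrapper fails loudly instead.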

4.

I do such a Kerberos-authenticated ldapsearch, but I get:

ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot determine realm for numeric host address)

Reverse DNS lookup is probably broken. It can happen even though you gave a host name, not an IP address, in the ldapsearch command: by default ldapsearch resolves the name to an address and then canonicalizes it back to a name through reverse DNS before handing it to SASL, and GSSAPI needs that name to build the ldap/<fqdn>@REALM service principal it asks a ticket for. When the reverse lookup fails, all that is left is the numeric address, hence the message. So reverse lookup for the DC's address must work.

To make up for broken DNS, you can put the server's name in /etc/hosts, which serves reverse lookups too. Alternatively, tell ldapsearch to use the name exactly as typed and skip the canonicalization: -N on the command line, or SASL_NOCANON on in ldap.conf.

5.

On a rather clean host, I get ldap_sasl_interactive_bind_s: Unknown authentication method (-6) when doing a Kerberos-authenticated ldapsearch.

This means the SASL library has no GSSAPI mechanism plugin: the ldap-utils package doesn't Depend on it, it only Recommends it. Install the one that matches your Kerberos implementation; sudo apt-get install libsasl2-modules-gssapi-heimdal fixes it on a Heimdal system (libsasl2-modules-gssapi-mit is the counterpart for MIT Kerberos).