Intro

I recently had to migrate authentication for a service from FIPA to Active Directory. It was a bit of fluffing around because the directory structure in FIPA did not exactly align with the directory structure in AD. In this post I will demonstrate how to use the ldapsearch command to search an Active Directory LDAP tree.

You can use PowerShell on the AD server (or any host with the ActiveDirectory RSAT module installed) to find the details of the account you intend to bind with.

cmd
Get-ADUser -Filter 'Name -like "some_user"' -SearchBase "DC=example,DC=com"

DistinguishedName : CN=some_user,OU=some,OU=group,DC=example,DC=com
Enabled           : True
GivenName         : Some
Name              : some_user
ObjectClass       : user
ObjectGUID        : 96f1ea93-4a9e-42a1-97b6-85f1790d2258
SamAccountName    : some_user
SID               : S-1-5-21-1263631716-347569959-4351110812-1290
Surname           : User
UserPrincipalName : some_user@example.com

Either the DistinguishedName or the UserPrincipalName can be passed as the bind DN (-D) when searching LDAP; Active Directory also accepts the DOMAIN\SamAccountName form for a simple bind.

We can now use this information to search AD/LDAP via the ldapsearch command from a Linux host.

cmd
ldapsearch \
    -H ldaps://ad01.example.com -x \
    -b "OU=some,OU=group,DC=example,DC=com" \
    -D "CN=some_user,OU=some,OU=group,DC=example,DC=com" -W

If you cannot install the CA certificate that issued the server's certificate, and you accept that the server's identity will not be verified, you can disable certificate checking by setting the LDAPTLS_REQCERT environment variable to never in front of the command. Be aware of what that gives up: ldaps:// only protects the bind password against a man-in-the-middle when the certificate is checked, so with LDAPTLS_REQCERT=never any host that intercepts the connection receives the password. The better fix is to point the client at the issuing CA with LDAPTLS_CACERT=/path/to/ca.pem (or TLS_CACERT in ldap.conf) and leave LDAPTLS_REQCERT at its default.

cmd
LDAPTLS_REQCERT=never ldapsearch \
    -H ldaps://ad01.example.com -x \
    -b "OU=some,OU=group,DC=example,DC=com" \
    -D "some_user@example.com" -W

An explanation of the options used is as follows.

  • -H - LDAP URI
  • -x - Use simple authentication (the bind password is sent to the server as-is, so only use it over ldaps:// or with StartTLS via -ZZ)
  • -b - Base DN search path
  • -D - Bind DN
  • -W - Prompt for the bind password (prefer this over -w, which puts the password on the command line and in shell history)

The output of the search yields a lot of useful information. For example, the DNs of the groups a user belongs to, returned in the memberOf attribute, can be used to apply permissions. Note that memberOf only lists direct membership: the user's primary group (Domain Users by default) and groups reached through nesting do not appear in it.

cmd
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
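The steps above put together as one script. This is an added example, not code from the original post: it wraps the ldapsearch call in shell functions that escape the user-supplied value before it goes into the LDAP filter, keep certificate checking on by pointing the client at the AD CA, and read the group DNs back out of the LDIF that ldapsearch prints, including values that LDIF has folded across two lines. It also goes one step beyond the post with a filter using the AD matching rule 1.2.840.113556.1.4.1941, which returns nested group membership that memberOf does not show. The hostname, base DN, bind account, CA file path and the sample LDIF are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Host, base DN, bind account
# and CA path below are placeholders (assumptions), as is the sample LDIF.

AD_URI="ldaps://ad01.example.com"
AD_BASE="OU=some,OU=group,DC=example,DC=com"
AD_BIND="some_user@example.com"
AD_CA="/etc/ssl/certs/example-ad-ca.pem"   # assumed path to the issuing CA

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# name such as  *)(objectClass=*  cannot change the meaning of the filter.
# Backslash is handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter matching one user account by sAMAccountName.
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# Filter returning every group the given user DN belongs to, nested groups
# included, via the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN.
nested_groups_filter() {
    printf '(member:1.2.840.113556.1.4.1941:=%s)' "$(ldap_filter_escape "$1")"
}

# Read LDIF on stdin and print the values of one attribute, one per line.
# LDIF folds long values: a line starting with a single space continues the
# previous line, so a plain  grep memberOf  would truncate long group DNs.
# Base64 values ("attr:: ...") are left alone; AD group DNs are plain text.
ldif_values() {
    awk -v attr="$1" '
        function emit() {
            if (index(line, attr ": ") == 1) print substr(line, length(attr) + 3)
            line = ""
        }
        /^ /  { line = line substr($0, 2); next }
              { emit(); line = $0 }
        END   { emit() }
    '
}

# Live query: prompt for the password (-W), verify the server against AD_CA
# instead of disabling checks, and return only memberOf as minimal LDIF (-LLL).
search_user_groups() {
    LDAPTLS_CACERT="$AD_CA" ldapsearch -LLL -H "$AD_URI" -x -W \
        -D "$AD_BIND" -b "$AD_BASE" "$(user_filter "$1")" memberOf \
        | ldif_values memberOf
}

# Constructed sample in the shape ldapsearch -LLL prints, with the third
# group DN folded across two lines the way LDIF does for values over 76 columns.
SAMPLE_LDIF='dn: CN=some_user,OU=some,OU=group,DC=example,DC=com
sAMAccountName: some_user
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
memberOf: CN=long-group-name-that-ldif-folds-over-seventy-six-columns,OU=som
 e,OU=group,DC=example,DC=com
userPrincipalName: some_user@example.com
'

# Offline demonstration of the parser on the constructed sample.
sample_groups() {
    printf '%s' "$SAMPLE_LDIF" | ldif_values memberOf
}

sample_groups
```

Run against a real domain by calling search_user_groups with the sAMAccountName to look up; the escaping matters whenever that name comes from user input rather than from the script itself.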

Outro

That's it. Just a quick post with some examples on how to search an Active Directory LDAP service using the ldapsearch Linux command line utility.