Introduction

I recently had to migrate authentication for a service from FIPA to Active Directory. It was a bit of fluffing around because the directory structure in FIPA did not exactly align with the directory structure in AD. In this post I will demonstrate how to use the ldapsearch command to search an Active Directory LDAP tree.

You can use Powershell on the AD server In order to find out the required details of the bind account.

cmd

Get-ADUser -Filter 'Name -like "some_user"' -SearchBase "DC=example,DC=com"

DistinguishedName : CN=some_user,OU=some,OU=group,DC=example,DC=com
Enabled           : True
GivenName         : Some
Name              : some_user
ObjectClass       : user
ObjectGUID        : 96f1ea93-4a9e-42a1-97b6-85f1790d2258
SamAccountName    : some_user
SID               : S-1-5-21-1263631716-347569959-4351110812-1290
Surname           : User
UserPrincipalName : some_user@example.com
            

The DistinguishedName parameter or the UserPrincipalName can be used as the bind account parameter to search LDAP.

We can now use this information to search AD/LDAP via the ldapsearch command from a linux host.

cmd

ldapsearch \
    -H ldaps://ad01.example.com -x \
    -b "OU=some,OU=group,DC=example,DC=com" \
    -D "CN=some_user,OU=some,OU=group,DC=example,DC=com" -W
            

If you are unable to import the certificates and trust the server is legitimate you can ignore self signed certs by adding the LDAPTLS_REQCERT=never parameter to the query.

cmd

LDAPTLS_REQCERT=never ldapsearch \
    -H ldaps://ad01.example.com -x \
    -b "OU=some,OU=group,DC=example,DC=com" \
    -D "some_user@example.com" -W
            

An explanation of the options used is as follows.

  • -H LDAP URI
  • -x Use simple authentication
  • -b Base DN search path
  • -D Bind DN
  • -W Ask for password

The output of the search yields a lot of useful information. For example the DN of the groups a user belongs to can be used to apply permissions.

cmd

memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
            

Summary

That's it. Just a quick post with some examples on how to search an Active Directory LDAP service using the ldapsearch linux command line utility.

linux windows ldap active-directory