published: 31st of May 2019
I recently had to migrate authentication for a service from FIPA to Active Directory. It was a bit of fluffing around because the directory structure in FIPA did not exactly align with the directory structure in AD. In this post I will demonstrate how to use the ldapsearch command to search an Active Directory LDAP tree.
You can use PowerShell on the AD server to find out the required details of the bind account.
```
Get-ADUser -Filter 'Name -like "some_user"' -SearchBase "DC=example,DC=com"

DistinguishedName : CN=some_user,OU=some,OU=group,DC=example,DC=com
Enabled           : True
GivenName         : Some
Name              : some_user
ObjectClass       : user
ObjectGUID        : 96f1ea93-4a9e-42a1-97b6-85f1790d2258
SamAccountName    : some_user
SID               : S-1-5-21-1263631716-347569959-4351110812-1290
Surname           : User
UserPrincipalName : firstname.lastname@example.org
```
Either the DistinguishedName or the UserPrincipalName can be used as the bind account parameter when searching LDAP.
We can now use this information to search AD/LDAP with the ldapsearch command from a Linux host.
```
ldapsearch \
  -H ldaps://ad01.example.com -x \
  -b "OU=some,OU=group,DC=example,DC=com" \
  -D "CN=some_user,OU=some,OU=group,DC=example,DC=com" -W
```
If you are unable to import the certificates and you trust that the server is legitimate, you can ignore self-signed certs by setting the LDAPTLS_REQCERT=never environment variable for the command. This turns off certificate verification altogether, so the client no longer confirms it is talking to the genuine server; importing the issuing CA certificate into the client's trust store is the proper fix.
```
LDAPTLS_REQCERT=never ldapsearch \
  -H ldaps://ad01.example.com -x \
  -b "OU=some,OU=group,DC=example,DC=com" \
  -D "email@example.com" -W
```
An explanation of the options used is as follows.
-H ldaps://ad01.example.com : the URI of the directory server; the ldaps scheme connects over TLS (port 636 by default).
-x : use simple authentication (a bind DN and password) rather than SASL.
-b "OU=some,OU=group,DC=example,DC=com" : the base DN from which the search starts.
-D "CN=some_user,..." : the account to bind as, given as its DN or, as AD accepts, its UserPrincipalName.
-W : prompt for the bind password instead of putting it on the command line where it would land in shell history.
The output of the search yields a lot of useful information. For example the DN of the groups a user belongs to can be used to apply permissions.
```
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
```
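Turning those memberOf lines into a permission decision needs a small parser, because ldapsearch prints LDIF: values longer than 76 columns are folded onto a continuation line that starts with a single space, and values that are not safe ASCII are emitted base64-encoded after a double colon. The script below is an added example (not from the post); the LDIF it parses is constructed inline, and the group name "automation" standing for the permission being granted is a hypothetical choice.

```shell
#!/bin/sh
# Added example: parse ldapsearch LDIF offline and decide access from memberOf.
# Constructed sample of what ldapsearch prints; the second memberOf value is
# folded across two lines and the third is base64-encoded (non-ASCII group name).
SAMPLE_LDIF="dn: CN=some_user,OU=some,OU=group,DC=example,DC=com
sAMAccountName: some_user
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=gro
 up,DC=example,DC=com
memberOf:: $(printf '%s' 'CN=réseau,OU=some,OU=group,DC=example,DC=com' | base64)
"

# unfold_ldif: join continuation lines (leading space) back onto the line
# before them so that every attribute sits on exactly one line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# member_of_cns: read LDIF on stdin and print the CN of every memberOf value,
# decoding base64 ("memberOf::") values first.
member_of_cns() {
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            memberOf::\ *) val=$(printf '%s' "${line#memberOf:: }" | base64 -d) ;;
            memberOf:\ *)  val=${line#memberOf: } ;;
            *) continue ;;
        esac
        cn=${val%%,*}            # first RDN of the group DN, e.g. "CN=networks"
        printf '%s\n' "${cn#CN=}"
    done
}

# user_has_group GROUP: succeed if GROUP (hypothetical permission group) is
# among the CNs of the user's memberOf values in SAMPLE_LDIF.
user_has_group() {
    printf '%s' "$SAMPLE_LDIF" | member_of_cns | grep -qx -- "$1"
}

if user_has_group automation; then echo "access granted"; else echo "access denied"; fi
```

Replace SAMPLE_LDIF with the real output of the ldapsearch command above (for example `ldapsearch ... "(sAMAccountName=some_user)" memberOf`) to use the same logic against the directory.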
That's it. Just a quick post with some examples of how to search an Active Directory LDAP service using the ldapsearch Linux command line utility.