LDAP Search Active Directory
Published: 31st of May 2019
Intro
I recently had to migrate authentication for a service from FIPA to Active Directory. It was a bit of fluffing around because the directory structure in FIPA did not exactly align with the directory structure in AD. In this post I will demonstrate how to use the ldapsearch command to search an Active Directory LDAP tree.
You can use PowerShell on the AD server in order to find out the required details of the bind account.
Get-ADUser -Filter 'Name -like "some_user"' -SearchBase "DC=example,DC=com"
DistinguishedName : CN=some_user,OU=some,OU=group,DC=example,DC=com
Enabled : True
GivenName : Some
Name : some_user
ObjectClass : user
ObjectGUID : 96f1ea93-4a9e-42a1-97b6-85f1790d2258
SamAccountName : some_user
SID : S-1-5-21-1263631716-347569959-4351110812-1290
Surname : User
UserPrincipalName : some_user@example.com
Either the DistinguishedName or the UserPrincipalName can be used as the bind DN when searching LDAP.
We can now use this information to search AD/LDAP via the ldapsearch command from a Linux host.
ldapsearch \
-H ldaps://ad01.example.com -x \
-b "OU=some,OU=group,DC=example,DC=com" \
-D "CN=some_user,OU=some,OU=group,DC=example,DC=com" -W
If you are unable to import the CA certificate and trust that the server is legitimate, you can ignore self-signed certificates by setting the LDAPTLS_REQCERT=never environment variable for the command. This disables verification of the server certificate entirely, so the client can no longer tell a genuine AD server from an impostor; it is a troubleshooting aid, not a setting to keep.
LDAPTLS_REQCERT=never ldapsearch \
-H ldaps://ad01.example.com -x \
-b "OU=some,OU=group,DC=example,DC=com" \
-D "some_user@example.com" -W
An explanation of the options used is as follows.
- -H LDAP URI of the server
- -x Use simple (password) authentication
- -b Base DN to search from
- -D Bind DN (or UPN) of the account used to authenticate
- -W Prompt for the bind password
The output of the search yields a lot of useful information. For example, the DNs of the groups a user belongs to (the memberOf attribute) can be used to apply permissions.
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
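As an added example (not code from the original post), here is a small POSIX shell helper that turns the memberOf lines above into group names a service can check permissions against. It handles the two LDIF quirks that trip up scripts: long values folded onto continuation lines, and values ldapsearch base64-encodes (written as memberOf::). The LDIF sample and the group names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pull group CNs out of the
# memberOf attribute in ldapsearch output so they can be matched against
# permissions. Handles folded lines (continuation lines start with one
# space) and base64-encoded values ("memberOf:: ...").
#
# SAMPLE_LDIF is a constructed stand-in for the output of something like:
#   ldapsearch -LLL -H ldaps://ad01.example.com -x -b "DC=example,DC=com" \
#       -D "some_user@example.com" -W "(sAMAccountName=some_user)" memberOf
SAMPLE_LDIF='dn: CN=some_user,OU=some,OU=group,DC=example,DC=com
memberOf: CN=networks,OU=some,OU=group,DC=example,DC=com
memberOf: CN=automation,OU=some,OU=group,DC=example,DC=com
memberOf: CN=long group name that ldapsearch folds,OU=some,OU=gro
 up,DC=example,DC=com
memberOf:: Q049b3BzLERDPWV4YW1wbGUsREM9Y29t
'

# unfold_ldif: join LDIF continuation lines back onto the line they belong to.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# group_cns: print the CN of every memberOf value (LDIF on stdin), one per line.
# Note: CNs containing an escaped comma ("\,") are not handled here.
group_cns() {
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            "memberOf:: "*) value=$(printf '%s' "${line#memberOf:: }" | base64 -d) ;;
            "memberOf: "*)  value=${line#memberOf: } ;;
            *) continue ;;
        esac
        cn=${value#CN=}
        printf '%s\n' "${cn%%,*}"
    done
}

# in_group NAME: exit 0 if the user (LDIF on stdin) is a member of group NAME.
in_group() {
    group_cns | grep -qxF -- "$1"
}

# Example run: gate a role on AD group membership.
printf '%s' "$SAMPLE_LDIF" | in_group automation && echo "automation: yes"
```

In real use, replace the constructed SAMPLE_LDIF with the output of the ldapsearch command shown in the comment.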
Outro
That's it. Just a quick post with some examples on how to search an Active Directory LDAP service using the ldapsearch Linux command-line utility.
Links
https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser?view=win10-ps