Discussion:
ldapsearch of Active Directory?
Vsevolod (Simon) Ilyushchenko
2003-02-26 00:20:38 UTC
Hi,

I am trying to access AD using ldapsearch like this:
ldapsearch -x -h server -b "dc=our-domain,dc=com"

Instead of the expected list of all users I get a whopping 17 entries:
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.

A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I have
to bind in order to do it?

Thanks,
Simon
--
Simon (Vsevolod Ilyushchenko) ***@cshl.edu
http://www.simonf.com

"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
Andrew Petrov
2003-02-26 00:54:18 UTC
Hi,
I tried a similar search, but used the administrator account as bind dn.

I got a lot more data, but not all the attributes (such as passwords).

Anyone tried to use Net::LDAP for this?

Thanks,
- Andrew.
Post by Vsevolod (Simon) Ilyushchenko
Hi,
ldapsearch -x -h server -b "dc=our-domain,dc=com"
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.
A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I have
to bind in order to do it?
Thanks,
Simon
--
http://www.simonf.com
"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
--

***@keyspanenergy.com (718) 403-2854
"Nothing is impossible, it's just a matter of time and money."
Rich Graves
2003-02-26 01:40:21 UTC
Post by Andrew Petrov
I got a lot more data, but not all the attributes (such as passwords).
Anyone tried to use Net::LDAP for this?
Sure, lots and lots of people. Many, many threads on the
perl-dap.sourceforge.net lists.

AD does not store userpassword (except possibly if you use AD for UNIX) but
you can set a password with something like this. AD will only allow you to do
this in a 128-bit encrypted session, which requires you to install a cert
in AD (or run the "magical" and dangerous Microsoft Certificate Service).

# See http://support.microsoft.com/?kbid=269190
# $passwddn/$passwdpw: bind info for a user with password reset privilege
# Net::LDAPS requires Net::SSLeay
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);
use Encode qw(encode);

$winldap = Net::LDAPS->new($domain_controller) or die "connect: $@";
$msg = $winldap->bind($passwddn,
                      timeout  => 7,
                      password => $passwdpw,
                      version  => 3);
$msg->code and die "bind: " . $msg->error;
# AD wants the new password wrapped in double quotes, encoded as UTF-16LE
$quotepw = '"' . $cleartextpassword . '"';
$unicodepwd = encode('UTF-16LE', $quotepw);
# escape $uid so a stray '*' or ')' cannot change the filter
$result = $winldap->search(base   => $win::domain,
                           filter => "(samaccountname=" . escape_filter_value($uid) . ")");
$result->code and die "search: " . $result->error;
$entry = $result->entry(0) or die "no entry for $uid";
$entry->replace('unicodePwd' => $unicodepwd);
$msg = $entry->update($winldap);
$msg->code and die "update: " . $msg->error;

Some vaguely related refs:

http://web.brandeis.edu/pages/view/Network/ActiveDirectoryTools
Post by Andrew Petrov
ldapsearch -x -h server -b "dc=our-domain,dc=com"
AD doesn't let you look at anything but schema without authenticating.

You might also need more specific queries. I'm not sure how, but I know our
AD refuses queries that would return too many results (not even a "partial
results; too many entries" error returned like OpenLDAP does).

If you're on a RedHat 8 box or any other reasonable system with kerberos
configured to point at your AD Kerberos domain, you can bind without a
password:

kinit && ldapsearch -Y GSSAPI -H ldap://domain.controller.com/ \
-b 'ou=users,dc=controller,dc=com' 'cn=joeschmo'
--
Rich Graves <***@brandeis.edu>
UNet Systems Administrator
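The unicodePwd encoding that the Perl snippet above relies on is easy to get subtly wrong (a NUL must follow every UTF-16 code unit, including the closing quote). The following is an added example, not code from the thread or from Net::LDAP: it builds the value both ways, emits the LDIF modify record that ldapmodify would send, and refuses anything but an ldaps:// URI, since the post notes AD only accepts this over an encrypted session. The DN and password are constructed sample values.

```python
import base64


def require_encrypted_uri(uri: str) -> str:
    """AD rejects unicodePwd changes on a cleartext connection.

    Assumption for this example: LDAPS is the only transport considered, so
    anything other than an ldaps:// URI is refused before a password is built.
    """
    if not uri.lower().startswith("ldaps://"):
        raise ValueError(f"refusing to send a password over {uri!r}; use ldaps://")
    return uri


def encode_unicode_pwd(cleartext: str) -> bytes:
    """Wrap the password in double quotes and encode UTF-16LE with no BOM.

    This is the form AD expects in the unicodePwd attribute.
    """
    return f'"{cleartext}"'.encode("utf-16-le")


def nul_join_encode(cleartext: str) -> bytes:
    """The NUL-join trick from the Perl snippet, done correctly.

    A NUL byte goes after *every* character, the closing quote included, which
    equals UTF-16LE only for code points below 256; anything else is refused
    rather than silently producing a different password.
    """
    quoted = f'"{cleartext}"'
    try:
        return "\0".join(quoted).encode("latin-1") + b"\0"
    except UnicodeEncodeError as exc:
        raise ValueError("NUL-join trick only covers Latin-1; use encode_unicode_pwd") from exc


def password_reset_ldif(user_dn: str, cleartext: str) -> str:
    """LDIF modify record replacing unicodePwd.

    The value is binary, so LDIF carries it base64-encoded after a double colon.
    """
    b64 = base64.b64encode(encode_unicode_pwd(cleartext)).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; nothing here talks to a directory.
    require_encrypted_uri("ldaps://dc.example.com")
    print(password_reset_ldif("CN=Joe Schmo,CN=Users,DC=example,DC=com", "x"))
```

The LDIF printed at the end is what you would feed to ldapmodify over the same ldaps:// connection; the encoding functions are kept separate so they can be unit-tested without a domain controller.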
Florian Stahl
2003-02-26 02:16:09 UTC
Hi list,

I sure do know this should be a question of the 20th century...

I have this old Macintosh hooked to my network with MacOS 9 to a RedHat
Linux Server running netatalk, and the Appleshare Network Browser accesses my
LDAP directory in the default base.

Does anyone know how I can set up LDAP data structure to provide Appleshare
Information, such as shares, URI, authentication, etc?

I have found the attributes that LDAP-based eDirectory from Netware uses for
the above data, but is there a schema for MacOS 9 filesharing, and if not,
what objects / attributes do I need to have the required data available to
Mac clients?!

thank you in advance

Florian
(***@xantury.com)
Vsevolod (Simon) Ilyushchenko
2003-02-26 18:58:32 UTC
Hi all (and privet to Andrew),

Thanks a lot for the answers!

What are the bind dn and the administrator password called in the
Microsoft world? (That is, what are the words I have to say to the
Windows admin? :)

I have tried using the "managedBy" DN from the root node as the bind DN.
(It was our Windows admin's account.) I got this:

---cut here
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0


# numResponses: 1
---cut here

This is not a simple "invalid password" error, as I tried a bad password
and got a different "Invalid credentials" error.

Thanks,
Simon
Post by Andrew Petrov
Hi,
I tried a similar search, but used the administrator account as bind dn.
I got a lot more data, but not all the attributes (such as passwords).
Anyone tried to use Net::LDAP for this?
Thanks,
- Andrew.
Post by Vsevolod (Simon) Ilyushchenko
Hi,
ldapsearch -x -h server -b "dc=our-domain,dc=com"
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.
A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I have
to bind in order to do it?
Thanks,
Simon
--
http://www.simonf.com
"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
--
"Nothing is impossible, it's just a matter of time and money."
--
Simon (Vsevolod Ilyushchenko) ***@cshl.edu
http://www.simonf.com

"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
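Simon's point above is that the "Operations error" block is not the "Invalid credentials" block a bad password produces. When scripting ldapsearch against AD it helps to parse the result block rather than eyeball it: the LDAP result code says which class of failure occurred, and AD's text field carries its own Win32 code, a DSID, and a data sub-code that, for bind failures, says why. This is an added example, not from the thread; the first sample is the exact block Simon posted, the second is a constructed bind failure in the shape AD emits (its DSID and version tail are made up), and the data sub-code table covers the commonly documented values only.

```python
import re

# RFC 4511 result codes that come up when triaging binds and searches against AD
LDAP_RESULT_NAMES = {
    0: "success",
    1: "operationsError",
    4: "sizeLimitExceeded",
    10: "referral",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# AD's "data" sub-codes for an invalidCredentials (49) bind failure
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Sample 1: the block posted in this thread, verbatim.
SAMPLE_OPERATIONS_ERROR = """\
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0

# numResponses: 1
"""

# Sample 2: constructed bind failure; DSID and "v1db1" are made-up filler.
SAMPLE_INVALID_CREDENTIALS = """\
# search result
search: 2
result: 49 Invalid credentials
text: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

# numResponses: 1
"""

RESULT_RE = re.compile(r"^result:\s*(\d+)\s*(.*)$", re.M)
TEXT_RE = re.compile(r"^text:\s*(.*)$", re.M)
# Win32 code, SvcErr/LdapErr, DSID, optional "problem N (NAME)", optional comment, data
AD_TEXT_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:,\s*problem\s+(?P<problem>\d+)\s+\((?P<problem_name>\w+)\))?"
    r"(?:,\s*comment:\s*(?P<comment>[^,]+))?"
    r",\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_ldapsearch_result(output: str) -> dict:
    """Pull the result code and AD's diagnostic fields out of ldapsearch LDIF output."""
    m = RESULT_RE.search(output)
    if not m:
        raise ValueError("no 'result:' line in ldapsearch output")
    code = int(m.group(1))
    info = {"code": code, "name": LDAP_RESULT_NAMES.get(code, "unknown"),
            "message": m.group(2).strip()}
    t = TEXT_RE.search(output)
    if t:
        info["text"] = t.group(1).strip()
        ad = AD_TEXT_RE.search(info["text"])
        if ad:
            info["ad"] = {k: v for k, v in ad.groupdict().items() if v is not None}
            if code == 49:  # only bind failures carry the documented data sub-codes
                info["ad"]["data_meaning"] = AD_BIND_DATA.get(
                    ad.group("data").lower(), "unknown sub-code")
    return info


def summarize(info: dict) -> str:
    """One-line triage string suitable for a log or a monitoring alert."""
    parts = [f"LDAP result {info['code']} ({info['name']})"]
    ad = info.get("ad")
    if ad:
        parts.append(f"AD code {ad['win32']} via {ad['kind']}")
        if "problem_name" in ad:
            parts.append(f"problem {ad['problem']} {ad['problem_name']}")
        if "data_meaning" in ad:
            parts.append(f"data {ad['data']}: {ad['data_meaning']}")
    return "; ".join(parts)


if __name__ == "__main__":
    for sample in (SAMPLE_OPERATIONS_ERROR, SAMPLE_INVALID_CREDENTIALS):
        print(summarize(parse_ldapsearch_result(sample)))
```

Run over the thread's own block it reports result 1 with a SvcErr rather than result 49, which is exactly the distinction Simon drew by hand; the bind-failure branch is there so the same script tells a locked or disabled account apart from a mistyped password without re-running the query.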
Andrew Petrov
2003-02-26 20:05:41 UTC
Post by Vsevolod (Simon) Ilyushchenko
Hi all (and privet to Andrew),
Thanks a lot for the answers!
What are the bind dn and the administrator password called in the
Microsoft world? (That is, what are the words I have to say to the
Windows admin? :)
It depends. Is it a test AD environment or a production one? I don't think
your M$ admin would be too happy to give you the admin password for your
production domain.
If it's a test, then the admin dn is usually
CN=Administrator,CN=Users,DC=<your domain>,DC=com

Also, try using MMC and explore your tree. At this point my frustration with AD
involves its user naming scheme. It insists on the CN attribute as a user RDN,
but I don't think this would work well in an enterprise environment with
hundreds of users with identical names.

How are other people coping with that?

Thanks,
- Andrew.
Post by Vsevolod (Simon) Ilyushchenko
I have tried using the "managedBy" DN from the root node as the bind DN.
---cut here
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
# numResponses: 1
---cut here
This is not a simple "invalid password" error, as I tried a bad password
and got a different "Invalid credentials" error.
Thanks,
Simon
Post by Andrew Petrov
Hi,
I tried a similar search, but used the administrator account as bind dn.
I got a lot more data, but not all the attributes (such as passwords).
Anyone tried to use Net::LDAP for this?
Thanks,
- Andrew.
Post by Vsevolod (Simon) Ilyushchenko
Hi,
ldapsearch -x -h server -b "dc=our-domain,dc=com"
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.
A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I have
to bind in order to do it?
Thanks,
Simon
--
http://www.simonf.com
"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
--
"Nothing is impossible, it's just a matter of time and money."
--
http://www.simonf.com
"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
--

***@keyspanenergy.com (718) 403-2854
"Nothing is impossible, it's just a matter of time and money."
Don Hayward
2003-05-27 14:32:18 UTC
My apologies for being off topic, but the problem relates in a general
way to LDAP and perhaps the people here either have an LDAP solution
or know of other ways to accomplish this.

I have a colleague who has been using the Roaming Access facility in
Netscape 4.xx for several years. He has developed an extensive
addressbook with several lists to which he regularly makes changes.
He needs to migrate to a newer browser/mail-reader for several
reasons, the most pressing being that lately, whenever he tries to
change the addressbook, Netscape 4.xx crashes. But he definitely needs
location independence, that is, to have his lists available to him from
several locations.

Can I help him with an LDAP setup? Would he need his own LDAP
database (backend) so that he could modify the directory himself? I'm
currently running a laboratory wide LDAP server for some
authentication and other directory services.

I appreciate any pointers. Thanks.

Don Hayward ***@mote.org
Mote Marine Laboratory Office: 941.388.4441 Cell: 941.302.4982
1600 Ken Thompson Parkway Fax: 941.388.4312
Sarasota, FL 34236 See: http://www.mote.org
Independent, non-profit, marine and estuarine research and education facility.
For PGP public key do: http://www.mote.org/~don/donpgp.asc
use "DISCLAIMER"; # We run Debian Linux
Taxes feed the starving and clothe the naked.

Kurt D. Zeilenga
2003-02-26 23:38:27 UTC
What are the bind dn and the administrator password called in the Microsoft world? (That is, what are the words I have to say to the Windows admin? :)
I suggest you ask such questions in a forum specific to the
Microsoft products you are trying to use. Thanks, Kurt
Shane Stakem
2003-02-26 01:27:49 UTC
I have migrated our dev environment to support ldapsearches and have had
great success with it. I used a sloppy but stable tool on our AD
servers called AD4Unix http://www.css-solutions.ca/ad4unix/ this allows
Linux/Unix to interoperate with Win2K Server. The ldapsearch doesn't
really work until you allow anonymous searches. If I remember correctly
there is a Q article on the matter.

Cheers,

Shane

-----Original Message-----
From: Andrew Petrov [mailto:***@keyspanenergy.com]
Sent: Tuesday, February 25, 2003 4:54 PM
To: Vsevolod (Simon) Ilyushchenko
Cc: openldap-***@OpenLDAP.org
Subject: Re: ldapsearch of Active Directory?


Hi,
I tried a similar search, but used the administrator account as bind
dn.

I got a lot more data, but not all the attributes (such as passwords).

Anyone tried to use Net::LDAP for this?

Thanks,
- Andrew.
Hi,
I am trying to access AD using ldapsearch like this:
ldapsearch -x -h server -b "dc=our-domain,dc=com"
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.
A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I
have to bind in order to do it?
Thanks,
Simon
--
http://www.simonf.com
"Large software projects are like werewolves because
they transform unexpectedly from the familiar into horrors."
Fred Brooks
--

***@keyspanenergy.com (718) 403-2854
"Nothing is impossible, it's just a matter of time and money."
Beast
2003-02-26 15:39:31 UTC
Post by Vsevolod (Simon) Ilyushchenko
Hi,
ldapsearch -x -h server -b "dc=our-domain,dc=com"
The first one is what I presume to be the root node, with managedBy,
masteredBy etc attributes, and the rest describe root DNS servers. And
then there is a reference to a CN=Configuration entry.
A similar search run on an Openldap server produces the complete dump.
Does anyone have an idea of how to do a similar dump of AD? Or do I have
to bind in order to do it?
Hello,

Use an LDAP administrator/browser. It will save much of your time.

http://www.ldapadministrator.com/main/index.php