Posts Tagged ‘AD’

How to query LDAP (Windows Domain Controller) directory entries from Linux – ldapsearch common searche examples

Tuesday, November 18th, 2014

active-directory-logo
If you have a hybrid network of Windows servers and computers in Active Directory (AD) Domain Names and Linux hosts hosting various Java / PHP / Python applications like many of the middle and big companies (organization) have, sooner or later you will have to deploy an application which uses some some user authentication from the Linux host to Windows Domain Controller, you will end up in need to be able to query the AD, which is using LDAP (Lightweight Directory Access Protocol) to store the AD user credentials and tons of other information important for proper Active Directory operations.

LDAP is a key industry standard for storing and accessing distributed directory information services over Internet Protocol (IP). LDAP is great for sharing of information about users, systems, networks, services, and applications throughout the network. The corporate world nowadays would have been impossible without LDAP.
As of time of writting latest RFC  (Resource for Comment) 4511 document describes industrial specification of LDAP version 3.0 and therefore this is the most often used and implemented version.

LDAP protocol supports generally following operations:

Adding, Delete, Bind (Authenticate to LDAP server), Delete Search and Compare, Modify and Modify DN (Distringuished Name)
Deleting recordsh

On Linux to retrieve / locate AD entries, there is ldapsearch  command which opens connection to LDAP host server port, with set username and password. ldapsearch tool makes its search based on a filter.

To have make and modify queries in LDAP from GNU / Linux you will have to have installed ldap-utils on Debian, i.e.:

apt-get –yes install ldap-utils


to have ldapseach, ldapmodify, ldapsearch ldappasswd on CentOS / Redhat Linux, you need openldap-clients.x86_64

yum -y install openldap-clients.x86_64

Returned result from ldapsearch clients will be returned in LDIF format (LDAP Data Interchange format).

ldapsearch basic format is like thsi:

ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]

ldapsearch could query (LDAP – ADs) in unencrypted form simple LDAP, encrypted form with SSL certificate (LDAPs) or through LDAP with STARTTLS.
Logically most organizations nowadays are using LDAPs, as it offers the highest level of security. Unencrypted LDAP servers listen usually on
port 389, LDAPs communicates on port 636 once an SSL handshake is made between client and server and LDAP with STARTTLS communicates on standard port 389.

Here is 3 examples of common  ldapsearch queries

1. Return all entries in LDAP server
 

ldapsearch -D "cn=directory manager" -w secret -p 389 -h ldap.your-organization.org -b "dc=your-organization,dc=com" -s sub "(objectclass=*)"


"objectclass=*" is a serch filter matching all entries in the directory (time and size limits on output limit set for the server will take affect)

2. Searching the Root DSE Entry

root DSE is special entry containing list of all suffixes supported by local Directory Server. Getting root DSE is done with  base of "", a search scope of base, and a filter of "objectclass=*"

ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org  -b "dc=your-organization,dc=com" -s sub "cn=babs jensen"

 

3. Searching Directory Server Schema Entry

LDAP server stores all directory server schema in special entry cn=schema.
schema entry contains information on every object class and attribute defined for the Directory Server. Command to searches  contents of the cn=schema entry is:
 

ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org -b "cn=schema" -s base "objectclass=*"


4. Check whether cn=My-Account1 account is working and enabled

ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=My-Acount1)(objectclass=my-org-Account))'


5. check all members of cn=MY_ADMINISTRATION

 

ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=MY_ADMINISTRATION)(member=*))'

 

6. check all members of all groups belonging to user
 

ldapsearch -H ldaps://ldaps.your-organization.org -b ou=ABC,ou=ABC1,ou=ABC2,ou=groups,ou=ABC,o=my-org,c=ABC -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(cn=*)'
 

Whether ldapsearch queries are to be common and scripted or just for simplification of readability of query to LDAP it is useful to use LDAP_BASEDN – a query search base. By setting search base you can further omit in query -b

export LDAP_BASEDN="dc=your-organization,dc=com"
ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldap.your-organization.org "cn=labs jordan"

In Linux LDAP's open-source implementation is called OpenLDAP.
On Linux LDAP protocol can be easily integrated / used in combination with FTP servers (such as proftpd), DNS servers, Mail Servers (Courier), Samba servers, Radius (IP Telephony), sudo, as well as most programming languages such as PHP, Python etc.