
Re: ldapsearch of Active Directory?
On Tue, 25 Feb 2003, Andrew Petrov wrote:

> I got a lot more data, but not all the attributes (such as passwords).
> 
> Anyone tried to use Net::LDAP for this?

Sure, lots and lots of people. Many, many threads on the 
perl-dap.sourceforge.net lists.

AD does not store userpassword (except possibly if you use AD for UNIX), but 
you can set the password with something like this. AD will only allow you to do 
this in a 128-bit encrypted session, which requires you to install a cert 
in AD (or run the "magical" and dangerous Microsoft Certificate Service).

# See http://support.microsoft.com/?kbid=269190
# $passwddn/$passwdpw: bind info for a user with password reset privilege
# Net::LDAPS requires Net::SSLeay
use Net::LDAPS;
use Encode qw(encode);
$winldap = Net::LDAPS->new($domain_controller, timeout => 7)
    or die "cannot connect to $domain_controller: $@";
$msg = $winldap->bind($passwddn, password => $passwdpw, version => 3);
die "bind failed: ", $msg->error if $msg->code;
# AD wants the new password wrapped in double quotes and encoded as
# UTF-16LE (no BOM, no terminator); Encode gets that right for non-ASCII
# too, unlike interleaving "\0" between the bytes by hand.
$unicodepwd = encode('UTF-16LE', '"' . $cleartextpassword . '"');
$result = $winldap->search(base => $win::domain,
  filter => "(samaccountname=$uid)");
die "search failed: ", $result->error if $result->code;
$entry = $result->entry(0) or die "no entry for $uid";
$entry->replace('unicodePwd' => $unicodepwd);
$msg = $entry->update($winldap);
die "password change failed: ", $msg->error if $msg->code;

Some vaguely related refs:

http://web.brandeis.edu/pages/view/Network/ActiveDirectoryTools

Original poster said:

> I am trying to access AD using ldapsearch like this:
> ldapsearch -x -h server -b "dc=our-domain,dc=com"

AD doesn't let you look at anything but schema without authenticating.

You might also need more specific queries. I'm not sure how, but I know our
AD refuses queries that would return too many results (not even a "partial
results; too many entries" error returned like OpenLDAP does).

If you're on a RedHat 8 box or any other reasonable system with kerberos 
configured to point at your AD Kerberos domain, you can bind without a 
password:

kinit && ldapsearch -Y GSSAPI -H ldap://domain.controller.com/ \
  -b 'ou=users,dc=controller,dc=com' 'cn=joeschmo'
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator