Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Ldapsearch notes

This post will be updated over time.

List all members of an AD group, including nested group membership

ldapsearch -b 'dc=example,dc=com' -s 'sub' -x -D 'CN=B Stack,OU=Domain Users,DC=example,DC=com' -W -H 'ldaps://ds5.example.com:636' '(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=com))' samaccountname | awk 'tolower($1)=="samaccountname:"{print $2;}'

Source: AD via ldap - how can I return all ancestor groups from a query [stackoverflow.com]

List all groups of an AD user, including nested groups

ldapsearch -LLL -O maxssf=0 -o ldif-wrap=300 '(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Domain Users,DC=ad,DC=example,DC=com))' dn 2>/dev/null | sed -r -e 's/^\s*#.*//g;' -e '/^\s*$/d;'
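Both commands above lean on the AD-specific matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which makes the server walk nested group membership for you. The following is an added example, not part of the original post, that models what that rule computes over a small constructed directory (a group graph with a deliberate cycle, which AD permits), in both directions: members of a group, and groups of a user. It also shows RFC 4515 escaping of the DN that is spliced into the filter; the group and user DNs are the ones used in the post, and the directory contents are made up.

```python
"""Client-side model of the in-chain matching rule plus filter escaping.
Added example for illustration; the directory below is constructed, not real."""
from collections import deque

# Constructed sample data: group DN -> direct member DNs (users or groups).
DIRECTORY = {
    "CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=com": [
        "CN=linux_admins,OU=Linux,OU=Security Groups,DC=example,DC=com",
        "CN=B Stack,OU=Domain Users,DC=example,DC=com",
    ],
    "CN=linux_admins,OU=Linux,OU=Security Groups,DC=example,DC=com": [
        "CN=John Doe,OU=Domain Users,DC=example,DC=com",
        # nesting cycle: linux_admins contains complex_sample_group, which contains linux_admins
        "CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=com",
    ],
    "CN=unrelated,OU=Security Groups,DC=example,DC=com": [
        "CN=Jane Roe,OU=Domain Users,DC=example,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value (the DN after ':=' in the filter).
    A DN containing '(', ')', '*' or '\\' would otherwise change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def in_chain_filter(attribute: str, dn: str) -> str:
    """Build the '(attr:1.2.840.113556.1.4.1941:=DN)' filter the post uses, DN escaped."""
    return "(%s:1.2.840.113556.1.4.1941:=%s)" % (attribute, escape_filter_value(dn))


def members_in_chain(group_dn, directory=DIRECTORY):
    """Transitive (non-group) members of a group: what the first command's
    (memberof:...:=group) filter matches on user objects. The visited set
    terminates on nested cycles."""
    seen, queue, users = set(), deque([group_dn]), set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member in directory:      # member is itself a group: descend into it
                queue.append(member)
            else:
                users.add(member)
    return sorted(users)


def groups_in_chain(user_dn, directory=DIRECTORY):
    """Transitive groups of a user: what the second command's
    (member:...:=user) filter matches on group objects."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, []).append(group)
    seen, queue = set(), deque(parents.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, []))
    return sorted(seen)


if __name__ == "__main__":
    group = "CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=com"
    print(in_chain_filter("memberof", group))
    for user in members_in_chain(group):
        print("  member:", user)
    for g in groups_in_chain("CN=John Doe,OU=Domain Users,DC=example,DC=com"):
        print("  group of John Doe:", g)
```

The escaping matters whenever the DN comes from user input or from an earlier query: an unescaped parenthesis or asterisk in a CN turns a membership lookup into a different filter.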

Source: Active Directory: LDAP Syntax Filters [social.technet.microsoft.com]

Multiple servers

If your LDAPS servers' certificates do not carry the correct SANs, and therefore do not present a certificate matching the name you connect to, just list the individual servers as multiple URIs in ldap.conf.

URI     ldaps://ad.example.com ldaps://dc201.ad.example.com ldaps://dc202.ad.example.com ldaps://dc101.ad.example.com ldaps://dc102.ad.example.com

Use host kerberos auth and work with AD

ldapsearch -LLL -O maxssf=0 -o ldif-wrap=300 '(cn=User Name)' memberOf 2>/dev/null | sed -r -e 's/^\s*#.*//g;' -e '/^\s*$/d;'

The -O maxssf=0 is needed because it stops the client from negotiating a SASL security layer after the Kerberos (GSSAPI) bind, which otherwise fails against AD; the -o ldif-wrap=300 just stops long DNs from being folded across lines so the sed output stays one value per line. Source: Can't query AD using kerberos from linux host [serverfault.com]
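The sed and awk post-processing in these commands depends on two output details: comment and blank lines (suppressed by -LLL), and LDIF folding of long values onto continuation lines (avoided by -o ldif-wrap=300). The following is an added example, not from the original post, of a small LDIF reader that handles both properly, plus base64 "::" values, which ldapsearch emits for any non-ASCII DN; the sample output is constructed to look like ldapsearch run without those options, and the base64 value decodes to the made-up DN "CN=Ü,DC=x". Note also that awk's $2 is only safe for space-free values like sAMAccountName; a DN such as "CN=B Stack,..." is cut at the first space.

```python
"""Parse ldapsearch LDIF output robustly (unfolding, comments, base64 values).
Added example; SAMPLE_LDIF is constructed, not captured from a real server."""
import base64

# Constructed sample of ldapsearch output WITHOUT -LLL and WITHOUT -o ldif-wrap:
# comment lines, one memberOf value folded onto a continuation line (leading space),
# one base64 value ("memberOf::", the base64 of "CN=Ü,DC=x"), and the trailer.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
dn: CN=User Name,OU=Domain Users,DC=ad,DC=example,DC=com
memberOf: CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=c
 om
memberOf: CN=linux_admins,OU=Linux,OU=Security Groups,DC=example,DC=com
memberOf:: Q049w5wsREM9eA==

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line.
    This is the work that -o ldif-wrap=300 makes unnecessary for values under 300 columns."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.
    Comments and blank lines are dropped (what the post's sed expressions do), and
    'attr:: <base64>' values are decoded. Only records with a dn are kept, which
    discards the 'search:'/'result:' trailer that -LLL would have suppressed."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                      # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [entry for entry in entries if "dn" in entry]


def grep_style(text, attr):
    """What a plain grep/awk on the raw (unwrapped-by-nobody) output sees: the folded
    DN is truncated at the fold, because the continuation line does not start with
    the attribute name, and the base64 value is returned still encoded."""
    prefix = attr + ":"
    return [line[len(prefix):].strip() for line in text.splitlines() if line.startswith(prefix)]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        for group in entry.get("memberOf", []):
            print("  memberOf:", group)
    print("naive view:", grep_style(SAMPLE_LDIF, "memberOf"))
```

The parser reads the same stream the sed pipeline does, so it can be fed `ldapsearch ... | python3 thisfile.py` style input once the sample is swapped for stdin; the point is that the folded value comes back whole and the non-ASCII DN comes back decoded.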

Extensible searches

ldapsearch -o ldif-wrap=800 -LLL -b "dc=ipa,dc=example,dc=com" '(&(uid=bgstack15)(cn:dn:=accounts))' dn

This matches only entries whose DN contains a "cn=accounts" component. The same :dn: extensible match is useful when you want to search several "OU=IT" containers that each sit under a different parent ou or cn.

Sources: How to write LDAP search filters [Atlassian Support]; How To Search LDAP using ldapsearch (With Examples) [devconnected]; Ldapwiki: ExtensibleMatch
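The :dn: flag in an extensible match tells the server to test the attribute/value pair against the RDN components of each entry's DN rather than against the entry's attributes. As an added example, not part of the original post, here is a client-side equivalent over a constructed list of DNs, including the "several OU=IT under different parents" case from the paragraph above. The DN splitter honours backslash escapes (RFC 4514), so a comma inside a CN does not break a component; the DNs are made up and the uid check mirrors the post's (&(uid=bgstack15)(cn:dn:=accounts)) filter using the uid RDN of the constructed data.

```python
"""Client-side model of an (attr:dn:=value) extensible match over DN components.
Added example; the DNs below are constructed."""

# Constructed DNs: an IPA user and group under cn=accounts, the same uid in the
# compat tree, and two entries in different OU=IT containers.
SAMPLE_DNS = [
    "uid=bgstack15,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
    "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com",
    "uid=bgstack15,cn=users,cn=compat,dc=ipa,dc=example,dc=com",
    "CN=Doe\\, John,OU=IT,OU=Sales,DC=example,DC=com",
    "CN=svc_backup,OU=IT,OU=Engineering,DC=example,DC=com",
]


def split_dn(dn):
    """Split a DN into (attribute, value) RDN components, lower-casing the attribute
    type. A backslash escapes the next character, so 'CN=Doe\\, John' stays one RDN.
    Multi-valued RDNs joined with '+' are not split here (kept simple on purpose)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_matches(dn, attr, value):
    """Equivalent of (attr:dn:=value): true when any RDN of the DN has that attribute
    type and value. Values are compared case-insensitively, as cn/ou normally are."""
    attr, value = attr.lower(), value.lower()
    return any(a == attr and v.lower() == value for a, v in split_dn(dn))


def matching_entries(dns, attr, value):
    """All DNs for which (attr:dn:=value) would be true."""
    return [dn for dn in dns if dn_matches(dn, attr, value)]


def find_user(dns, uid, container_cn):
    """The post's (&(uid=...)(cn:dn:=...)) filter, with uid taken from the uid RDN
    of the constructed DNs for simplicity (in a directory it is an entry attribute)."""
    return [
        dn for dn in dns
        if dn_matches(dn, "cn", container_cn)
        and any(a == "uid" and v == uid for a, v in split_dn(dn))
    ]


if __name__ == "__main__":
    print(matching_entries(SAMPLE_DNS, "cn", "accounts"))
    print(matching_entries(SAMPLE_DNS, "ou", "IT"))
    print(find_user(SAMPLE_DNS, "bgstack15", "accounts"))
```

Run stand-alone it prints the two cn=accounts entries, the two entries under an OU=IT (whatever their parent OU), and the single bgstack15 entry that sits under cn=accounts rather than cn=compat.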
