It is fairly common to have Linux or UNIX machines on a network with a Microsoft Active Directory (AD) domain.
There may be times when you want or need to search Active Directory with ldapsearch.
Quick Example
Using TLS
Without TLS
Configure ldap.conf
If you are ok with an unencrypted connection, skip to the next section. If possible, obtain the certificate
authority (CA) certificate used to sign the AD server certificate; ask your AD administrator to provide it to you in
PEM format. If this isn't possible and you are reasonably sure your network connection isn't compromised, you
can use openssl to retrieve the server certificate from the server. The following example demonstrates how to do
this.
Copy and paste the certificate text from the bottom certificate into a file. I use /pki/cacerts.pem. The certificate
text will look something like this:
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
pu/xO28QOG8=
-----END CERTIFICATE-----
Open ldap.conf with a text editor. Here is where to find it on various operating systems:
OS        PATH
CentOS    /etc/openldap/ldap.conf
Debian    /etc/ldap/ldap.conf
OpenSUSE  /etc/openldap/ldap.conf
Add the line
TLS_CACERT /pki/cacerts.pem
to your file. Replace /pki/cacerts.pem with the location of the AD CA cert if you decided to put it
somewhere else. Add the line
TLS_REQCERT demand
to your file as well. With this setting the client refuses the connection whenever the server certificate cannot be
validated against the CA certificate, so if your network is compromised an attacker cannot impersonate the AD
server and steal your credentials with a man-in-the-middle attack.
Search Active Directory with Ldapsearch
Use the following example, replacing the highlighted values, to perform the search. If you opted not to use an
encrypted connection, use ldap:// instead of ldaps://.
OPTION  EXPLANATION
-D      The DN of the user you are authenticating with. When querying AD, this will be your AD user name @ your
        domain.
-b      Where in the directory to start your search. If you know what OU the entries you are searching for are in,
        you can add it to your base. For example, if you know you want to look in an OU called stuff, your base
        will look like this: "ou=stuff,dc=example,dc=com". If you don't know what OU it is in, it is ok to just
        use your domain, e.g. "dc=tylersguides,dc=com".
filter  The LDAP search filter used to find entries. The simplest filter looks for an attribute with a particular
        value. For example, if you are looking for an AD user with the user name bob, you would use the filter
        "(sAMAccountName=bob)". If you want to find everyone that is a member of the group
        cn=storage,ou=groups,dc=example,dc=com, you would use
        "(memberOf=cn=storage,ou=groups,dc=example,dc=com)".
attr    The attributes you wish to display. Each attribute should be separated with a space. Some common ones are
        mail and memberOf.
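As an added example (not code from this guide), the Python helper below builds the two filters and the ldapsearch command line described in the table, escaping filter values per RFC 4515 so that a user name taken from an untrusted source cannot change the meaning of the query, and checks an ldap.conf for the TLS_CACERT and TLS_REQCERT settings from the previous section. The host, user and DN values are constructed placeholders; the -x, -LLL, -H, -D, -W and -b flags are OpenLDAP ldapsearch options.

```python
"""Build safe ldapsearch invocations against Active Directory (added example)."""

# RFC 4515: these characters must be hex-escaped inside a filter value; otherwise a
# value such as "*)(objectClass=*" would rewrite the filter instead of matching a name.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:  # non-ASCII is written as escaped UTF-8 bytes
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(sam_account_name: str) -> str:
    """Filter matching a single AD user by logon name, e.g. (sAMAccountName=bob)."""
    return f"(sAMAccountName={escape_filter_value(sam_account_name)})"


def group_members_filter(group_dn: str) -> str:
    """Filter matching every direct member of the group with the given DN."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def ldapsearch_argv(host, bind_upn, base_dn, search_filter, attrs, use_tls=True):
    """argv for ldapsearch: simple bind (-x) as the UPN in -D, password prompted by -W."""
    scheme = "ldaps" if use_tls else "ldap"  # ldap:// only if you accepted no encryption
    return ["ldapsearch", "-x", "-LLL", "-H", f"{scheme}://{host}",
            "-D", bind_upn, "-W", "-b", base_dn, search_filter, *attrs]


def ldap_conf_enforces_tls(conf_text: str) -> bool:
    """True when ldap.conf sets TLS_CACERT and TLS_REQCERT demand, as the guide requires."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return bool(settings.get("TLS_CACERT")) and settings.get("TLS_REQCERT", "").lower() == "demand"


if __name__ == "__main__":  # constructed sample values, not a real domain
    print(ldapsearch_argv("dc1.example.com", "bob@example.com", "dc=example,dc=com",
                          user_filter("bob"), ["mail", "memberOf"]))
```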