LDAP search to query an ActiveDirectory server

ldapsearch -LLL -H ldap://activedirectory.example.com:389 -b 'dc=example,dc=com' -D 'DOMAIN\Joe.Bloggs' -w 'p@ssw0rd' '(sAMAccountName=joe.bloggs)'
These are the parameters to ldapsearch (from ldap-utils in Ubuntu), for searching for the record for Joe Blogg's user. sAMAccountName is the LDAP field that ActiveDirectory uses to store the user name. 'DOMAIN\Joe.Bloggs' where "DOMAIN" is the the active directory domain. Othewise you could use "CN=Joe.Bloggs,DC=example,DC=com" instead of "DOMAIN\Joe.Bloggs"
Sample Output
dn: CN=Joe.Bloggs,DC=example,DC=com

By: greppo
2009-06-11 13:07:11

What Others Think

I actually find that the following works better. I also like to run this command using ldaps instead of ldap. ldaps requires that you have a copy of your certificate authority's certificate in pem format wherever your OpenLDAP is configured to look for it. ldapsearch -LLL -H -x ldaps://activedirectory.example.com:389 -b 'dc=example,dc=com' -D 'DOMAIN\Joe.Bloggs' -w 'p@ssw0rd' '(sAMAccountName=joe.bloggs)' The -x specifies to use a simple bind, rather than SASL (which I can't get to work).
smm · 598 weeks and 6 days ago
sorry -- eliminate the port number or specify 636 as follows: ldapsearch -LLL -H -x ldaps://activedirectory.example.com -b 'dc=example,dc=com' -D 'DOMAIN\Joe.Bloggs' -w 'p@ssw0rd' '(sAMAccountName=joe.bloggs)'
smm · 598 weeks and 6 days ago
Proposed solution is insecure in several ways. Declaring password on the commandline with option -w is insecure, because any other user on the same linux machine can see the plaintext password in the list of running processes. Use interactive entering of the password where possible (for simple bind that would be -W option). For automation use kerberos ticket or password file (-y passwdfile). Using the simple bind "-x" is sending the plaintext password all the way to the server = potentionaly it can be captured on the way. Use preferably the kerberos (-Y GSSAPI) or at least the MD5 digest (-Y DIGEST-MD5). In order to make the SASL working you need to downgrade some security features which are not available in MS AD with option -Omaxssf=0 . Using LDAP protocol makes it possible for attackers to snoop on the traffic and get your password. Active Directory default policies would soon (if not already) force you(/ldap client) to STARTTLS even on the LDAP protocol ... so you probably need the SSL CA certificate anyway, so probably better to use LDAPS protocol straight away.
rebus · 57 weeks and 6 days ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: