Articles‎ > ‎

Searching Active Directory with ldapsearch

posted Dec 19, 2008, 3:53 PM by Philip Rinehart   [ updated Dec 19, 2008, 3:53 PM by Greg Neagle ]
Written by Philip Rinehart   
Friday, 30 March 2007
ldapsearch is one of the standard tools included with OpenLDAP to query LDAP directories.  Because Active Directory is ldap compliant, it can be queried as well!

First, a command.  Fear not, it will be broken down into it's components

ldapsearch -Hldap://dc.domain.com -tt -x -D "
 activedirectoryuser@dc.domain.com" -b "dc=domain,dc=com" -W -L "cn=computerobject"
Now to break it down:
  • -H
    This is the fully qualified name of a domain controller, with the ldap:// URL preceding it. Note that it is not using SSL
  • -tt
    This option is not exposed in the manual page. It will write all values to a temporary directory. On OS X, it writes to /private/var/tmp
  • -x
    Simple authentication.  It is not using SSL or any form of encryption to communicate the username and password
  • -D
    The account which should be used to bind.  Because this query is being directed against Active Directory, the short form can be used of activedirectoryuser@dc.domain.com.
  • -b
    The base search path.  Usually, the base search path is the top level domain being queried, i.e. dc=domain,dc=com, if your Active Directory domain is domain.com
  • -W
    This prompts for the password, so that it does not need to be entered with the command.
  • -L
    Responses are printed in LDIFv1 format.

The last item in the command is the item that is being queried for.  In this case, a computer object is being queried. 
So what is returned? 
Issuing the above command, against my Active Directory returns the following files in

/private/var/tmp
 ldapsearch-accountExpires-PDPCpl
ldapsearch-cn-46Yy3S
ldapsearch-codePage-ODKjW3
ldapsearch-countryCode-hih3me
ldapsearch-dNSHostName-952oIo
ldapsearch-distinguishedName-H7sYOp
ldapsearch-instanceType-cglAZL
ldapsearch-isCriticalSystemObject-VbMFWd
ldapsearch-lastLogon-Dq6zaa
ldapsearch-lastLogonTimestamp-ae8MaO
ldapsearch-localPolicyFlags-Etb2OE
ldapsearch-logonCount-04FyCO
ldapsearch-name-9SQxbO
ldapsearch-networkAddress-ldqR6a
ldapsearch-networkAddress-oQ4ybW
ldapsearch-networkAddress-zLYJHf
ldapsearch-objectCategory-qWm44E
ldapsearch-objectClass-JiCl60
ldapsearch-objectClass-frKCYn
ldapsearch-objectClass-gaiiFJ
ldapsearch-objectClass-mEPcTr
ldapsearch-objectClass-rF3oOf
ldapsearch-objectGUID-tXMowR
ldapsearch-objectSid-pm7I0Z
ldapsearch-operatingSystem-123h2m
ldapsearch-operatingSystemVersion-qyJc4a
ldapsearch-primaryGroupID-xymqVC
ldapsearch-pwdLastSet-yYSlNg
ldapsearch-sAMAccountName-8b1n3H
ldapsearch-sAMAccountType-0Hyv7C
ldapsearch-uSNChanged-FARrn6
ldapsearch-uSNCreated-PVdEuR
ldapsearch-userAccountControl-aDicoQ
ldapsearch-whenChanged-gf6vJh
ldapsearch-whenCreated-xj8Jv7

Any of the files can be parsed, returning useful information about the object in question.   
What if querying AD using plaintext isn't what you would like? There are other options! 

-Q

This option can be added, and it will use SASL quiet mode.  Usually, when using this option, it is best to get a kerberos ticket from Active Directory with kinit.  Here's the general workflow: 
kinit 
 activedirectoryusername@domain.com

ldapsearch -Hldap://domaincontroller.domain.com -b "dc=domain,dc=com" -Q -L cn=computerobjectname 

A couple of notes about this command.  Note the -Q option, so no password is required.  This command will also return the results of the query back at the command line, without storing the information. 
One last command, typically, when joining a machine to Active Directory, retrieving the correct OU path used when joining any machine is the most difficult part of joining a machine.  Here's  a one liner that will extract the complete OU path of any computer object in AD:

 

ldapsearch -Hldap://domaincontroller.comain.com -b "dc=domain,dc=com" -Q -LLL cn=computerobjectname dn | sed 's/dn: //; N; s/\n //' 

This command when sent through sed, returns a nicely formatted piece of text, including the computerobjectname.

Comments