vi7 / ldapsearch_examples.md
To access AD data from Linux, install the ldapsearch utility, which is part of the openldap-clients package on CentOS:

```sh
yum -y install openldap-clients
```
To query AD/LDAP data you need an appropriate bind account with read permissions. That can be your own account (ldapsearch will prompt for your AD password after you issue this command):

```sh
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  filter [attrs ...]
```
or another bind account (for example the one used in the sssd.conf of your Linux servers; note that -w puts the password on the command line, where it is visible in the process list and shell history, so prefer -W or -y for interactive use):

```sh
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=sssd_linux,OU=Users,DC=example,DC=org' -w p4ssw0rd \
  filter [attrs ...]
```
See the sections below for more specific examples.
The LDAP query below lists all AD objects with objectClass=user, which typically means all AD users. The output is also limited to the name attribute only:

```sh
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(objectClass=user)" name
```
Listing all the AD groups
```sh
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(objectClass=group)" name
```
Getting the specific user information from the AD
Say we need the AD record for the user John Doe, whose domain username is john.doe:

```sh
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(sAMAccountName=john.doe)"
```
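As an added example (not part of these notes), here is a small Python parser for the LDIF that the queries above print, followed by a split of the (objectClass=user) hits into people and machine accounts. The LDIF sample and its Jane Doe / SRV01 entries are constructed placeholders for the example.org tree.

```python
import base64
# Constructed sample of what `ldapsearch -LLL ... "(objectClass=user)" name sAMAccountName
# objectClass` could print for the example.org tree above; both entries are invented.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=org
objectClass: user
name:: SmFuZSBEb8Or
sAMAccountName: jane.doe
description: Contractor account, folded by ldapsearch
  onto a second line

dn: CN=SRV01,OU=Computers,DC=example,DC=org
objectClass: user
objectClass: computer
name: SRV01
sAMAccountName: SRV01$
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; handles folded lines, base64 and multi-valued attributes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # a leading space continues the previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" is how non-ASCII values arrive
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

def user_accounts(entries):
    """Split (objectClass=user) hits into people and machines: in AD, computer is a subclass
    of user, so that filter also returns computer accounts (sAMAccountName ending in $)."""
    people, machines = {}, {}
    for e in entries:
        classes = e.get("objectClass", [])
        if "user" in classes:
            bucket = machines if "computer" in classes else people
            bucket[e["sAMAccountName"][0]] = e["name"][0]
    return people, machines
```

Pipe real output in with `ldapsearch -LLL ... | python3 -c 'import sys, ldif; ...'` or read it from a file; the `$`-suffixed machine accounts are what you want to exclude when the goal is a list of human users.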
How to get Linux users list from LDAP
We've just linked one of our Linux hosts to LDAP and Active Directory. Now I'm trying to check how to get a list of users and their details from the Linux side.
You can achieve that by either typing in
or performing an LDAP search, such as
(assuming that the bind DN and credentials are set in the ldap.conf file or you have read access to AD in other ways).
If you want to check whether your Linux host sees the POSIX entries from an LDAP server, use
The output should display entries both from the local /etc/passwd and from the LDAP server. If you are wondering how to get to the point where there's something to check, this may prove to be a good starting point.
Use the ldapsearch command line tool to query the directory server for information. For more information, see «LDAP: Mastering ldapsearch».
Depending on how your Linux host is set up, wbinfo -u may work for you.
wbinfo — Query information from winbind daemon

-u|--domain-users
This option will list all users available in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains will also be listed. Note that this operation does not assign user ids to any users that have not already been seen by winbindd(8).
```
antonio@debian:~$ wbinfo -u
administrator
antonio
guest
support_388945a0
krbtgt
antonio@debian:~$
```
How can I get the list of ldap users without being sudo? [duplicate]
I have non-sudo ssh access to a server of which I want to know the list of users, I think the server is using ldap because:
```
-bash-4.2$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

```
-bash-4.2$ cd /etc/sssd/
-bash: cd: /etc/sssd/: No such file or directory
```
Please note that neither /etc/passwd, ls -lsa /var nor getent passwd gives the list I want (they don't even include my own username). So, does anyone have any idea how I can get the list of usernames and ids on this server?
```
-bash-4.2$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.11 (wheezy)
Release:        7.11
Codename:       wheezy
```
@StéphaneChazelas it certainly does help a lot and gives a much better result than what I had already tried, but it still doesn't include my own name, and it includes some names from users that were probably created 18 years ago on the system :)) I didn't actually know this system was from that long ago :)) Would you be so kind as to explain to me what that command does? What does getent passwd 5 do, for example? I mean, I know the seq thing ;)
I vote to reopen; on my suse 12.1 getent passwd will list entries from /etc/passwd, not Active Directory, which can be listed by wbinfo -u
@Archemar maybe your system is using ids larger than 65535; for example, my system was using 88113657 for my id.
Most probably the ldap configuration doesn’t allow enumeration.
If you know the range of user ids, you could try and get a user list by querying every possible user id:
Here assuming a shell with support for the form of brace expansion (zsh, bash, ksh93, tcsh, yash -o braceexpand).
Note that on Linux, uids are no longer limited to 16 bits, and some Microsoft AD or samba based directory servers at least often use values greater than 65535. Querying would be out of the question though.
Your network admins are probably not going to like that, as it means doing a lot of LDAP queries to the directory server.
Note that since the primary key in the passwd database is the user name, not the id, there may be more than one id for each user name, and getent passwd returns only one entry, so you may be missing some users.
If users are generally in at least one group beside their primary group, one way to get a list of users could be to query a list of groups with the same methods and look at their members:
```sh
getent group | cut -d: -f4 | tr , '\n' | sort -u
```
Here sss is not used. You’d have sss instead of ldap in the nsswitch.conf .
That would be libnss-ldap (or possibly libnss-ldapd, check with dpkg -l | grep ldap) handling queries for ldap. Configuration is possibly in /etc/libnss-ldap.conf or /etc/ldap.conf or /etc/ldap/ldap.conf.
If you can read those, then you’d find out the server name and details of where the users are in the directory tree, and you may be able to use ldapsearch to get the relevant information (provided you’re granted access).
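As an added example, not from the answer above: the two approaches it describes (probing uids one by one, and harvesting group member lists) written against the NSS calls that getent wraps, so a defender can measure what an unprivileged account still learns on a host whose directory refuses enumeration. The uid ranges in the main block are constructed; the 88113657 id comes from the comments.

```python
import grp
import pwd

def users_by_uid_probe(uid_ranges):
    """Resolve every uid in the given ranges through NSS (what `getent passwd <uid>` does).

    Returns {name: uid}. Each uid yields at most one entry, and a name that maps to
    several uids is kept under the first uid seen, which is the "you may be missing
    some users" caveat from the answer. Explicit ranges let you probe a known block
    above 65535 instead of walking all 2^32 values.
    """
    found = {}
    for uid_range in uid_ranges:
        for uid in uid_range:
            try:
                entry = pwd.getpwuid(uid)
            except KeyError:            # no passwd entry for this uid in any NSS source
                continue
            found.setdefault(entry.pw_name, entry.pw_uid)
    return found

def users_by_group_membership():
    """Union of all group member lists (the getent group | cut -d: -f4 pipeline above)."""
    members = set()
    for group in grp.getgrall():        # same sources as `getent group`
        members.update(group.gr_mem)
    return members

def audit(uid_ranges):
    """Merge both views and show which names each method on its own would have missed."""
    by_uid = set(users_by_uid_probe(uid_ranges))
    by_group = users_by_group_membership()
    return {
        "all": by_uid | by_group,
        "only_via_uid": by_uid - by_group,
        "only_via_group": by_group - by_uid,
    }

if __name__ == "__main__":
    # Constructed ranges: the classic 16-bit space plus one samba-style block around
    # the 88113657 id from the comments. Against an LDAP backend every probe is a
    # directory query, which is the load the answer warns your admins will notice.
    report = audit([range(0, 65536), range(88_100_000, 88_120_000)])
    print(len(report["all"]), "names;", sorted(report["only_via_group"])[:10],
          "seen only through group membership")
```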
Using ldapsearch to list users on Active Directory
If you are using ldaps instead of ldap and you get the following message:

```
ldap_initialize( ldaps://172.18.0.64:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

(where 172.18.0.64 is your server), re-run the ldapsearch command but add the parameter -d 1. Adding "-d 1" will output debugging info. If you get something like this:
```
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8181:Peer's Certificate has expired..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8162:The certificate issuer's certificate has expired. Check your system date and time..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8162:The certificate issuer's certificate has expired. Check your system date and time..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not correct because it is a CA cert and the BasicConstraint CA flag is set to FALSE - allowing for now, but please fix your certs if possible
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 22 - moznss error -8172
TLS: can't connect: TLS
```
it doesn't like your certificate. To quickly work around it, edit /etc/openldap/ldap.conf (for example with vim) and add the following lines:

```
HOST 172.18.0.64
PORT 636
TLS_REQCERT ALLOW
```

(replace 172.18.0.64 with your server's IP or FQDN host name)

and that should get it going! Keep in mind that TLS_REQCERT allow tells the client to carry on even when the server certificate cannot be verified, so your bind password is sent to a server whose identity has not been checked; use it only to get the query working, and fix the certificate afterwards (here the Samba autogenerated certificate has expired and needs replacing).