- How can I list the Active Directory user attributes from a linux computer?
- 4 Answers 4
- The Royal Nick Humphrey IT Blog, Global Edition
- My Music (Nickleus)
- 20120103
- how to list openldap ldap user info in a terminal or graphical browser gui program on ubuntu linux
- How can I get the list of ldap users without being sudo? [duplicate]
- 1 Answer 1
- How to get Linux users list from LDAP
- 5 Answers 5
- List LDAP users on linux client?
- 1 Answer 1
How can I list the Active Directory user attributes from a linux computer?
How can I list the Active directory user attributes from a Linux computer? The Linux computer is already joined to the domain. I can use ‘getent’ to get the user and group information, but it does not display the complete active directory user attributes.
4 Answers 4
You can use ldapsearch to query an AD Server. For example, the following query will displya all attributes of all the users in the domain:
ldapsearch -x -h adserver.domain.int -D "user@domain.int" -W -b "cn=users,dc=domain,dc=int"
Command options explained:
- -x use simple authentication (as opposed to SASL)
- -h your AD server
- -D the DN to bind to the directory. In other words, the user you are authenticating with.
- -W Prompt for the password. The password should match what is in your directory for the the binddn (-D). Mutually exclusive from -w.
- -b The starting point for the search
A much simpler command is
For this command to work, your machine must have already joined the domain; you can verify that via
If the OS is integrated with Active directory, then simply running «id» command should be sufficient to list the AD groups assigned to the user.
The commands like id/gid will give results just the way they do when OS is not integrated with AD.
[oracle@wlsserver1~]$ id s_dhan uid=1356186729(s_dhan) gid=1356000513(domain users) groups=1356000513(domain users),1356162912(linux-skl-prod-login),1356177219(linux-tom-dv-login).
The Royal Nick Humphrey IT Blog, Global Edition
IT, computer and programming tutorials and tips that i couldnt find anywhere else using google, from my daily work as a Senior Developer of solutions using Java and Linux.
The best place to *find* answers to programming/development questions, imo, however it’s the *worst* place to *ask* questions (if your first question/comment doesn’t get any up-rating/response, then u can’t ask anymore questions—ridiculously unrealistic), but again, a great reference for *finding* answers.
My Music (Nickleus)
20120103
how to list openldap ldap user info in a terminal or graphical browser gui program on ubuntu linux
in order to get the userPassword value you need to bind the search to an authenticated user who has access to view that info, e.g. the admin/root user, e.g. here’s how you’d do it with a simple bind authentication (instead of e.g. SASL):
ldapsearch -xLLLWD cn=adminUserName,dc=mycompany,dc=com -b ou=People,dc=mycompany,dc=com -s sub uid=userId
to see that hashed value in clear text either use luma or run a command like this:
echo OHBjcWNLNGlQaVF5 | openssl base64 -d
when i ran that it looked like i got no (zero/empty) output, but in fact the next line looked like this:
what happened was the output of openssl didnt add a new line.
you can also use perl and you wont get the new line bug:
echo OHBjcWNLNGlQaVF5 | perl -MMIME::Base64 -ne ‘print decode_base64($_) . «\n»‘
much thanks to user blingme (Buchan Milne) on the freenode #openldap irc channel for the help with figuring out how to show the user password =)
settings > edit server list
add
new server name, e.g. my local ldap
doubleclick my local ldap in the server list
click network options
hostname: myldapserver
(or use the IP address)
click authentification
remove the checkmark from anonymous bind
bind as: cn=yourAdminUserName,dc=mycompany,dc=com
password: yourAdminUserPassword
save
ok
click browser
in luma you can see the userPassword in clear text. if anyone knows how to print the userPassword in a terminal, let me know 😉
UPDATE 20120731
apache directory studio seems like a better ldap browser: http://directory.apache.org/studio/
you can install it as a plugin in eclipse:
help > eclipse marketplace > search for apache directory studio > install
and it is really easy to show the user password in plain text:
find and select the user
right click on the userPassword field > edit value > check show current password details
How can I get the list of ldap users without being sudo? [duplicate]
I have non-sudo ssh access to a server of which I want to know the list of users, I think the server is using ldap because:
-bash-4.2$ cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files ldap group: files ldap shadow: files ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
-bash-4.2$ cd /etc/sssd/ -bash: cd: /etc/sssd/: No such file or directory
Please note neither of /etc/passwd , ls -lsa /var or getent passwd is giving the list I want (they don’t even include my own username) So, does anyone have any idea on how I can get the list of usernames and ids of this server?
-bash-4.2$ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 7.11 (wheezy) Release: 7.11 Codename: wheezy
@StéphaneChazelas it certainly does help a lot and gives a much better result than what I had already tried but it still doesn’t include my own name but it includes some names from the users that had been created probably 18 years ago in the system:))! I didn’t actually know this system is from that long ago:)) Would you be so kind to explain to me what that command does!? what does getent passwd 5 do for example? I mean know the seq thing;)
I vote to repoen, on my suse 12.1 getent passwd will list entry from /etc/passwd, not Active directory on which can be listed by wbinfo -u
@Archemar maybe your system is using ids larger than 65535 for example my system was using 88113657 for my id
1 Answer 1
Most probably the ldap configuration doesn’t allow enumeration.
If you know the range of user ids, you could try and get a user list by querying every possible user id:
Here assuming a shell with support for the form of brace expansion (zsh, bash, ksh93, tcsh, yash -o braceexpand).
Note that on Linux, uids are no longer limited to 16 bits, and some Microsoft AD or samba based directory servers at least often use values greater than 65535. Querying would be out of the question though.
Your network admins are probably not going to like that, as it means doing a lot of LDAP queries to the directory server.
Note that since the primary key in the passwd database is the user name, not id, there may be more than one id for each user name, an getent passwd returns only one entry, so you may be missing some users.
If users are generally in at least one group beside their primary group, one way to get a list of users could be to query a list of groups with the same methods and look at their members:
getent group | cut -d: -f4 | tr , '\n' | sort -u
Here sss is not used. You’d have sss instead of ldap in the nsswitch.conf .
That would be libnss-ldap (or possibly libnss-ldapd, check with dpkg -l | grep ldap ) handling queries for ldap . Configuration is possibly in /etc/libnss-ldap.conf or /etc/ldap.conf or /etc/ldap/ldap.conf .
If you can read those, then you’d find out the server name and details of where the users are in the directory tree, and you may be able to use ldapsearch to get the relevant information (provided you’re granted access).
How to get Linux users list from LDAP
We’ve just linked one of our Linux host to LDAP and ActiveDirectory. Now I’m trying to check how I get list of users and their details from within the Linux side.
5 Answers 5
You can achieve that by either typing in
or performing a LDAP search, such as
(assuming that the bind DN and credentials are set in the ldap.conf file or you have read access to AD in other ways).
If you want to check if your Linux sees the POSIX entries from a LDAP server, use
The output should display entries both from local /etc/passwd and LDAP server. If you are wondering how to get to the point, when there’s something to check, this may prove to be a good starting point.
Use the ldapsearch command line tool to query the directory server for information. For more information, see «LDAP: Mastering ldapsearch».
Depending on how your Linux host is set up, wbinfo -u may work for you.
wbinfo — Query information from winbind daemon
.
-u|—domain-users
This option will list all users available in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains will also be listed. Note that this operation does not assign user ids to any users that have not already been seen by winbindd(8) .
antonio@debian:~$ wbinfo -u administrator antonio guest support_388945a0 krbtgt antonio@debian:~$
List LDAP users on linux client?
I have configured an LDAP client on my Linux machine. I am able to use su — myldapuser and use it. I just want to know, can I list all my LDAP users on this machine? Referring to this link: How to get Linux users list from LDAP I tried the «getent passwd» command, but it didn’t list the users. So my question is, should this command list the users on client machine also, or will this only work on the LDAP server?
That’s a pretty uncommon abbreviation 🙂 Did you set up /etc/nsswitch.conf correctly ( users: files ldap )? And what distro are you using?
I referred this link: suresh-chandra.blogspot.in/2013/08/….. And there were no changes required in /etc/nsswitch.conf.. According to the link
1 Answer 1
You should be able to list the LDAP users using getent passwd . However, in order for the system libraries to use LDAP you need to set up /etc/nsswitch.conf and the nscd and nslcd daemons. This was discussed in chat, and the following config worked for the questioner:
uid nslcd gid ldap # This comment prevents repeated auto-migration of settings. uri ldap://ldap.dg.com base dc=dg,dc=com ssl start_tls tls_cacertdir /etc/openldap/cacerts
(Make sure your LDAP server supports anonymous binds, otherwise you’ll need to configure nslcd to use bind credentials)
passwd: files ldap shadow: files ldap group: files ldap
After a restart of the nscd and nslcd services he was able to use getent passwd to list the LDAP users