vi7 / ldapsearch_examples.md
To access AD data from Linux, install the ldapsearch utility, which on CentOS is part of the openldap-clients package:
yum -y install openldap-clients
To query AD/LDAP data you need a bind account with read permissions. That can be your own account (ldapsearch will prompt for your AD password after you issue this command):
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  filter [attrs.]
or another bind account, for example the one used in the sssd.conf of your Linux servers. Note that -w puts the password on the command line, where it ends up in shell history and is visible in process listings; -W prompts for it instead:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=sssd_linux,OU=Users,DC=example,DC=org' -w p4ssw0rd \
  filter [attrs.]
See the sections below for more specific examples.
The LDAP query below lists all AD objects with objectClass=user, which typically means all AD users. The output is limited to the name attribute only:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(objectClass=user)" name
Listing all the AD groups:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(objectClass=group)" name
Getting a specific user's record from the AD
Say we need the AD record for the user John Doe, whose domain username is john.doe:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
  -D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
  "(sAMAccountName=john.doe)"
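The lookup above takes the username straight into the filter and, in the sssd_linux variant, the password straight onto the command line. The script below is an added example (not part of the gist) showing the same sAMAccountName query with both points handled: the value is escaped per RFC 4515 before it is placed in the filter, and the bind password is read from a file with -y. The LDAP URL, base DN, bind DN and the password file path are placeholders.

```sh
#!/bin/sh
# Added example (not part of the gist): look up one AD user with ldapsearch while
# (a) reading the bind password from a file instead of passing it with -w, and
# (b) escaping the username before it goes into the search filter.

# Escape a value for use inside an LDAP search filter (RFC 4515). The characters
# \ * ( ) become \5c \2a \28 \29, so a value such as "j*(doe)" is matched as that
# literal string rather than being read as wildcard or grouping syntax. (A NUL
# byte would also need escaping, but a shell string cannot carry one.)
ldap_filter_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for a single sAMAccountName, the attribute the gist queries.
sam_account_filter() {
  printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# Run the query. -y makes ldapsearch use the complete contents of the file as the
# password, so write the file without a trailing newline and keep it readable by
# the caller only; unlike -w, the secret then never appears in shell history or
# in `ps` output. All five arguments are caller-supplied placeholders.
lookup_ad_user() {
  user=$1 url=$2 base=$3 binddn=$4 passfile=$5
  ldapsearch -LLL -H "$url" -b "$base" \
    -D "$binddn" -y "$passfile" \
    "$(sam_account_filter "$user")" name sAMAccountName memberOf
}

# Create the password file once (placeholder secret), e.g.:
#   umask 077; printf '%s' 'REPLACE_ME' > "$HOME/.ad-bind.pass"
# Then run the lookup (needs a reachable directory, so it is commented out here):
# lookup_ad_user 'john.doe' ldap://ldap.example.org 'DC=example,DC=org' \
#   'CN=sssd_linux,OU=Users,DC=example,DC=org' "$HOME/.ad-bind.pass"

# Offline demonstration of the escaping:
sam_account_filter 'john.doe'; echo
sam_account_filter 'john*(doe)'; echo
```

Use ldaps:// or add -ZZ (StartTLS, required) so the simple bind does not cross the network in cleartext; the gist's plain ldap:// URL is kept in the placeholder only to match the commands above.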
How to get Linux users list from LDAP
We’ve just linked one of our Linux hosts to LDAP and Active Directory. Now I’m trying to check how I get a list of users and their details from the Linux side.
You can achieve that by either typing in
or performing an LDAP search, such as
(assuming that the bind DN and credentials are set in the ldap.conf file or you have read access to AD in other ways).
If you want to check if your Linux sees the POSIX entries from a LDAP server, use
The output should display entries both from the local /etc/passwd and from the LDAP server. If you are wondering how to get to the point where there’s something to check, this may prove to be a good starting point.
Use the ldapsearch command line tool to query the directory server for information. For more information, see «LDAP: Mastering ldapsearch».
Depending on how your Linux host is set up, wbinfo -u may work for you.
wbinfo - Query information from winbind daemon
-u|--domain-users
This option will list all users available in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains will also be listed. Note that this operation does not assign user ids to any users that have not already been seen by winbindd(8) .
antonio@debian:~$ wbinfo -u
administrator
antonio
guest
support_388945a0
krbtgt
antonio@debian:~$
List LDAP users on linux client?
I have configured an LDAP client on my Linux machine. I am able to use su - myldapuser and use it. I just want to know, can I list all my LDAP users on this machine? Referring to this link: How to get Linux users list from LDAP, I tried the "getent passwd" command, but it didn’t list the users. So my question is, should this command list the users on the client machine also, or will this only work on the LDAP server?
That’s a pretty uncommon abbreviation 🙂 Did you set up /etc/nsswitch.conf correctly (users: files ldap)? And what distro are you using?
I referred to this link: suresh-chandra.blogspot.in/2013/08/… and there were no changes required in /etc/nsswitch.conf, according to the link.
You should be able to list the LDAP users using getent passwd. However, in order for the system libraries to use LDAP you need to set up /etc/nsswitch.conf and the nscd and nslcd daemons. This was discussed in chat, and the following config worked for the questioner:
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://ldap.dg.com
base dc=dg,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
(Make sure your LDAP server supports anonymous binds, otherwise you’ll need to configure nslcd to use bind credentials.)
passwd: files ldap
shadow: files ldap
group: files ldap
After a restart of the nscd and nslcd services he was able to use getent passwd to list the LDAP users.
Get all Ldap User list on client with (getent passwd) command
I’m not sure I understand your question correctly, but I assume you want to let the system know the users stored in LDAP.
To achieve this you have to tell the nsswitch system how to collect user info. Edit the /etc/nsswitch.conf file from
passwd: compat
group: compat
shadow: compat
to
passwd: compat ldap
group: compat ldap
shadow: compat ldap
This way you tell the system to search first in the local database (i.e. the group, passwd and shadow files) and then in LDAP. Of course you need a properly working LDAP environment, otherwise the system can’t find the LDAP data. You need the nss_ldap package to get the LDAP feature for nss. If you didn’t do that already, you have to configure the LDAP system in /etc/ldap.conf or /etc/ldap/ldap.conf and/or /etc/openldap/ldap.conf according to your LDAP environment. For example:
BASE dc=somesite,dc=com
URI ldap://my.ldap.server.somesite.com
TIMELIMIT 10
You may prefer your centos tool system-config-authentication (Information / Enable LDAP Support) to do this.
After that you should be able to access the user ids by issuing getent passwd.
Alternatively you may want to use sssd to act as a middleman to contact ldap as documented here: https://wiki.contribs.org/Client_Authentication:Centos_via_sssd/ldap
- If you are using some name switch caching software (like sssd or nslcd) you must update that config (if needed) and restart the service.
- At a crowded site, constantly querying LDAP can be overkill. You can mitigate the problem using the aforementioned caching software (nslcd).
- getting passwd/group info from LDAP and authentication are completely different species. If you want to authenticate against ldap you must change the PAM setting. That’s a different story.
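The two answers above and the note further down about sss versus ldap all come down to what /etc/nsswitch.conf lists as sources for passwd, shadow and group, and whether a directory user then resolves through getent. The script below is an added example, not code from any of the answers: it parses an nsswitch.conf file (a constructed sample, so it never touches the real one), reports the configured sources, and offers a getent-based end-to-end check that accepts either ldap (nslcd) or sss (sssd) as the directory source.

```sh
#!/bin/sh
# Added example (not from the thread): check which NSS databases are backed by a
# directory source (ldap via nslcd, or sss via sssd) and whether a user actually
# resolves through that chain.

# Print the sources configured for one database in an nsswitch.conf file, with
# comments stripped and whitespace squeezed, e.g. "files ldap". Empty output
# means the database is not listed at all.
nss_sources() {
  db=$1 conf=$2
  sed -n -e 's/#.*//' -e "s/^[[:space:]]*$db[[:space:]]*:[[:space:]]*//p" "$conf" \
    | head -n 1 | tr -s ' \t' ' ' | sed 's/[[:space:]]*$//'
}

# Succeed (exit 0) when the database consults a directory source at all.
nss_uses_directory() {
  case " $(nss_sources "$1" "$2") " in
    *" ldap "*|*" sss "*) return 0 ;;
    *) return 1 ;;
  esac
}

# One line per database of interest; "-" means the database is not listed
# (glibc then applies its built-in default for that database).
nss_report() {
  conf=$1
  for db in passwd shadow group; do
    src=$(nss_sources "$db" "$conf")
    printf '%-7s %s\n' "$db:" "${src:--}"
  done
}

# End-to-end check: getent walks the same NSS chain as login does, so a directory
# user that resolves here will also resolve for su/ssh. Authentication is still a
# separate PAM matter, as the answer notes.
user_resolves() {
  getent passwd "$1" >/dev/null 2>&1
}

# Constructed sample in the same shape as the config in the thread, written to a
# temporary file so the script runs without reading the real /etc/nsswitch.conf.
SAMPLE_FILE="${TMPDIR:-/tmp}/nsswitch.sample.$$"
cat >"$SAMPLE_FILE" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

nss_report "$SAMPLE_FILE"
if nss_uses_directory passwd "$SAMPLE_FILE"; then
  echo "passwd lookups reach a directory source; verify with: getent passwd <directory-user>"
fi
```

To check a live host, pass /etc/nsswitch.conf to nss_report and a known directory account to user_resolves; if the sources are right but the user does not resolve, the problem is on the nslcd or sssd side (service not running, wrong base or URI, or a bind the server refuses), not in nsswitch.conf.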
How can I get the list of ldap users without being sudo? [duplicate]
I have non-sudo ssh access to a server of which I want to know the list of users, I think the server is using ldap because:
-bash-4.2$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
-bash-4.2$ cd /etc/sssd/
-bash: cd: /etc/sssd/: No such file or directory
Please note that neither /etc/passwd, ls -lsa /var nor getent passwd is giving the list I want (they don’t even include my own username). So, does anyone have any idea how I can get the list of usernames and ids of this server?
-bash-4.2$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.11 (wheezy)
Release:        7.11
Codename:       wheezy
@StéphaneChazelas it certainly does help a lot and gives a much better result than what I had already tried, but it still doesn’t include my own name, though it includes some names from users that were probably created 18 years ago in the system :)) I didn’t actually know this system was from that long ago :)) Would you be so kind as to explain to me what that command does? What does getent passwd 5 do, for example? I mean, I know the seq thing ;)
I vote to reopen; on my SUSE 12.1, getent passwd lists entries from /etc/passwd, not Active Directory, which can be listed by wbinfo -u.
@Archemar maybe your system is using ids larger than 65535 for example my system was using 88113657 for my id
Most probably the ldap configuration doesn’t allow enumeration.
If you know the range of user ids, you could try and get a user list by querying every possible user id:
Here assuming a shell with support for the form of brace expansion (zsh, bash, ksh93, tcsh, yash -o braceexpand).
Note that on Linux, uids are no longer limited to 16 bits, and some Microsoft AD or samba based directory servers at least often use values greater than 65535. Querying would be out of the question though.
Your network admins are probably not going to like that, as it means doing a lot of LDAP queries to the directory server.
Note that since the primary key in the passwd database is the user name, not the id, there may be more than one id for each user name, and getent passwd returns only one entry, so you may be missing some users.
If users are generally in at least one group beside their primary group, one way to get a list of users could be to query a list of groups with the same methods and look at their members:
getent group | cut -d: -f4 | tr , '\n' | sort -u
Here sss is not used. You’d have sss instead of ldap in the nsswitch.conf.
That would be libnss-ldap (or possibly libnss-ldapd; check with dpkg -l | grep ldap) handling queries for ldap. Configuration is possibly in /etc/libnss-ldap.conf or /etc/ldap.conf or /etc/ldap/ldap.conf.
If you can read those, then you’d find out the server name and details of where the users are in the directory tree, and you may be able to use ldapsearch to get the relevant information (provided you’re granted access).