Search Active Directory with Ldapsearch
It is fairly common to have Linux or UNIX machines on a network with a Microsoft Active Directory (AD) domain. There may be times when you want or need to search Active Directory with ldapsearch.
Quick Example
Using TLS
ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(sAMAccountName=user)"
Without TLS
ldapsearch -H ldap://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(sAMAccountName=user)"
If you want or need a more in depth guide, keep reading.
Configure ldap.conf
If you are OK with an unencrypted connection, skip to the next section. Wherever possible, obtain the certificate authority (CA) certificate used to sign the AD server certificate; ask your AD administrator to provide it in PEM format. If that isn't possible, and you are reasonably sure your network connection isn't compromised, you can use openssl to retrieve the certificate chain from the server itself. The following example demonstrates how to do this.
tyler@desktop:~$ openssl s_client -connect ldap.tylersguides.com:636 -showcerts < /dev/null
Copy and paste the certificate text from the bottom certificate into a file. I use /pki/cacerts.pem. The certificate text will look something like this:
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
pu/xO28QOG8=
-----END CERTIFICATE-----
Open ldap.conf with a text editor. Here is where to find it on various operating systems:
| OS | Path |
|---|---|
| CentOS | /etc/openldap/ldap.conf |
| Debian | /etc/ldap/ldap.conf |
| OpenSUSE | /etc/openldap/ldap.conf |
Add the line

TLS_CACERT /pki/cacerts.pem

to your file. Replace /pki/cacerts.pem with the location of the AD CA certificate if you decided to put it somewhere else. Add the line

TLS_REQCERT demand

to your file as well. This makes the client refuse to continue when the server certificate does not validate against that CA, so in the event your network is compromised an attacker cannot steal your credentials with a man-in-the-middle attack.
Search Active Directory with Ldapsearch
Use the following example, replacing the placeholder values (server, bind user, base, filter and attributes), to perform the search. If you opted not to use an encrypted connection, use ldap:// instead of ldaps://.
ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(filter)" "attr1" "attr2"
| Option | Explanation |
|---|---|
| -H | The URI of the directory server you are querying. |
| -x | Use simple authentication instead of SASL. |
| -W | Prompt for your password. |
| -D | The DN of the user you are authenticating with. When querying AD, this will be your AD user name @ your domain (as in user@example.com above). |
| -b | Where in the directory to start your search. If you know what OU the entries you are searching for are in, you can add it to your base. For example, if you know you want to look in an OU called stuff, your base will look like this: "ou=stuff,dc=example,dc=com". If you don't know what OU it is in, it is OK to just use your domain, e.g. "dc=tylersguides,dc=com". |
| filter | The LDAP search filter used to find entries. The simplest filter looks for an attribute with a particular value. For example, if you are looking for an AD user with the user name bob, you would use the filter "(sAMAccountName=bob)". If you want to find everyone that is a member of the group cn=storage,ou=groups,dc=example,dc=com, you would use "(memberOf=cn=storage,ou=groups,dc=example,dc=com)". |
| attr | The attributes you wish to display. Separate each attribute with a space. Some common ones are mail and memberOf. |
If you are interested, I wrote a guide on LDAP search filters.
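As an added example (not from the original guide), here is how to build the filters from the table above when the user name or group DN comes from untrusted input, escaping assertion values per RFC 4515 so a supplied value cannot change the filter's structure, plus the argument vector for the guide's ldapsearch command; the names used are constructed.

```python
"""Build the AD search filters used with ldapsearch above from untrusted input.
Added example, not from the original guide: assertion values are escaped per
RFC 4515 so a supplied name cannot alter the filter's structure."""

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe embedding in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Filter for a user by login name, e.g. (sAMAccountName=bob)."""
    return f"(sAMAccountName={escape_filter_value(sam_account_name)})"


def group_member_filter(group_dn: str) -> str:
    """Filter for direct members of a group, matched via the memberOf attribute."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def user_in_group_filter(sam_account_name: str, group_dn: str) -> str:
    """AND the two filters: matches only if that user is a member of that group."""
    return f"(&{user_filter(sam_account_name)}{group_member_filter(group_dn)})"


def ldapsearch_argv(host: str, bind_upn: str, base_dn: str,
                    search_filter: str, *attrs: str) -> list:
    """Argument vector for the ldapsearch invocation shown in the guide
    (ldaps://, simple bind, password prompt). Hand it to subprocess.run."""
    return ["ldapsearch", "-H", f"ldaps://{host}", "-x", "-W", "-D", bind_upn,
            "-b", base_dn, search_filter, *attrs]
```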
How to use Active Directory to authenticate linux users
There is no reason for you to use any external software on most distributions.
For Debian/Ubuntu you can do it with libnss-ldap and libpam-krb5. There are a few tricks to get it 100%. This assumes you have "unixHomeDirectory" populated for Linux users, your Linux boxes are using NTP common with your Windows systems (required by Kerberos) and that you are OK with plain text NSS lookups (not password but group membership info etc - you can also use TLS but that's more complicated to set up). You should NOT have pam_ldap as a password or auth source in PAM unless you are set up to use TLS.
# LDAP Configuration for libnss-ldap and libpam-ldap.

# Permit host to continue boot process without contacting LDAP server
bind_policy soft

# Define LDAP servers to use for queries, these must be Global Catalog servers
uri ldap://ldap.site.company.local

# Define root search location for queries
base dc=company,dc=local
#debug 1

# LDAP version, almost always going to be v3, it is quite mature
ldap_version 3

# Username used to proxy authentication. You can have this in a separate file owned by root for security OR use TLS/SSL (see man page)
# Do NOT use LDAP for authentication if you are using plain text binds, use Kerberos instead (and LDAP for authorization only). See libpam-krb5.
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local

# Password for proxy acct
bindpw SooperSekeretPazzwerd

# TCP port to perform queries on, 3268 is a Global Catalog port which will reply for all users in *.company.local
port 3268

# Search range scope (sub = all)
scope sub

# Tell the client to close TCP connections after 30 seconds, Windows will do this on the server side anyways, this will prevent errors from showing up in the logs.
idle_timelimit 30

# Expect queries for group membership to return DN for group members instead of usernames (lets you use MSAD group membership seamlessly)
nss_schema rfc2307bis

# Filters - User accounts must have a UID >= 2000 to be recognized in this configuration and must have a unixHomeDirectory defined.
# (nss_ldap names the passwd map nss_base_passwd; computer objects are excluded.)
nss_base_group dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*)
nss_base_passwd dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
nss_base_shadow dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)

# Object Class mappings. You may want to have the posixAccount map to "mail" and have users log in with their email addresses, i.e. "nss_map_objectclass posixAccount mail".
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

# Attribute mappings.
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet

# Attribute in LDAP to query to match the username used by PAM for authentication
pam_login_attribute sAMAccountName

# Filter for objects which are allowed to login via PAM
pam_filter objectclass=User
You should not need to edit /etc/krb5.conf, assuming your Linux boxes are using DNS servers that know about AD (_msdcs zones with the appropriate SRV records are resolvable).
/etc/nsswitch.conf should have "files ldap" for users, groups, shadow.
# sssd.conf
[domain/AD]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://ldap.company.local:3268/
ldap_search_base = dc=company,dc=com
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
enumerate = true
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = SITE.COMPANY.COM
case_sensitive = false

[sssd]
services = nss, pam
config_file_version = 2
domains = AD

[nss]
filter_users = root,named,avahi,nscd
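An added example, not part of the original post, that lints ldap.conf-style and sssd.conf text for the transport weaknesses raised in this post and in the ldap.conf guide earlier on the page (cleartext ldap:// without StartTLS, disabled certificate checks, bind passwords kept in the file, LDAP simple binds used for user authentication); the SAMPLE_* strings are constructed excerpts modelled on the configs shown.

```python
"""Lint nss_ldap-style ldap.conf and sssd.conf text for the transport weaknesses
discussed on this page. Added example; SAMPLE_* are constructed excerpts."""
import re

# Constructed excerpt in the nss_ldap / libpam-ldap "key value" style.
SAMPLE_NSS_LDAP = """\
uri ldap://ldap.site.company.local
bindpw SooperSekeretPazzwerd
"""
# Constructed excerpt in the sssd.conf "key = value" style.
SAMPLE_SSSD = """\
[domain/AD]
auth_provider = krb5
ldap_uri = ldap://ldap.company.local:3268/
ldap_default_authtok = SooperSekeretPazzwerd
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
"""

def parse_config(text: str) -> dict:
    """Lower-cased key -> value for 'key value', 'KEY value' and 'key = value'
    lines; comments, blank lines and [section] headers are skipped, last wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def lint(settings: dict) -> list:
    """Return findings as 'CODE: detail' strings; an empty list means clean."""
    findings = []
    uri = (settings.get("uri") or settings.get("ldap_uri") or "").lower()
    starttls = settings.get("ldap_id_use_start_tls", "").lower() == "true"
    cleartext = uri.startswith("ldap://") and not starttls   # ldaps:// passes
    if cleartext:
        findings.append("CLEARTEXT: ldap:// without StartTLS; use ldaps:// or enable StartTLS")
    if cleartext and settings.get("auth_provider", "").lower() == "ldap":
        findings.append("LDAP_AUTH_CLEARTEXT: user passwords would cross the wire unencrypted; use krb5")
    reqcert = (settings.get("ldap_tls_reqcert") or settings.get("tls_reqcert") or "").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"NO_CERT_CHECK: reqcert={reqcert} accepts any server certificate; set demand")
    for key in ("bindpw", "ldap_default_authtok"):
        if key in settings:
            findings.append(f"PASSWORD_IN_FILE: {key} is a cleartext bind password; keep the file root-only")
    return findings
```

Run `lint(parse_config(open("/etc/sssd/sssd.conf").read()))` against a real file to get the same findings for a deployed configuration.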