Pandu Poluan <pandu@××××××.info> 2011-06-29 09:00:

> -original message-
> Subject: Re: [gentoo-server] Extract usernames from Active Directory
> From: mRyOuNg <mryoung@×××××××××.net>
> Date: 2011-06-29 04:44
>
>> What about an easy ldap request selecting only samaccountname?
>
> Yup, that's the plan. How do I do that?

ldapsearch -h your-ad-dc.your.domain -b

Something like this:
# ldapsearch -Z -W -x -H ldap://your-ad-dc.your.domain -b ou=Users,dc=your,dc=domain -D cn=$USER,ou=Users,dc=your,dc=domain cn=$USER samaccountname

pipe through some grep | sed to get just the user names.

The catch is that by default AD won't allow anonymous binds, so you need
to authenticate to the server to perform the ldapsearch (-D, -W). To do
that you usually need to use a secure connection (-Z). Obviously for
automated things you should use a service account. -b tells your search
where to start looking. cn=$USER is what to look for (called the search
filter). samaccountname is what to return (just a list of attribute
names, or nothing to return them all).

I don't recall what it's called exactly atm as I try not to touch
Windows anymore, but if you dig through mmc on a server machine you
should be able to find something called adsiedit, or some such, that
will allow you to browse the actual ldap schema and tree. That'll help
inform you what the parameters for each of the above settings should
actually be in your case.

This is just a simple example. You can get really fancy with ldap
search filters or hooking all your stuff up to it through pam for local
auth. I'd suggest you use a recent windows server version for that as
the schema bits necessary to serve unix details seem to be a little bit
more sane these days.

Hope that helps,
Brian
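Added example, not code from the original thread: the pipeline Brian sketches, carried through to a list of all user names rather than one user. The host name, base DN, service-account DN and password file path are placeholders; the search filter and the paged-results control go beyond the single-user search in the post; the LDIF fed to the parser is constructed here so the parsing half runs offline.

```sh
#!/bin/sh
# Added example (not from the original thread): list AD user names with
# ldapsearch and reduce the LDIF output to one sAMAccountName per line.
# Host, base DN, bind DN and password file are placeholders/assumptions.

# Search for enabled user accounts and ask only for sAMAccountName.
#  -x -D/-y  simple bind as a service account; password read from a file
#            (mode 0600) instead of prompted for with -W, for cron use
#  -Z        StartTLS, so the simple bind does not cross the wire in clear
#  -LLL      plain LDIF: no version line, no comments
#  -E pr=    paged results: AD serves at most 1000 entries per page by
#            default (MaxPageSize), so an unpaged search of a larger OU
#            stops with a size-limit error after the first 1000
# The filter drops computer accounts (objectCategory=person) and disabled
# accounts (userAccountControl bit 2, tested with the AD bitwise-AND
# matching rule 1.2.840.113556.1.4.803).
ad_search_users() {
    ldapsearch -x -Z -LLL \
        -H "ldap://${AD_DC:-your-ad-dc.your.domain}" \
        -D "${AD_BIND_DN:-cn=svc-ldap,ou=Service Accounts,dc=your,dc=domain}" \
        -y "${AD_PASS_FILE:-/etc/ldap.secret}" \
        -b "${AD_BASE:-ou=Users,dc=your,dc=domain}" \
        -E 'pr=1000/noprompt' \
        '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        sAMAccountName
}

# Reduce LDIF on stdin to the sAMAccountName values, one per line.
# Two LDIF rules (RFC 2849) that a bare "grep | cut" gets wrong:
#   * a line beginning with a space continues the previous line (folding);
#   * "attr:: value" carries a base64 value, used whenever the value is
#     not safe ASCII; a parser that ignores it drops the entry silently.
ldif_usernames() {
    awk '
        function emit(line,   b64, cmd, v) {
            if (tolower(line) ~ /^samaccountname:: /) {
                b64 = substr(line, index(line, ":: ") + 3)
                # only the base64 alphabet may reach the shell below; a
                # hostile server or MITM must not be able to inject a command
                if (b64 !~ /^[A-Za-z0-9+\/]+=*$/) return
                cmd = "printf %s " b64 " | base64 -d"
                cmd | getline v
                close(cmd)
                print v
            } else if (tolower(line) ~ /^samaccountname: /) {
                print substr(line, index(line, ": ") + 2)
            }
        }
        /^ /  { buf = buf substr($0, 2); next }     # unfold continuation
        { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
    '
}

# Constructed LDIF in the shape of ldapsearch -LLL output, for an offline
# run: one plain value, one folded unrelated attribute, one base64 value
# ("Ym9i" decodes to "bob").
SAMPLE_LDIF='dn: CN=Alice Example,OU=Users,DC=your,DC=domain
sAMAccountName: alice
memberOf: CN=A Group Name Long Enough To Be Folded By The Writer,OU=Groups,
 DC=your,DC=domain

dn: CN=Bob Example,OU=Users,DC=your,DC=domain
sAMAccountName:: Ym9i
'

sample_usernames() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_usernames
}

# Offline demonstration. Against a real domain: ad_search_users | ldif_usernames
sample_usernames
```

With -Z, libldap only authenticates the domain controller if TLS_CACERT in ldap.conf points at the CA that issued the DC's certificate and TLS_REQCERT is left at its default of demand; otherwise StartTLS encrypts the bind but does not tell you which server received the service account's password.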