| 1 |
Pandu Poluan <pandu@××××××.info> 2011-06-29 09:00: |
| 2 |
> -original message- |
| 3 |
> Subject: Re: [gentoo-server] Extract usernames from Active Directory |
| 4 |
> From: mRyOuNg <mryoung@×××××××××.net> |
| 5 |
> Date: 2011-06-29 04:44 |
| 6 |
> |
| 7 |
>> What about an easy ldap request selecting only samaccountname? |
| 8 |
> |
| 9 |
> Yup, that's the plan. How do I do that? |
| 10 |
|
| 11 |
ldapsearch -h your-ad-dc.your.domain -b |
| 12 |
|
| 13 |
Something like this: |
| 14 |
# ldapsearch -Z -W -x -H ldap://your-ad-dc.your.domain -b ou=Users,dc=your,dc=domain -D cn=$USER,ou=Users,dc=your,dc=domain cn=$USER samaccountname |
| 15 |
|
| 16 |
pipe through some grep | sed to get just the user names. |
| 17 |
|
| 18 |
The catch is that by default AD won't allow anonymous binds, so you need |
| 19 |
to authenticate to the server to perform the ldapsearch (-D, -W). To do |
| 20 |
that you usually need to use a secure connection (-Z). Obviously for |
| 21 |
automated things you should use a service account. -b tells your search |
| 22 |
where to start looking. cn=$USER is what to look for (called the search |
| 23 |
filter). samaccountname is what to return (just a list of attribute |
| 24 |
names, or nothing to return them all). |
| 25 |
|
| 26 |
I don't recall what it's called exactly atm as I try not to touch |
| 27 |
Windows anymore, but if you dig through mmc on a server machine you |
| 28 |
should be able to find something called adsiedit, or some such, that |
| 29 |
will allow you to browse the actual ldap schema and tree. That'll help |
| 30 |
inform you what the parameters for each of the above settings should |
| 31 |
actually be in your case. |
| 32 |
|
| 33 |
This is just a simple example. You can get really fancy with ldap |
| 34 |
search filters or hooking all your stuff up to it through pam for local |
| 35 |
auth. I'd suggest you use a recent windows server version for that as |
| 36 |
the schema bits necessary to serve unix details seem to be a little bit |
| 37 |
more sane these days. |
| 38 |
|
| 39 |
Hope that helps, |
| 40 |
Brian |
Archives