Using ldapsearch to list users on Active Directory
List all users in all organizational units in the mydomain.org on the server dc1.mydomain.org using the username “user@mydomain.org” and the password “UserPassword”
ldapsearch -v -x -D "user@mydomain.org" -w UserPassword -b "DC=mydomain,DC=org" -H "ldap://dc1.mydomain.org" "(&(objectClass=user))"
List all disabled users in all organizational units in the mydomain.org on the server dc1.mydomain.org using the username “user@mydomain.org” and the password “UserPassword”
ldapsearch -v -x -D "user@mydomain.org" -w UserPassword -b "DC=mydomain,DC=org" -H "ldap://dc1.mydomain.org" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
List all groups in all organizational units in the mydomain.org on the server dc1.mydomain.org using the username “user@mydomain.org” and the password “UserPassword”
ldapsearch -v -x -D "user@mydomain.org" -w UserPassword -b "DC=mydomain,DC=org" -H "ldap://dc1.mydomain.org" "(&(!(objectClass=user))(!(objectClass=person))(!(objectClass=computer))(objectClass=group))"
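The disabled-user query works because the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) tests bit 2 (ACCOUNTDISABLE) of userAccountControl on the server. As an added example that is not part of the original page, the Python below builds that filter for any flag, parses the LDIF that ldapsearch prints (unfolding wrapped lines), and decodes the userAccountControl bits so you can see why an account matched; the sample LDIF is constructed, not captured from a real domain.

```python
# userAccountControl bit flags (values as documented by Microsoft)
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}

def bitwise_filter(flag):
    """Filter using the LDAP_MATCHING_RULE_BIT_AND OID, as above for flag 2."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={flag}))")

def parse_ldif(text):
    """Parse ldapsearch LDIF output into [{attribute: [values]}], unfolding
    continuation lines (leading space) and skipping '#' comment lines."""
    text = text.replace("\n ", "")            # unfold wrapped lines (LDIF folding)
    entries = []
    for block in text.strip().split("\n\n"):  # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr, []).append(value.lstrip(": "))
        if entry:
            entries.append(entry)
    return entries

def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if int(value) & bit]

def disabled_accounts(ldif_text):
    """sAMAccountNames with ACCOUNTDISABLE set: the bitwise filter, done client-side."""
    return [e["sAMAccountName"][0] for e in parse_ldif(ldif_text)
            if "sAMAccountName" in e
            and int(e.get("userAccountControl", ["0"])[0]) & 0x2]

SAMPLE_LDIF = """\
# constructed sample resembling ldapsearch output, not from a real domain
dn: CN=Alice Example,OU=Staff,DC=mydomain,DC=org
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=mydomain,DC=org
sAMAccountName: bob
userAccountControl: 514

dn: CN=svc-backup,OU=Service Accounts,DC=mydo
 main,DC=org
sAMAccountName: svc-backup
userAccountControl: 66050
"""
```

Pipe real ldapsearch output into parse_ldif to audit why each account is disabled (66050 above is NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE).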
Additional Notes:
If you are using ldaps instead of ldap and you get the following message:
ldap_initialize( ldaps://172.18.0.64:636/??base ) ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
(where 172.18.0.64 is your server) – re-run the ldapsearch command but add the parameter
-d 1
Adding “-d 1” will output debugging info. If you get something like this:
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8181:Peer's Certificate has expired..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8162:The certificate issuer's certificate has expired. Check your system date and time..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8162:The certificate issuer's certificate has expired. Check your system date and time..
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not correct because it is a CA cert and the BasicConstraint CA flag is set to FALSE - allowing for now, but please fix your certs if possible
TLS: certificate [CN=DC2.office.mydomain.org,OU=Samba - temporary autogenerated certificate,O=Samba Administration] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 22 - moznss error -8172
TLS: can't connect: TLS
The client doesn't trust your certificate. To quickly work around it, edit /etc/openldap/ldap.conf (with vim or any editor) and add the following lines:
HOST 172.18.0.64
PORT 636
TLS_REQCERT ALLOW
(replace 172.18.0.64 with your server IP or FQDN host name)
and that should get it going! Keep in mind that TLS_REQCERT ALLOW makes the client accept the server certificate without verifying it, so treat it as a troubleshooting workaround; the proper fix is a valid certificate from an issuer the client trusts (pointed to with TLS_CACERT in the same file).