Using ldapsearch to Query Active Directory Objects


The ldapsearch utility is one of the essential tools for an administrator of an LDAP (Lightweight Directory Access Protocol) server. It lets you retrieve any data stored in the LDAP directory that the bind account is permitted to read. Currently the most common LDAP implementations are OpenLDAP and Microsoft Active Directory.

Today the ldapsearch utility is mainly used on Linux systems. The Ldapsearch.exe utility was available in Windows 2000, but in Windows Server 2003 it was superseded by the dsquery tool. However, you can still use ldapsearch on Windows: all you need to do is download and install the OpenLDAP client for Windows (by default ldapsearch is located in the C:\OpenLDAP\bin directory).

The general syntax of the ldapsearch tool is:

ldapsearch [options] [filter] [attributes]

The most useful options are:

  • -n — show the operations that would be performed without running them;
  • -v — verbose mode with detailed output;
  • -A — display attribute names only, without values;
  • -L (-LL, -LLL) — output format (-L: LDIFv1; -LL: also suppress comments; -LLL: also suppress the LDIF version line);
  • -x — use simple authentication instead of SASL;
  • -D — the user name (bind DN or UPN) used to connect to the server;
  • -w [password] — pass the password on the command line (-W prompts for it instead, which keeps it out of the shell history and process list);
  • -h — LDAP server address;
  • -p — LDAP server port;
  • -H — LDAP server URI (ldap://host or ldaps://host), the modern replacement for -h and -p;
  • -b — base DN at which the search starts;
  • -s [base|one|sub] — search scope;
  • -l — time limit (in seconds) for the search;
  • -z — size limit on the number of entries returned;
  • -Z — request StartTLS (-ZZ makes the request mandatory).

Let’s try using the ldapsearch utility on Debian Linux to test connectivity to an Active Directory domain controller (the target LDAP server).

AD domain settings:

  • AD domain name — theitbros.com;
  • FQDN name of the domain controller — dc1.theitbros.com;
  • The AD user account used to bind to LDAP: TestLDAPConnUsr, with the password P@ssw0r6.

First of all, make sure that the OpenLDAP client is installed on your system:

dpkg -l | grep ldap

We will look for the account ADUser1 in the container with the DN “OU=Users,OU=London,OU=UK,DC=theitbros,DC=com”.

An LDAP server typically accepts incoming connections on port 389 over TCP (UDP 389 is used only for connectionless LDAP). LDAP over SSL/TLS (LDAPS) uses TCP port 636.

To check the LDAP connection (TCP port 389), run the command:

ldapsearch -v -x -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" \
  -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" -H "ldap://dc1.theitbros.com" "(sAMAccountName=ADUser1)"

In this case, the credentials used for the simple bind are transferred over the network in clear text, which is not secure.

Instead, you can connect over the protected LDAPS protocol (LDAP over SSL/TLS, TCP port 636), which requires the client to trust the certificate presented by the domain controller. To do this, create a file containing the root certificate(s) of your domain CA in Base64-encoded PEM format (for example /etc/ssl/certs/itbroscert.pam) and point the OpenLDAP client configuration file (/etc/ldap/ldap.conf or /etc/openldap/ldap.conf) at it:

#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/itbroscert.pam

Now execute the LDAPS query:

ldapsearch -v -x -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" \
  -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" -H "ldaps://dc1.theitbros.com" "(sAMAccountName=ADUser1)"

If you entered an incorrect username or password to connect to LDAP, the utility will return:

ldap_bind: Invalid credentials (49) 
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

You can list all objects in a specific LDAP container (OU):

ldapsearch -xLLL -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" -H "ldaps://dc1.theitbros.com" -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com"

To search by username (in Active Directory the logon name is stored in the sAMAccountName attribute; -W prompts for the password instead of placing it on the command line):

ldapsearch -W -x -D "TestLDAPConnUsr@theitbros.com" -H "ldaps://dc1.theitbros.com" -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" "(sAMAccountName=user1)"

To list the mail-enabled accounts (those with an SMTP proxy address) that are not disabled, combine a proxyAddresses filter with the bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl, negated so that entries whose ACCOUNTDISABLE bit (value 2) is set are excluded:

ldapsearch -x -D "TestLDAPConnUsr@theitbros.com" -b "DC=theitbros,DC=com" -H "ldaps://dc1.theitbros.com" -W '(&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
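The two filter ideas used above, the sAMAccountName lookup and the userAccountControl bit test, reproduced locally in Python as an added example that is not part of the original article: it parses a constructed sample of ldapsearch -LLL output (including a folded and a base64 "::" value) and applies the same "has an SMTP address and is not disabled" test, and it escapes a user-supplied name per RFC 4515 before placing it in a filter. The sample entries, the helper names and the escaping function are assumptions of this example, not taken from the page.

```python
import base64

# Constructed sample of ldapsearch -LLL output (not real data); 514 = 512 | ACCOUNTDISABLE.
SAMPLE_LDIF = """\
dn: CN=ADUser1,OU=Users,OU=London,OU=UK,DC=theitbros,DC=com
sAMAccountName: ADUser1
userAccountControl: 512
proxyAddresses: SMTP:aduser1@theitbros.com
description:: RW5hYmxlZCB1c2Vy

dn: CN=ADUser2,OU=Users,OU=London,OU=UK,DC=theitbros,DC=com
sAMAccountName: ADUser2
userAccountControl: 514
proxyAddresses: SMTP:aduser2@theitbros.com
"""
ACCOUNTDISABLE = 0x2  # bit tested by the :1.2.840.113556.1.4.803:=2 (bitwise AND) rule

def ldap_filter_escape(value):
    """RFC 4515 escaping, so a supplied value cannot add its own filter clauses."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def user_filter(sam_account_name):
    """Build the (sAMAccountName=...) filter used on this page, with the value escaped."""
    return f"(sAMAccountName={ldap_filter_escape(sam_account_name)})"

def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, then split entries
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>" form (binary/non-ASCII)
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def enabled_mail_users(text):
    """Local equivalent of the page's filter: SMTP address present, ACCOUNTDISABLE bit clear."""
    names = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", ["0"])[0])
        has_smtp = any(v.lower().startswith("smtp") for v in entry.get("proxyAddresses", []))
        if has_smtp and not uac & ACCOUNTDISABLE:
            names.append(entry["sAMAccountName"][0])
    return names
```

Running enabled_mail_users(SAMPLE_LDIF) returns only ADUser1, because ADUser2 has bit 2 set in userAccountControl (514), exactly the entry the negated bitwise-AND clause drops on the server side.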
