Active Directory tricks

Although most LDAP servers follow a similar pattern for access via the command line (i.e. ldapsearch) or setup through a desktop browser, Active Directory tends to be a little different and can sometimes refuse to authenticate.

There is a trick to authenticating to AD with ldapsearch. Most directory servers expect the -D bind identity to be a full distinguished name (cn=...,ou=...,dc=...), but Active Directory also accepts the account's userPrincipalName (USERNAME@yourcompany.com) or the DOMAIN\USERNAME form, so you can use your domain account as a shorthand:


ldapsearch -W -x -h ldap.yourcompany.com -b 'ou=Users,dc=yourcompany,dc=com' -D 'USERNAME@yourcompany.com'

The -x selects a simple bind and -W prompts for the password; prefer -W over -w password, which leaves the password visible in your shell history and in the process list. A simple bind sends the password in the clear, so point the command at the LDAPS port (-H 'ldaps://ldap.yourcompany.com') or request StartTLS with -ZZ unless you are on a network you trust. AD also does not permit anonymous searches of the tree by default, so leaving -D out and expecting results is another common reason for "refuses to authenticate".

The LDAP protocol and utilities

(This article is under development)
(Keywords: LDAP, ldapsearch, ldapadd, ldapmodify, error handling, query, SQL, boolean search, X500, directory server)

LDAP has a reputation for being confusing. One reason is that the word is used to mean a few different things. Much like "Java" names both a language (the Java programming language) and an environment (the Java runtime, J2EE), so "LDAP" is sometimes used for the protocol and query syntax that the name stands for (Lightweight Directory Access Protocol), and sometimes for the infrastructure that naturally goes along with it (directory servers, enterprise directory, identity management).

Strictly speaking, LDAP is a protocol specification with its own filter syntax, and in practice it stands to a directory much as SQL stands to a database: it is how you ask the store a question. An example will highlight what we mean:

SQL:

select title, description from employee_table where employee_number like '123%';

LDAP (the attribute name is illustrative; note that the attributes to return are space-separated, not comma-separated):

ldapsearch -x -h localhost -b 'dc=yourcompany,dc=com' '(employeeNumber=123*)' title description

More complex queries can be made with boolean AND, OR and NOT, though LDAP is far more restricted than SQL, primarily because hierarchical directories have no concept of a join. LDAP search is really a filtering concept: a filter is a set of (attribute=value) tests combined with operators, and the result is the set of entries under the base DN that pass. One confusing aspect of the filter syntax is that it uses prefix (Polish) notation: the operator comes first, then its operands, all inside one extra pair of brackets. So to find employees with 123 in their employee number who also have a title of manager you write "(&(employeeNumber=*123*)(title=manager))"; OR is written "(|...)" and NOT "(!...)", for example "(|(title=manager)(!(mail=*)))". A bare "=*" is a presence test (the attribute has any value) and "*" inside a value is a wildcard. Both are metacharacters, as are the brackets themselves, so any value taken from user input must be escaped before it is spliced into a filter.
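The prefix notation and the escaping rule above, as an added example that is not code from the original page: a small parser and evaluator for the filter forms the article mentions (AND, OR, NOT, equality with wildcards, presence), run against a constructed three-entry directory. The entries, attribute names and DNs are made up for illustration; real code should let a library (e.g. python-ldap) do this, but seeing the grammar spelled out makes clear why the "operator last" form is rejected and why an unescaped "*" from a login form matches everyone.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter value.
# Without this, user input such as "*" or ")(cn=*" changes the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*")   # attribute description / OID


def escape_filter_value(value: str) -> str:
    """Escape untrusted text before splicing it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_filter(text: str):
    """Parse a filter into nested tuples:
    ('&', [nodes]), ('|', [nodes]), ('!', node) or ('=', attr, pattern)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[pos]
    if op in "&|":                      # operator first, then one or more operands
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise ValueError(f"empty {op} list at offset {pos}")
        node = (op, children)
    elif op == "!":                     # NOT takes exactly one operand
        child, pos = _parse(text, pos + 1)
        node = ("!", child)
    else:                               # simple item: attr=pattern
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, pattern = text[pos:end].partition("=")
        if not sep or not _ATTR_RE.fullmatch(attr):
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        node = ("=", attr.lower(), pattern)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _pattern_to_regex(pattern: str):
    # Unescaped '*' are wildcards; the literal chunks between them are unescaped
    # then regex-quoted.  Case-insensitive, as most string attributes are in
    # practice (the real rule depends on the attribute's schema matching rule).
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(node, attrs: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":                  # presence filter: attribute has any value
        return bool(values)
    rx = _pattern_to_regex(pattern)
    return any(rx.match(v) for v in values)


def search(entries, filter_text: str) -> list:
    """Return the DNs of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(node, attrs)]


# Constructed sample directory: (dn, {lower-cased attribute: [values]}).
SAMPLE_ENTRIES = [
    ("uid=alice,ou=Users,dc=yourcompany,dc=com",
     {"uid": ["alice"], "employeenumber": ["12345"], "title": ["Manager"],
      "mail": ["alice@yourcompany.com"]}),
    ("uid=bob,ou=Users,dc=yourcompany,dc=com",
     {"uid": ["bob"], "employeenumber": ["12399"], "title": ["Engineer"]}),
    ("uid=carol,ou=Users,dc=yourcompany,dc=com",
     {"uid": ["carol"], "employeenumber": ["99123"], "title": ["Manager"]}),
]

if __name__ == "__main__":
    print(search(SAMPLE_ENTRIES, "(&(employeeNumber=*123*)(title=manager))"))
    user_input = "*"                    # what an attacker types into a login form
    print(search(SAMPLE_ENTRIES, f"(uid={user_input})"))                        # everyone
    print(search(SAMPLE_ENTRIES, f"(uid={escape_filter_value(user_input)})"))  # nobody
```

The escaped form turns the asterisk into the literal three bytes "\2a", which the evaluator (like a real server) treats as a plain character, so the filter matches no one instead of everyone.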

Also like SQL, LDAP has operations for creating and modifying entries. Where SQL uses CREATE, INSERT and UPDATE statements, LDAP uses a text format called LDIF (LDAP Data Interchange Format) to describe a new entry or a list of changes to an existing one, and the companion utilities ldapadd and ldapmodify read that LDIF and send the corresponding add or modify requests to the server. The filter language is only the search half of the protocol; the write half is LDIF plus these tools.
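What that LDIF actually looks like, as an added example rather than anything from the original page: two small generators, one producing an ldapadd record and one an ldapmodify record, with the one rule that trips people up (values that are not plain ASCII, or that start with a space, colon or "<", must be base64-encoded and written after "::"). The DNs and attribute values are constructed sample data.

```python
import base64


def _is_safe_string(value: str) -> bool:
    """RFC 2849: a value may follow a single ':' only if it is ASCII with no
    NUL/CR/LF and does not start with space, ':' or '<'.  This check is a little
    stricter (printable ASCII only), which is always allowed, since any value may
    be base64-encoded instead."""
    if value and value[0] in " :<":
        return False
    return all(" " <= ch <= "~" for ch in value)


def ldif_attr(attr: str, value: str) -> str:
    """One 'attr: value' line, base64-encoded with '::' when the value needs it."""
    if _is_safe_string(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def ldif_add(dn: str, attrs: dict) -> str:
    """LDIF record for ldapadd: the DN followed by every attribute value."""
    lines = [ldif_attr("dn", dn)]
    for attr, values in attrs.items():
        lines.extend(ldif_attr(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def ldif_modify(dn: str, changes: list) -> str:
    """LDIF record for ldapmodify.  changes is a list of (op, attr, values) with
    op in {'add', 'replace', 'delete'}; each change is terminated by a '-' line."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify op {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_attr(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample data, not a real directory.
NEW_ENTRY = ldif_add("uid=zoe,ou=Users,dc=yourcompany,dc=com", {
    "objectClass": ["inetOrgPerson"],
    "uid": ["zoe"],
    "cn": ["Zoë Example"],                      # non-ASCII, so base64-encoded
    "sn": ["Example"],
    "description": [" starts with a space"],    # also needs base64
})

PROMOTION = ldif_modify("uid=alice,ou=Users,dc=yourcompany,dc=com", [
    ("replace", "title", ["Senior Manager"]),
    ("add", "mail", ["alice@yourcompany.com"]),
    ("delete", "description", []),     # delete with no values removes the whole attribute
])

if __name__ == "__main__":
    print(NEW_ENTRY)    # save and apply with: ldapadd -x -W -H ldaps://ldap.yourcompany.com -D <binddn> -f new.ldif
    print(PROMOTION)    # save and apply with: ldapmodify -x -W -H ldaps://ldap.yourcompany.com -D <binddn> -f promote.ldif
```

The "-" separator between changes matters: ldapmodify treats everything up to it as one modification, so forgetting it silently merges two changes into one and usually produces an "Invalid syntax" or "Undefined attribute type" error that points at the wrong line.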

And like SQL, LDAP implementations vary significantly from vendor to vendor, and although you may have an LDAP tool installed on your system, its usage can be very different depending on which variant it is. In fact, you may find that you have several different LDAP utilities installed on a given machine. On Linux there may be the default OpenLDAP implementation as well as a Netscape and perhaps a Novell one, each with its own command-line options.

Using "locate ldapsearch", "find / -name ldapsearch -print 2>/dev/null" or even "which -a ldapsearch" you should discover how many implementations you have locally. A good rule of thumb when stuck trying to access a remote LDAP directory server is to try the different local utility versions (and check which one comes first in your PATH), as sometimes one will work where another fails, usually because they expect different options.


Common problems using LDAP

1. Remote server is not accessible

Try pinging the host to see if you have a network connection to it. If not, you will need to get access first. Bear in mind that many firewalls drop ICMP while still letting the LDAP ports through, so a failed ping is not conclusive; a plain TCP connection attempt to the port you intend to use (for example "nc -zv ldap.yourcompany.com 636") is the better test.

2. LDAP server operates on a different port

LDAP defaults to port 389 for standard access and port 636 for SSL/TLS access (LDAPS). However, the server administrator may change the ports. Some administrators refuse to allow non-SSL access and therefore block port 389, or allow it only with StartTLS (ldapsearch -Z, or -ZZ to insist that the upgrade succeeds). In that case, try port 636, remembering that a TLS port needs a TLS client: with the OpenLDAP tools that means -H 'ldaps://hostname:636', not -h hostname -p 636, which would talk plain LDAP to a TLS listener and fail.

3. LDAP server requires you to specify a base container (the search base) with -b 'dc=yourcompany,dc=com' or a narrower OU beneath it; without one, most servers either refuse the search or return nothing.

4. Forgetting -x ("simple authentication") when using a password. Without -x the OpenLDAP tools attempt a SASL bind instead, which fails on servers with no SASL mechanism configured and produces an unrelated-looking error about mechanisms rather than about your password.

5. Confusing -h and -H

ldapsearch -h hostname -p port

versus the URL-like

ldapsearch -H 'ldap://hostname:port'

Putting -H hostname will get an error, as will -h 'ldap://hostname'. Only the -H form can select LDAPS ('ldaps://hostname:636'), and recent OpenLDAP releases have deprecated or removed -h and -p in favour of -H, so the URL form is the one to learn.



Note that LDAP error messages are often confusing and sometimes downright misleading. "Can't contact LDAP server" frequently does not mean what it says: it is what you see when the TCP connection was made but something after it failed, most often the TLS/SSL handshake (plain LDAP sent to a TLS port, a server certificate your client does not trust, or StartTLS refused). Two quick ways to tell: rerun with "-d 1" to see the TLS negotiation in the debug output, and retry with the environment variable LDAPTLS_REQCERT=never set. If the second works, the server is fine and your client simply lacks the CA certificate; fix that rather than leaving LDAPTLS_REQCERT=never in place, because it disables certificate verification entirely.
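The distinction this paragraph draws (reachable but failing the handshake, versus not reachable at all) is easy to check independently of the LDAP tools. The probe below is an added example, not code from the original page: it does the TCP connect and the TLS handshake as two separate steps, and retries the handshake with certificate verification off (the equivalent of LDAPTLS_REQCERT=never) to separate "not a TLS listener" from "TLS listener with an untrusted certificate". The included localhost listener is a constructed test fixture that deliberately speaks no TLS; hostnames and ports are whatever you pass in.

```python
import socket
import ssl
import threading


def probe_ldap_port(host: str, port: int, use_tls: bool = True,
                    verify: bool = True, timeout: float = 3.0) -> str:
    """Return 'unreachable', 'tcp_only', 'tls_failed' or 'tls_ok'.

    The TCP connect and the TLS handshake are separate steps so that "nothing
    is listening" and "something is listening but it is not the TLS I expect"
    come back as different answers."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # refused, filtered or no route (problems 1 and 2)
    if not use_tls:
        sock.close()
        return "tcp_only"               # the port answers; anything further is an LDAP-level error
    ctx = ssl.create_default_context()
    if not verify:                      # like LDAPTLS_REQCERT=never: handshake, skip cert checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except (ssl.SSLError, OSError):
        return "tls_failed"             # reached the server, but the handshake or certificate failed
    finally:
        sock.close()


def diagnose_ldaps(host: str, port: int = 636) -> str:
    """Classify an LDAPS endpoint.  A handshake that only succeeds with
    verification off means the server is fine and the local CA bundle is the problem."""
    result = probe_ldap_port(host, port, use_tls=True, verify=True)
    if result == "tls_failed" and probe_ldap_port(host, port, use_tls=True, verify=False) == "tls_ok":
        return "cert_untrusted"
    return result


def _plaintext_listener(connections: int) -> int:
    """Constructed test fixture: a localhost socket that accepts the given number
    of clients, answers each with a non-TLS banner and hangs up.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            conn.settimeout(2)
            try:
                conn.recv(4096)                      # swallow the ClientHello, if any
                conn.sendall(b"this is not a TLS server\r\n")
            except OSError:
                pass
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Run the probe against two local scenarios and return the classifications."""
    port = _plaintext_listener(connections=3)
    results = {
        "plain_port": probe_ldap_port("127.0.0.1", port, use_tls=False),   # one connection
        "tls_on_plain_port": diagnose_ldaps("127.0.0.1", port),             # two connections
    }
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens there any more
    results["closed_port"] = diagnose_ldaps("127.0.0.1", closed_port)
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real server, "tls_failed" with verify on and "tls_ok" with verify off is the certificate case described above; "tls_failed" both ways usually means you are talking to port 389 with ldaps:// or to a port that is not LDAP at all.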