Pandu Poluan <pa...@poluan.info> 2011-06-29 09:00:

-original message-
Subject: Re: [gentoo-server] Extract usernames from Active Directory
From: mRyOuNg <mryo...@soundbomb.net>
Date: 2011-06-29 04:44

> What about an easy ldap request selecting only samaccountname?

Yup, that's the plan. How do I do that?
ldapsearch -h your-ad-dc.your.domain -b

Something like this:

# ldapsearch -Z -W -x -H ldap://your-ad-dc.your.domain -b ou=Users,dc=your,dc=domain -D cn=$USER,ou=Users,dc=your,dc=domain cn=$USER samaccountname

Pipe it through some grep | sed to get just the user names.

The catch is that by default AD won't allow anonymous binds, so you need to authenticate to the server to perform the ldapsearch (-D, -W). To do that you usually need to use a secure connection (-Z). Obviously for automated things you should use a service account.

-b tells your search where to start looking. cn=$USER is what to look for (called the search filter). samaccountname is what to return (just a list of attribute names, or nothing to return them all).

I don't recall what it's called exactly atm as I try not to touch Windows anymore, but if you dig through mmc on a server machine you should be able to find something called adsiedit, or some such, that will allow you to browse the actual ldap schema and tree. That'll help inform you what the parameters for each of the above settings should actually be in your case.
This is just a simple example. You can get really fancy with ldap search filters or hooking all your stuff up to it through pam for local auth. I'd suggest you use a recent windows server version for that as the schema bits necessary to serve unix details seem to be a little bit more sane these days.
Hope that helps, Brian
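Brian's command and "grep | sed" step, carried through as an added example that is not from the thread or its participants. It assumes OpenLDAP's ldapsearch, a read-only service account whose password sits in a file, and placeholder names (your-ad-dc.your.domain, dc=your,dc=domain, cn=ldap-reader, /etc/ldap-reader.pw) that are mine, not the thread's. It goes a little beyond the thread: it requires TLS instead of merely attempting it, uses AD's paged-results control so the search does not stop at the server's 1000-entry limit, and parses the LDIF output properly instead of grepping it, since a bare grep misses folded and base64-encoded values. Whether to exclude disabled accounts is an assumption too; drop that clause of the filter if you want every account.

```shell
#!/usr/bin/env bash
# Added example, not from the gentoo-server thread. Assumed: OpenLDAP's
# ldapsearch, a read-only service account, and placeholder host/DN names
# (your-ad-dc.your.domain, dc=your,dc=domain) that you replace with your own.

# The search itself. Differences from the simple command in the thread:
#  -ZZ   require StartTLS (plain -Z falls back to cleartext if TLS fails,
#        and -x simple bind sends the password as-is)
#  -y    read the service-account password from a file instead of -W prompting
#  -LLL  plain LDIF only: no version line, no comments, no search summary
#  -E pr AD caps a search at MaxPageSize (1000 by default) and returns
#        "Size limit exceeded" past it; paged results walk the whole set
#  filter: only person-class user objects (skips computer accounts) and, as
#        an assumption that you want live accounts only, not disabled ones,
#        via the LDAP_MATCHING_RULE_BIT_AND rule on userAccountControl
ad_user_search() {
    ldapsearch -x -ZZ -LLL \
        -H "ldap://${AD_DC:-your-ad-dc.your.domain}" \
        -D "${AD_BIND_DN:-cn=ldap-reader,ou=Service Accounts,dc=your,dc=domain}" \
        -y "${AD_PW_FILE:-/etc/ldap-reader.pw}" \
        -E pr=1000/noprompt \
        -b "${AD_BASE:-ou=Users,dc=your,dc=domain}" \
        '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        sAMAccountName
}

# Turn LDIF on stdin into one username per line.  A bare "grep | sed" misses
# three things LDIF is allowed to do: fold a long value onto a continuation
# line that starts with a single space, base64-encode a value that is not
# plain printable ASCII ("attr:: ..."), and vary the case of attribute names.
ldif_usernames() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append to previous
        /^#/  { next }                            # comments (summary, AD referrals)
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        attr=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$attr" = samaccountname ] || continue
        rest=${line#*:}
        case "$rest" in
            ": "*) printf '%s' "${rest#: }" | base64 -d; printf '\n' ;;  # base64 value
            " "*)  printf '%s\n' "${rest# }" ;;                            # plain value
        esac
    done
}

# Constructed sample of what ldapsearch -LLL prints, covering a folded value,
# a base64 value (a non-ASCII name, "zoë") and a referral comment line.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=Alice Example,OU=Users,DC=your,DC=domain
sAMAccountName: alice

dn: CN=Bob Longname,OU=Users,DC=your,DC=domain
sAMAccountName: bob.lon
 gname

dn: CN=Zoe Example,OU=Users,DC=your,DC=domain
sAMAccountName:: em/Dqw==

# refldap://ForestDnsZones.your.domain/DC=ForestDnsZones,DC=your,DC=domain
EOF
)

# Real use: ad_user_search | ldif_usernames > /etc/ad-users.txt
printf '%s\n' "$SAMPLE_LDIF" | ldif_usernames   # alice, bob.longname, zoë
```

Keep the password file at mode 0600 and owned by whatever account runs the job; with -x the bind password travels inside the TLS session and nowhere else, which is the whole reason for -ZZ rather than -Z. The -h form in the fragment above is the older spelling of -H and is deprecated in current OpenLDAP.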