LDAP and Microsoft's MAD

In order to test using OpenLDAP with Microsoft's Active Directory (since MS insist on using Microsoft in every product name acronym, I will too, hence MAD=Microsoft Active Directory), I built a test server with win2k3 in it's own subdomain, ads.mydomain.pri. The server is authoritative for this subdomain.

One of the first uses for this was developing a script to extract SIP: attributes from the DN: of all the users in my OU.

Configuring Pidgin to access Lync.

LDAP - playing with Microsoft AD (MAD)

DNS domain is.ad.company.com

Forest Domain is ad.company.com

Finding out LDAP servers from DNS

Lookup SRV record for _ldap._tcp.<dnsdomain>, find Global Catalogue with _gc._tcp.<forestdomain>

[user ]$ nslookup
> set type=SRV

> _ldap._tcp.is.ad.company.com
;; Truncated, retrying in TCP mode.

_ldap._tcp.is.ad.company.com        service = 0 100 389 amsisdc01.is.ad.company.com.
_ldap._tcp.is.ad.company.com        service = 0 100 389 manisdc01.is.ad.company.com.
_ldap._tcp.is.ad.company.com        service = 0 100 389 bhxisdc01.is.ad.company.com.

Find out Global Catalogue

[user]$ nslookup
> set type=SRV

> _gc._tcp.ad.company.com
;; Truncated, retrying in TCP mode.

Non-authoritative answer:
_gc._tcp.ad.company.com     service = 0 100 3268 amsp-dci01.is.ad.company.com.
_gc._tcp.ad.company.com     service = 0 100 3268 jnbisdc01.is.ad.company.com.

Authoritative answers can be found from:
amsp-dci01.is.ad.company.com        internet address =
jnbisdc01.is.ad.company.com internet address =

Search for User attributes

Windows lusers have ldp.exe as a search tool. You can use this to find your LDAP DistinguishedName (DN) from MAD, it seems that your samAccountName is your windows login name. Of course if your name is already sam…. This DN can then be used in ldapsearch below.

Using ldp to find DN from samAccountName

ldapsearch -x -LLL -E pr=200/noprompt -h testad.example.com -D "myuser@testdomain.example.com" -w 123456 // 
-b "cn=users,dc=testdomain,dc=example,dc=com" -s sub "(cn=*)" cn mail sn
ldapsearch -x -W -D  'cn=Manager,dc=int, dc=company, dc=com' -b "" -s base -h inet03

-x Simple Auth, not SASL
-W Prompt for simple Auth, not on command line
-w <password> on command line
-D Distinguished name to bind with
-b search Base
-s Scope of search, base, onelevel or subtree.
-h Host to search on
-H LDAP URI format for host, ldap://hostname.domain.com
-S attr, sort the results by attribute 'attr' (see below)
-L Search results are in LDIF v1 format, -LL disables comments, -LLL disables LDIF version printing.
-E - not sure...

This search string works:-

[user ~]$ ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=<yourDN>,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" //
-W -b CN=<yourDN>,OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub 

You can also use your login name with the AD domain name to do the bind with, this will work if you don't know your full LDAP DN:-

ldapsearch -x -h amsisdc01.is.ad.company.com -b 'DC=is,DC=ad,DC=company,DC=com' -s base -D 'maduser@is.ad.company.com' -W

This returns a ton of information, this just a portion.

# name.user, BHX, Users, _Global, is.ad.company.com
dn: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPersons 
objectClass: user
cn: name.user
sn: name
title: Senior Unix Administrator
description: RLS - Senior Unix Administrator
physicalDeliveryOfficeName: company UK1 GB-Birmingham
telephoneNumber: +44-12-1329-xxxx
givenName: user
distinguishedName: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com

Find out DC given MAD login name, AD domain and LDAP server

ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "loginname@is.ad.company.com" -W -b "dc=is,dc=ad,dc=company,dc=com" -s sub  "(sAMAccountName=*loginnname*)" dn | grep dn:
Enter LDAP Password: 
dn: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com

Find users with “surname” as part of DN:-

ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "loginname@is.ad.company.com" -W -b "dc=is,dc=ad,dc=company,dc=com" -s sub  "(CN=*surname*)" dn
# surname.Andrew, BHX, Users, _Global, is.ad.company.com
dn: CN=surname.Andrew,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com

# surname.Sean, SEA, Users, _Global, is.ad.company.com
dn: CN=surname.Sean,OU=SEA,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com

Doing a search on -b OU=BHX and below looking for attribute proxyAddresses and grepping for sip is a way to find the correct format for your buddy list in Pidgin.

[user ~]$ ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=<yourDN>,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" //
-W -b OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub proxyAddresses | grep sip
Enter LDAP Password: 
proxyAddresses: sip:user1@company.com
proxyAddresses: sip:user2@company.com
proxyAddresses: sip:user3@company.com
proxyAddresses: sip:user4@company.com

Script to get SIP: addreses from LDAP

  [user scripts]$ cat getsipforpidgin.sh
  #gets ldap server from dns, uses ldapsearch to find sip:user@domain for pidgin buddy list
  #turn on debug, -x starts, +x stops.
  set +x
  echo "dnsdomain is >${DOMAIN}<"
  #save IFS for later
  IFS=$'\n'      # newlines are the only separator
  #Get server names from DNS using srv records
  GLOBALCATALOG=( $(dig -t SRV +short _gc._tcp.ad.company.com | grep is.ad | cut -d' ' -f4) )
  #reset IFS
  echo -n "Global Catalogue servers, "
  # get length of an array
  echo "${GCLENGTH} Global catalogue servers found."
  echo " "
  # use for loop read all GC servers
  for (( gc=0; gc<${GCLENGTH}; gc++ ));
          echo "Using >${GLOBALCATALOG[$gc]}<"
          echo "==============================="
          echo ""
          ldapsearch -x -L -h ${GLOBALCATALOG[$gc]} -D "${CN}" -W -b "${SEARCHBASE=}" -s sub proxyAddresses | grep sip | cut -d: -f2- | cut -d' ' -f2- | sort
          if [ ${LDAPSEARCHRESULT} = 0 ]
  exit 0
#ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" -W -b 
#OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub proxyAddresses | grep sip | cut -d: -f2- | cut -d' ' -f2- | sort

[user scripts]$ 

Output is:-

[user scripts]$ ./getsipforpidgin.sh
dnsdomain is >is.ad.company.com<
Global Catalogue servers, 16 Global catalogue servers found.
Using >lasisdc02.is.ad.company.com.<

Enter LDAP Password: 

rb/ldapandmad.txt · Last modified: 10/07/2019 15:39 by andrew