Configuring Pidgin to access [[rb:configpidginforlync|Lync]].
  

====== LDAP - playing with Microsoft AD (MAD) ======

DNS domain: is.ad.company.com

Forest domain: ad.company.com


===== Finding out LDAP servers from DNS =====

Look up the SRV record for _ldap._tcp.<dnsdomain>;
find the Global Catalogue with _gc._tcp.<forestdomain>.
The answer lists each server as "service = priority weight port target".


  [user ]$ nslookup
  > set type=SRV
  
  > _ldap._tcp.is.ad.company.com
  ;; Truncated, retrying in TCP mode.
  Server:         10.170.2.4
  Address:        10.170.2.4#53
  
  _ldap._tcp.is.ad.company.com        service = 0 100 389 amsisdc01.is.ad.company.com.
  ....-edited-....
  _ldap._tcp.is.ad.company.com        service = 0 100 389 manisdc01.is.ad.company.com.
  _ldap._tcp.is.ad.company.com        service = 0 100 389 bhxisdc01.is.ad.company.com.
  

===== Find out Global Catalogue =====


  [user]$ nslookup
  > set type=SRV
  
  > _gc._tcp.ad.company.com
  ;; Truncated, retrying in TCP mode.
  Server:         10.184.2.64
  Address:        10.184.2.64#53
  
  Non-authoritative answer:
  _gc._tcp.ad.company.com     service = 0 100 3268 amsp-dci01.is.ad.company.com.
  ....-edited-....
  _gc._tcp.ad.company.com     service = 0 100 3268 jnbisdc01.is.ad.company.com.
  
  
  Authoritative answers can be found from:
  amsp-dci01.is.ad.company.com        internet address = 10.170.2.110
  ....-edited-....
  jnbisdc01.is.ad.company.com internet address = 192.168.180.7
  
  
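The SRV answers above carry a priority, a weight, a port and a target host, and a client is meant to try the lowest priority first and prefer higher weights within it. The following shell functions are an added example (not from the original page) that order a constructed sample of ''dig -t SRV +short'' output that way and turn it into ldap:// URIs for ''ldapsearch -H''; the host names in the sample are made up.

```shell
# Constructed sample of `dig -t SRV +short _gc._tcp.ad.company.com` output
# in the form "priority weight port target" (hosts invented for this example).
SAMPLE_SRV='10 100 3268 jnbisdc01.is.ad.company.com.
0 100 3268 amsp-dci01.is.ad.company.com.
0 50 3268 bhxisdc01.is.ad.company.com.
0 80 3268 manisdc01.is.ad.company.com.'

# Order SRV records the way a client should try them: lowest priority first,
# then highest weight first within a priority (deterministic, no random pick).
# Prints "host port" per line with the trailing dot stripped from the target.
order_srv() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

# Build ldap:// URIs for ldapsearch -H from the ordered list, so a client can
# fall back to the next catalogue server if the first one is unreachable.
srv_to_uris() {
    order_srv | awk '{ printf "ldap://%s:%s\n", $1, $2 }'
}

# Pick only the best server, e.g. for ldapsearch -h / -p.
best_srv_host() {
    order_srv | head -n 1 | cut -d' ' -f1
}

# A live lookup would be: dig -t SRV +short _gc._tcp.ad.company.com | srv_to_uris
printf '%s\n' "$SAMPLE_SRV" | srv_to_uris
```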
===== Search for User attributes =====

Windows lusers have ldp.exe as a search tool. You can use this to find your LDAP DistinguishedName (DN) from MAD; it seems that your samAccountName is your Windows login name. Of course if your name is already sam.... This DN can then be used in ldapsearch below.

{{gy-tech:ldaplookup-ldp.png?300|Using ldp to find DN from samAccountName}}


  ldapsearch -x -LLL -E pr=200/noprompt -h testad.example.com -D "myuser@testdomain.example.com" -w 123456 \
  -b "cn=users,dc=testdomain,dc=example,dc=com" -s sub "(cn=*)" cn mail sn


  ldapsearch -x -W -D 'cn=Manager,dc=int, dc=company, dc=com' -b "" -s base -h inet03
  
  -x Simple Auth, not SASL
  -W Prompt for the simple Auth password, rather than giving it on the command line
  -w <password> on the command line (visible in the process list and shell history, so prefer -W)
  -D Distinguished name to bind with
  -b search Base
  -s Scope of search: base, one (one level) or sub (subtree).
  -h Host to search on
  -H LDAP URI format for host, ldap://hostname.domain.com
  -S attr, sort the results by attribute 'attr' (see below)
  -L Search results are in LDIF v1 format, -LL disables comments, -LLL disables LDIF version printing.
  -E Extension; pr=200/noprompt is the paged results control: fetch 200 entries per page and carry on without prompting between pages. AD caps the entries returned per search, so large searches need this.

This search string works:-

  [user ~]$ ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=<yourDN>,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" \
  -W -b CN=<yourDN>,OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub

You can also bind with your login name plus the AD domain name; this works if you don't know your full LDAP DN:-

  ldapsearch -x -h amsisdc01.is.ad.company.com -b 'DC=is,DC=ad,DC=company,DC=com' -s base -D 'maduser@is.ad.company.com' -W


This returns a ton of information; this is just a portion.

  # name.user, BHX, Users, _Global, is.ad.company.com
  dn: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPersons
  objectClass: user
  cn: name.user
  sn: name
  title: Senior Unix Administrator
  description: RLS - Senior Unix Administrator
  physicalDeliveryOfficeName: company UK1 GB-Birmingham
  telephoneNumber: +44-12-1329-xxxx
  givenName: user
  distinguishedName: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
  ....edited....

Find out your DN given your MAD login name, the AD domain and an LDAP server:-

  ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "loginname@is.ad.company.com" -W -b "dc=is,dc=ad,dc=company,dc=com" -s sub "(sAMAccountName=*loginname*)" dn | grep dn:
  Enter LDAP Password: 
  dn: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com



Find users with "surname" as part of the DN:-

  ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "loginname@is.ad.company.com" -W -b "dc=is,dc=ad,dc=company,dc=com" -s sub "(CN=*surname*)" dn
  ....edited....
  # surname.Andrew, BHX, Users, _Global, is.ad.company.com
  dn: CN=surname.Andrew,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
  
  # surname.Sean, SEA, Users, _Global, is.ad.company.com
  dn: CN=surname.Sean,OU=SEA,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com



Example:- \\
Doing a search on ''-b OU=BHX'' and below, asking for the attribute ''proxyAddresses'' and grepping for ''sip'', is a way to find the correct format for your buddy list in Pidgin.


  [user ~]$ ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=<yourDN>,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" \
  -W -b OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub proxyAddresses | grep sip
  Enter LDAP Password: 
  proxyAddresses: sip:user1@company.com
  proxyAddresses: sip:user2@company.com
  proxyAddresses: sip:user3@company.com
  proxyAddresses: sip:user4@company.com
  ....edited....



===== Script to get SIP: addresses from LDAP =====

<code bash>
[user scripts]$ cat getsipforpidgin.sh
#!/bin/bash
# Gets the LDAP servers from DNS, then uses ldapsearch to find the
# sip:user@domain addresses for the Pidgin buddy list.

# Turn on debug: -x starts tracing, +x stops it.

set +x

#DOMAIN=is.ad.company.com
DOMAIN=$(dnsdomainname)

CN='cn=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com'
SEARCHBASE='OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com'



echo "dnsdomain is >${DOMAIN}<"


# Save IFS for later
OLDIFS="$IFS"
IFS=$'\n'      # newlines are the only separator

# Get server names from DNS using SRV records; field 4 of dig's short
# output is the target host (fields 1-3 are priority, weight and port).
GLOBALCATALOG=( $(dig -t SRV +short _gc._tcp.ad.company.com | grep is.ad | cut -d' ' -f4) )

# Reset IFS
IFS="$OLDIFS"



echo -n "Global Catalogue servers, "
# Get the length of the array
GCLENGTH=${#GLOBALCATALOG[@]}


echo "${GCLENGTH} Global catalogue servers found."
echo " "




# Use a for loop to try each GC server in turn; stop at the first that answers.
for (( gc=0; gc<${GCLENGTH}; gc++ ));
do
        echo "Using >${GLOBALCATALOG[$gc]}<"
        echo "==============================="
        echo ""

        ldapsearch -x -L -h "${GLOBALCATALOG[$gc]}" -D "${CN}" -W -b "${SEARCHBASE}" -s sub proxyAddresses | grep sip | cut -d: -f2- | cut -d' ' -f2- | sort
        # $? here would be the exit status of sort, the last command in the
        # pipeline; PIPESTATUS[0] is the status of ldapsearch itself.
        LDAPSEARCHRESULT=${PIPESTATUS[0]}

        if [ "${LDAPSEARCHRESULT}" -eq 0 ]
          then
          break
        fi


done



exit 0

#ldapsearch -x -L -h amsisdc01.is.ad.company.com -D "cn=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com" -W -b 
#OU=BHX,OU=Users,OU=_Global,dc=is,dc=ad,dc=company,dc=com -s sub proxyAddresses | grep sip | cut -d: -f2- | cut -d' ' -f2- | sort

[user scripts]$ 
</code>


Output is:-

  [user scripts]$ ./getsipforpidgin.sh
  dnsdomain is >is.ad.company.com<
  Global Catalogue servers, 16 Global catalogue servers found.
   
  Using >lasisdc02.is.ad.company.com.<
  ===============================
  
  Enter LDAP Password: 
  sip:user1@company.com
  sip:user2@company.com
  sip:user4@company.com
  sip:user5@company.com
  sip:user6@company.com
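The ''grep sip | cut'' pipelines used above, both in the manual proxyAddresses search and in getsipforpidgin.sh, break on two things ''ldapsearch -L'' legitimately emits: long values folded onto a continuation line that starts with a space, and values containing non-ASCII bytes, which LDIF base64-encodes and marks with ''::''. The following is an added example, not part of the original page, that handles both on a constructed LDIF fragment (the entries and addresses in it are invented).

```shell
# Constructed LDIF as ldapsearch -L might print it from AD: one proxyAddresses
# value folded onto a continuation line and one base64-encoded value ("::").
SAMPLE_LDIF='dn: CN=name.user,OU=BHX,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
proxyAddresses: SMTP:name.user@company.com
proxyAddresses: sip:user1@company.com
proxyAddresses: sip:some.very.long.display.name.for.folding.tests@comp
 any.com
proxyAddresses:: c2lwOnVzZXIyQGNvbXBhbnkuY29t

dn: CN=other.user,OU=SEA,OU=Users,OU=_Global,DC=is,DC=ad,DC=company,DC=com
proxyAddresses: sip:user3@company.com'

# Unfold LDIF: a line beginning with a single space continues the previous line.
ldif_unfold() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { print buf }'
}

# Print every proxyAddresses value, decoding base64 ("::") values to text.
ldif_proxy_addresses() {
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            "proxyAddresses:: "*) printf '%s' "${line#proxyAddresses:: }" | base64 -d; printf '\n' ;;
            "proxyAddresses: "*)  printf '%s\n' "${line#proxyAddresses: }" ;;
        esac
    done
}

# Keep only SIP addresses, deduplicated, in the sip:user@domain form Pidgin wants.
# The match is case-insensitive because AD may write the prefix in upper case.
ldif_sip_addresses() {
    ldif_proxy_addresses | grep -i '^sip:' | sort -u
}

# Live use would be: ldapsearch -x -L ... -s sub proxyAddresses | ldif_sip_addresses
printf '%s\n' "$SAMPLE_LDIF" | ldif_sip_addresses
```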
  

rb/ldapandmad.txt · Last modified: 10/07/2019 15:39 by andrew