Search Active Directory with Ldapsearch

2018-07-04

It is fairly common to have Linux or UNIX machines on a network with a Microsoft Active Directory (AD) domain. There may be times when you want or need to search Active Directory with ldapsearch.

Quick Example

Using TLS

ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(sAMAccountName=user)"

Without TLS

ldapsearch -H ldap://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(sAMAccountName=user)"

If you want or need a more in-depth guide, keep reading.

Configure ldap.conf

If you are fine with an unencrypted connection, skip to the next section. Otherwise, obtain the certificate authority (CA) certificate that was used to sign the AD server certificate. Ask your AD administrator to provide it in PEM format. If that isn't possible, and you are reasonably sure your network connection isn't compromised, you can use openssl to retrieve the certificate chain from the server itself. The following example demonstrates how to do this.

tyler@desktop:~$ openssl s_client -connect ldap.tylersguides.com:636 -showcerts < /dev/null

Copy and paste the text of the bottom certificate in the printed chain (the CA certificate) into a file. I use /pki/cacerts.pem. The certificate text will look something like this:

-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
pu/xO28QOG8=
-----END CERTIFICATE-----

Open ldap.conf with a text editor. Here is where to find it on various operating systems:

OS        PATH
CentOS    /etc/openldap/ldap.conf
Debian    /etc/ldap/ldap.conf
OpenSUSE  /etc/openldap/ldap.conf

Add the line

TLS_CACERT /pki/cacerts.pem

to your file. Replace /pki/cacerts.pem with the location of the AD CA certificate if you put it somewhere else. Add the line

TLS_REQCERT demand

to your file as well. With this setting, ldapsearch refuses to connect if the server certificate cannot be validated against the CA certificate. In the event your network is compromised, this prevents an attacker from stealing your credentials with a man-in-the-middle attack.

Search Active Directory with Ldapsearch

Use the following example, replacing the placeholder values (dc.example.com, user@example.com, dc=example,dc=com, filter, attr1 and attr2) to perform the search. If you opted not to use an encrypted connection, use ldap:// instead of ldaps://.

ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
    -b "dc=example,dc=com" "(filter)" "attr1" "attr2"

Option  Explanation
-H      The URI of the directory server you are querying.
-x      Use simple authentication instead of SASL.
-W      Prompt for your password.
-D      The DN of the user you are authenticating as. When querying AD, this will be your AD user name @ your domain.
-b      Where in the directory to start your search. If you know which OU the entries you are searching for are in, you can add it to your base. For example, if you know you want to look in an OU called stuff, your base will look like this: "ou=stuff,dc=example,dc=com". If you don't know which OU it is in, it is fine to just use your domain, e.g. "dc=tylersguides,dc=com".
filter  The LDAP search filter used to find entries. The simplest filter looks for an attribute with a particular value. For example, if you are looking for an AD user with the user name bob, you would use the filter "(sAMAccountName=bob)". If you want to find everyone that is a member of the group cn=storage,ou=groups,dc=example,dc=com, you would use "(memberOf=cn=storage,ou=groups,dc=example,dc=com)".
attr    The attributes you wish to display. Separate each attribute with a space. Some common ones are mail and memberOf.
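The two steps above (hardening ldap.conf, then running the search) tend to end up in a script. The following is an added example, not code from the original guide: it lints an ldap.conf for the TLS_CACERT and TLS_REQCERT settings before any query is made, and builds the ldapsearch command line so that a filter value taken from user input is escaped per RFC 4515 rather than pasted into the filter verbatim. The file names and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint ldap.conf before
# querying AD, then build the ldapsearch command with an escaped filter
# value. File names and the sample config below are constructed.

# check_ldap_conf FILE: return 0 if FILE demands certificate verification
# and names a readable CA bundle; otherwise print why and return 1.
check_ldap_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Last non-comment setting wins; keys are case-insensitive.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    case "$reqcert" in
        demand|hard) ;;
        "") echo "TLS_REQCERT not set explicitly; add 'TLS_REQCERT demand'"; return 1 ;;
        *) echo "TLS_REQCERT is '$reqcert': server certificate is not verified"; return 1 ;;
    esac
    [ -n "$cacert" ] || { echo "TLS_CACERT not set"; return 1; }
    [ -r "$cacert" ] || { echo "TLS_CACERT $cacert is not readable"; return 1; }
    return 0
}

# ldap_escape VALUE: encode the RFC 4515 special characters so a value
# taken from user input cannot change the structure of the search filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_search SERVER BINDDN BASE ATTR VALUE [RETURNATTR...]: print the
# ldapsearch command line (ldaps only) for the filter (ATTR=VALUE).
build_search() {
    server=$1; binddn=$2; base=$3; attr=$4; value=$(ldap_escape "$5"); shift 5
    printf 'ldapsearch -H ldaps://%s -x -W -D "%s" -b "%s" "(%s=%s)" %s\n' \
        "$server" "$binddn" "$base" "$attr" "$value" "$*"
}

# Demo with a constructed config in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/cacerts.pem"    # stand-in for the AD CA certificate
printf 'TLS_CACERT %s\nTLS_REQCERT never\n' "$demo_dir/cacerts.pem" > "$demo_dir/ldap.conf"
check_ldap_conf "$demo_dir/ldap.conf" || echo "(fix ldap.conf before continuing)"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo_dir/cacerts.pem" > "$demo_dir/ldap.conf"
check_ldap_conf "$demo_dir/ldap.conf" && \
    build_search dc.example.com user@example.com dc=example,dc=com sAMAccountName 'bob*' mail memberOf
rm -rf "$demo_dir"
```

Note that the LDAPTLS_REQCERT environment variable and a per-user ~/.ldaprc can override the system ldap.conf, so check those too if a weakened setting seems to come from nowhere.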

If you are interested, I wrote a guide on LDAP search filters.