19

How can I list the Active Directory user attributes from a Linux computer? The Linux computer is already joined to the domain. I can use 'getent' to get the user and group information, but it does not display the complete Active Directory user attributes.

d-cubed
Vishnu

4 Answers

25

You can use ldapsearch to query an AD server. For example, the following query will display all attributes of all the users in the domain:

ldapsearch -x -h adserver.domain.int -D "user@domain.int" -W -b "cn=users,dc=domain,dc=int"

Command options explained:

  • -x use simple authentication (as opposed to SASL)
  • -h your AD server
  • -D the DN to bind to the directory. In other words, the user you are authenticating with.
  • -W Prompt for the password. The password should match what is in your directory for the binddn (-D). Mutually exclusive from -w.
  • -b The starting point for the search

More info: http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.0-Release&format=html

Diamond
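A narrower variant of the query above, as an added example that is not part of the original answer: it looks up one account by sAMAccountName over LDAPS (so the simple-bind password is not sent in cleartext), escapes the name per RFC 4515 before placing it in the filter, and returns only the attributes asked for. The server, bind user and search base reuse the answer's placeholder values; the function names and environment variables are assumptions of this example.

```bash
#!/bin/sh
# Added example: query a single AD user's attributes with ldapsearch.
# Placeholder values taken from the answer above; override via environment.
AD_SERVER=${AD_SERVER:-adserver.domain.int}
BIND_UPN=${BIND_UPN:-user@domain.int}
SEARCH_BASE=${SEARCH_BASE:-cn=users,dc=domain,dc=int}

# Escape the characters that are special in an LDAP search filter (RFC 4515).
# The backslash is handled first so the escapes added afterwards are not
# escaped a second time.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                         -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' \
                         -e 's/)/\\29/g'
}

# Build a filter that matches exactly one user account by login name.
ad_user_filter() {
  printf '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))' \
    "$(ldap_escape "$1")"
}

# ad_user_attrs LOGIN [ATTRIBUTE...]
# With no attributes listed, ldapsearch returns every user attribute the
# bind account is allowed to read.
ad_user_attrs() {
  if [ -z "$1" ]; then
    echo "usage: ad_user_attrs LOGIN [ATTRIBUTE...]" >&2
    return 2
  fi
  user=$1
  shift
  # -H ldaps://  TLS-protected connection (the CA that issued the domain
  #              controller's certificate must be trusted, e.g. TLS_CACERT
  #              in ldap.conf)
  # -LLL         plain LDIF output without comments or version line
  # -o ldif-wrap=no  keep long values such as memberOf DNs on one line
  ldapsearch -LLL -o ldif-wrap=no \
    -H "ldaps://${AD_SERVER}" \
    -x -D "${BIND_UPN}" -W \
    -b "${SEARCH_BASE}" \
    "$(ad_user_filter "$user")" "$@"
}

# Example call (constructed login name):
#   ad_user_attrs jdoe displayName mail memberOf userAccountControl
```

On a domain-joined host with a valid Kerberos ticket (after kinit), replacing `-x -D ... -W` with `-Y GSSAPI` avoids typing a password at all, provided the SASL GSSAPI module is installed.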
4

A much simpler command is

id myuser@MYDOMAIN

For this command to work, your machine must have already joined the domain; you can verify that via

realm list
dr_
1

Or just use the groups command:

# groups <user_ID>
Michael Hampton
Gonzo
1

If the OS is integrated with Active Directory, then simply running the "id" command should be sufficient to list the AD groups assigned to the user.

Commands like id/gid will give results just the way they do when the OS is not integrated with AD.

PFB the sample:

[oracle@wlsserver1~]$ id s_dhan
uid=1356186729(s_dhan) gid=1356000513(domain users) groups=1356000513(domain users),1356162912(linux-skl-prod-login),1356177219(linux-tom-dv-login),....
Swisstone
SanjayMD