I am new to LDAP and learning about ldapsearch and LDAP in general. I would like to write a shell script that enumerates the (already existing) LDAP group "VPN Users", then gets all users' "samaccountname" (e.g. joe.smith). Can someone please help? I've tried to do it but it seems like my ldapsearch has errors:

ldapsearch -h 127.0.0.1 -x -b (&(objectCategory=group)(cn=VPN Users))

Edit - Sorry about that. I made some progress and now at least can get some data from the LDAP server by running something like this:

echo -n 'password' |
ldapsearch -h [IP here] -b "ou=x,dc=x,dc=x,dc=x" -x \
 -D "cn=user,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx" \
 -y /dev/fd/0 \
 "(&(objectClass=person)(objectClass=user)(sAMAccountName=*)(memberOf=cn=VPN Users,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx))"

But I would like it to:

  • enumerate the (already existing) LDAP group "VPN Users"
  • get all user "samaccountname" (e.g. joe.smith, etc.)

Thanks

Jenny D
Irina I
  • Or this ldapsearch -h [remote IP here] -x -b "ou=test dc=unit,dc=dev,dc=net" "(&(objectCategory=group))" – Irina I May 02 '18 at 17:43
  • Please also provide the error you are encountering. – 84104 May 02 '18 at 18:00
  • Sorry about that. I made some progress and now at least can get some data from the LDAP server by running something like this: echo -n 'password' | ldapsearch -y pass.txt -h [IP here] -b "ou=x,dc=x,dc=x,dc=x" -x -D "cn=user,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx" -W "(&(objectClass=person)(objectClass=user)(sAMAccountName=*) (memberOf=cn=VPN Users,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx))" -y /dev/fd/0 But I would like it to: (1) enumerate the (already existing) LDAP group "VPN Users" (2) get all user "samaccountname" (e.g. joe.smith, etc.) – Irina I May 02 '18 at 19:51
  • Please edit provided information into your question. – 84104 May 02 '18 at 20:28
  • I did! Edit - Sorry about that. I made some progress and now at least can get some data from the LDAP server by running something like this: echo -n 'password' | ldapsearch -y pass.txt -h [IP here] -b "ou=x,dc=x,dc=x,dc=x" -x -D "cn=user,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx" -W "(&(objectClass=person)(objectClass=user)(sAMAccountName=*) (memberOf=cn=VPN Users,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx))" -y /dev/fd/0 But I would like it to: (1) enumerate the (already existing) LDAP group "VPN Users" (2) get all user "samaccountname" (e.g. joe.smith, etc.) – Irina I May 02 '18 at 20:48
  • Please refactor your question to something readable by a human. – 84104 May 02 '18 at 22:14
  • `... seems like my ldapsearch has errors:` - Including the errors would make it a lot easier to actually tell you what the problem is. The answer is often found in the error. – Zoredache May 02 '18 at 22:31

2 Answers


The expression to use in your query would be something like this:

"(&(objectClass=user)(memberOf=cn=VPN Users,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx))" sAMAccountName

Finally:

ldapsearch -x -y pass.txt -h [IP here] -b "ou=x,dc=x,dc=x,dc=x" \
 -D "cn=user,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx" \
 "(&(objectClass=user)(memberOf=cn=VPN Users,ou=test,ou=x,ou=x,dc=x,dc=x,dc=xx))" sAMAccountName
Daniel PC

If you have something maintaining the memberOf attribute (e.g. slapd-memberOf):

ldapsearch -h ldap.example.com -b ou=groups,dc=example,dc=com \  
    -D  cn=user,ou=accounts,dc=example,dc=com -W  -y password.txt \
    "(&(memberOf=cn=VPN Users,ou=groups,dc=example,dc=com)(sAMAccountName=*))" \
    sAMAccountName

You can pipe the output through sed if you're interested in just the values, e.g.

| sed -n 's/^sAMAccountName: //p'

-y needs the password to be exact. Most text editors including vim will insert a trailing newline (\n). This must be removed, e.g. truncate -s -1 password.txt.

84104
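Both answers above rely on ldapsearch printing LDIF and on the caller picking the sAMAccountName values out of it. The script below is an added example, not code from either answer or from OpenLDAP: it wraps the memberOf query from the answers in a function, adds the fallback of reading the group's own member attribute when nothing maintains memberOf, escapes the group DN before interpolating it into the filter (RFC 4515), and parses the LDIF properly (folded continuation lines and base64 "::" values, which a plain `sed 's/^sAMAccountName: //p'` misses). The server URI, bind DN, base DN, group DN and password file are placeholders; the LDIF in sample_ldif is constructed to exercise the parser offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question or answers.
# Lists the sAMAccountName of every member of an LDAP group with OpenLDAP's
# ldapsearch client. Host, bind DN, base DN, group DN and password file are
# assumed placeholders; override them in the environment before running.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"   # ldaps:// (or -ZZ): never bind in cleartext
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=user,ou=accounts,dc=example,dc=com}"
PASS_FILE="${PASS_FILE:-password.txt}"             # -y keeps the password out of ps and history
GROUP_DN="${GROUP_DN:-cn=VPN Users,ou=groups,dc=example,dc=com}"

# RFC 4515 escaping for a value interpolated into a search filter, so a DN or
# user-supplied string cannot change the filter's structure (LDAP injection).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldapsearch folds long LDIF lines; a continuation line starts with one space.
# Join them back before parsing.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Print every value of one attribute from LDIF on stdin, one per line.
# Attribute names match case-insensitively, and "attr:: <base64>" values
# (non-ASCII, or leading/trailing spaces) are decoded.
ldif_attr() {
    ldif_unfold | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { i = index($0, ":"); if (i == 0) next
          if (tolower(substr($0, 1, i - 1)) != want) next
          rest = substr($0, i + 1)
          if (substr(rest, 1, 1) == ":") { sub(/^:[ ]*/, "", rest); print "b64 " rest }
          else                           { sub(/^[ ]*/,  "", rest); print "raw " rest } }' |
    while IFS=' ' read -r kind value; do
        if [ "$kind" = b64 ]; then printf '%s' "$value" | base64 -d; printf '\n'
        else printf '%s\n' "$value"; fi
    done
}

# Members via memberOf: works when the server maintains it (AD does; OpenLDAP
# needs the memberof overlay). -LLL drops comments and the "version:" line.
group_members_by_memberof() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" -b "$BASE_DN" \
        "(&(objectClass=user)(sAMAccountName=*)(memberOf=$(ldap_filter_escape "$GROUP_DN")))" \
        sAMAccountName | ldif_attr sAMAccountName
}

# Fallback without memberOf: read the group entry's own member attribute, then
# resolve each member DN with a base-scope search.
group_members_by_member() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$GROUP_DN" -s base '(objectClass=*)' member | ldif_attr member |
    while IFS= read -r dn; do
        ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
            -b "$dn" -s base '(objectClass=*)' sAMAccountName | ldif_attr sAMAccountName
    done
}

# Constructed LDIF, shaped like ldapsearch -LLL output, to exercise the parser
# offline: a plain value, a folded value, and a base64 value.
sample_ldif() {
    printf '%s\n' \
        'dn: CN=Joe Smith,OU=test,DC=example,DC=com' \
        'sAMAccountName: joe.smith' \
        'memberOf: CN=VPN Users,OU=groups,DC=example,DC=com' \
        '' \
        'dn: CN=Ann Lee,OU=test,DC=example,DC=com' \
        'samaccountname: ann.l' \
        ' ee' \
        '' \
        'dn: CN=Zoe Q,OU=test,DC=example,DC=com' \
        'sAMAccountName:: em9lLnE='
}

# Usage: script --memberof | --member | --demo (parser only, no server needed)
case "${1:-}" in
    --memberof) group_members_by_memberof ;;
    --member)   group_members_by_member ;;
    --demo)     sample_ldif | ldif_attr sAMAccountName ;;
esac
```

Run it with --memberof when the directory maintains memberOf, --member otherwise, and --demo to see the parser turn the constructed LDIF into joe.smith, ann.lee and zoe.q. Two caveats for Active Directory: memberOf only reflects direct membership, so nested groups need the matching-rule filter `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`; and a group with more than 1500 members returns its member attribute as `member;range=0-1499`, which this parser does not follow, so check for that attribute name before trusting the --member count.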