Simple generic LDAP access (to ActiveDirectory) from Linux CLI
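# When modern AD is your LDAP, and Linux (RHEL-ish) is your server, but not
# joined to the domain, per se.  Meant to be pasted/sourced interactively:
# it backs up and rewrites the OpenLDAP client config, stores a simple-bind
# password for `ldapsearch -y`, and defines a couple of lookup aliases.
#
# yum install openldap-clients
#
# Keep a dated copy of the current client config before overwriting it.
cp -p /etc/openldap/ldap.conf "/etc/openldap/ldap.conf.$(date +%Y%m%d)"
# NOTE(review): TLS_REQCERT ALLOW accepts any server certificate, so the
# ldaps:// session is not protected against a spoofed/MITM'd server.  Once the
# domain CA bundle is on this box, point TLS_CACERT at it (e.g.
# TLS_CACERT /path/to/domain-ca.pem  <-- placeholder) and use TLS_REQCERT demand.
cat <<'_EOF_' >/etc/openldap/ldap.conf
BASE OU=Sites,DC=INT,DC=FOO,DC=COM
URI ldaps://int.foo.com:3269
TLS_REQCERT ALLOW
_EOF_

ldap_password_file="$HOME/.config/ldap_password"
mkdir -p -- "$HOME/.config"
# -s: do not echo the password to the terminal; -r: keep backslashes literal.
read -rs -p "LDAP lookups Simple Bind password:" ldap_password
printf '\n'
# umask 077 in a subshell so the file is created 0600 from the start (no
# window where it is world-readable), and printf '%s' writes NO trailing
# newline -- ldapsearch -y would otherwise send the newline as part of the
# password and bind with "Invalid credentials (49)".
( umask 077; printf '%s' "$ldap_password" > "$ldap_password_file" )
unset ldap_password
chmod 600 -- "$ldap_password_file"
# Belt and braces: the last byte of the file must not be 0x0a.
if [[ "$(tail -c 1 "$ldap_password_file" | xxd -p)" == 0a ]]; then
  echo "Uh oh! you seem to have an embedded newline at end of file. This will probably make ldap utils choke."
fi
# If you are certain the stored password is correct and you _still_ get
# "ldap_bind: Invalid credentials (49)", check for a trailing newline and
# drop the last byte with:  truncate -s -1 "$HOME/.config/ldap_password"

# Original variant bound with the service account's full DN instead of a UPN:
#alias dba_email_list_ldap="ldapsearch -x -D 'CN=Generic Automation Service,OU=Service Accounts,OU=Meta,OU=Sites,DC=INT,DC=FOO,DC=COM' -LLL -y '$ldap_password_file' -b 'OU=Sites,DC=INT,DC=FOO,DC=COM' -s sub -o 'ldif-wrap=no' '(title=Database*)' proxyAddresses | grep proxy | sed 's/^proxy.*smtp://i' | tr '\n' ',' | sed 's/,$/\n/'"
# $ldap_password_file expands now, at definition time, and lands single-quoted
# inside the alias so a $HOME containing spaces still works at use time.
alias dba_email_list_ldap="ldapsearch -x -D '[email protected]' -LLL -y '$ldap_password_file' -b 'OU=Sites,DC=INT,DC=FOO,DC=COM' -s sub -o 'ldif-wrap=no' '(|(title=Database*)(title=DB *))' mail | grep 'mail:' | sed 's/mail: *//i' | tr '\n' ',' | sed 's/,$/\n/'"
# This next one overlaps with a nifty hijack of altSecurityIdentities for
# storing SSH RSA login public keys.  Output is "sAMAccountName|key" per line;
# the \$0 / \" escapes survive the double-quoted alias body as $0 and ".
alias ssh_public_keys_ldap="ldapsearch -x -D '[email protected]' -LLL -y '$ldap_password_file' -b 'OU=Sites,DC=INT,DC=FOO,DC=COM' -s sub -o 'ldif-wrap=no' \
'(&(|(department=IT Dept)(title=Software Developer*))(altsecurityidentities=*))' altsecurityidentities samAccountName \
| awk -v OFS='|' '{split(\$0,a,\": \")} /^sAMAccountName:/{uname=a[2]} /^altSecurityIdentities/{sshrsa=a[2]; print uname,sshrsa}' "
# Probably want to add those aliases to bashrc.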
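#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515): the
# characters \ * ( ) become \5c \2a \28 \29 so a group name or DN taken
# from the caller (or from the directory itself) cannot alter the filter.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
_ldap_filter_escape() {
  local s=$1 bs='\'
  s=${s//"$bs"/"$bs"5c}   # backslash first, so the escapes added below stay intact
  s=${s//'*'/"$bs"2a}
  s=${s//'('/"$bs"28}
  s=${s//')'/"$bs"29}
  printf '%s' "$s"
}

#######################################
# Print the sAMAccountNames of the direct user members of an AD group,
# comma-separated on one line.
# Globals:   HOME (read; password file is $HOME/.config/ldap_password)
# Arguments: $1 - group name (AD "name" attribute), escaped before use in the filter
# Outputs:   comma-separated account names on stdout; diagnostics on stderr
# Returns:   2 on bad usage, 1 if the group is missing, ambiguous, or has a
#            base64-encoded DN, otherwise the status of the final pipeline
#######################################
group_membership_ldap() {
  local base="OU=Sites,DC=INT,DC=FOO,DC=COM"  # Conceivably, could grab this from /etc/openldap/ldap.conf
  # Double quotes: $base must expand here (single quotes left it literal).
  local binddn="CN=Generic Automation Service,OU=Service Accounts,$base"
  local pwfile="$HOME/.config/ldap_password"
  local ldapfilter gdn

  if (( $# != 1 )); then
    printf 'usage: group_membership_ldap GROUP_NAME\n' >&2
    return 2
  fi

  # Groups are kind of all over the place, so first we have to find the
  # target *group* DN.
  ldapfilter="(&(objectCategory=group)(name=$(_ldap_filter_escape "$1")))"
  gdn=$(ldapsearch -x -D "$binddn" -LLL -y "$pwfile" -b "$base" -s sub -o ldif-wrap=no "$ldapfilter" dn | sed 's/^dn: //')
  if [[ -z "$gdn" ]]; then
    printf 'group_membership_ldap: no group named "%s" under %s\n' "$1" "$base" >&2
    return 1
  fi
  # ldapsearch emits "dn:: <base64>" for DNs with non-ASCII characters; the
  # sed above does not strip that form, so refuse rather than search on junk.
  if [[ "$gdn" == dn::* ]]; then
    printf 'group_membership_ldap: base64-encoded DN not supported: %s\n' "$gdn" >&2
    return 1
  fi
  # More than one matching group yields several lines; do not silently pick one.
  if [[ "$gdn" == *$'\n'* ]]; then
    printf 'group_membership_ldap: more than one group named "%s":\n%s\n' "$1" "$gdn" >&2
    return 1
  fi

  # Only direct members are listed (memberOf is not transitive here); the DN
  # is escaped because group names may legitimately contain parentheses.
  ldapfilter="(&(objectCategory=user)(memberOf=$(_ldap_filter_escape "$gdn")))"
  ldapsearch -x -D "$binddn" -LLL -y "$pwfile" -b "$base" -s sub -o ldif-wrap=no "$ldapfilter" sAMAccountName \
    | grep -E 'ldap_search_ext:|sAMAccountName' | sed 's/^sAMAccountName: *//i' | tr '\n' ',' | sed 's/,$/\n/'
  # Other attributes worth requesting for a fuller report:
  #   mail,userPrincipalName,department,name
}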