In order to access AD data from Linux, install the ldapsearch utility, which is part of the openldap-clients package on CentOS:
yum -y install openldap-clients
In order to query AD/LDAP data you need an appropriate bind account with read permissions. That might be either your own account (ldapsearch will prompt for your AD password after you issue this command):
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
-D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
filter [attrs...]
or another bind account (for example the one used in the sssd.conf of your Linux servers):
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
-D 'CN=sssd_linux,OU=Users,DC=example,DC=org' -w p4ssw0rd \
filter [attrs...]
See the sections below for more specific examples.
The LDAP query below lists all AD objects with objectClass=user, which typically means listing all AD users. The output is also limited to the name attribute only:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
-D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
"(objectClass=user)" name
The same query with objectClass=group lists all AD groups:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
-D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
"(objectClass=group)" name
Say we need the AD record for the user John Doe with the domain username john.doe:
ldapsearch -LLL -H ldap://ldap.example.org -b "DC=example,DC=org" \
-D 'CN=YOUR_NAME YOUR_SURNAME,OU=Users,DC=example,DC=org' -W \
"(sAMAccountName=john.doe)"
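As an added example (not from the original page), the lookup above wrapped in a small POSIX shell script: the username is escaped before it is placed in the filter, the bind password is read from a file with -y instead of being passed on the command line with -w (where it shows up in the process list and shell history), and StartTLS is required. The host, base DN and bind DN are taken from the page; the password file path is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page. Wraps the sAMAccountName lookup
# so that the username is escaped before it enters the filter, the bind
# password is read from a file, and StartTLS is required.

# Escape a value for an LDAP search filter (RFC 4515). The backslash is
# handled first so the backslashes introduced by later substitutions are
# not escaped again. (NUL cannot occur in a shell string, so it is omitted.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build the user lookup filter from a possibly untrusted username.
user_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# Print the plain values of one attribute from LDIF on stdin
# (base64 "attr::" lines are left out).
ldif_values() {
    awk -v a="$1" '$1 == (a ":") { sub(/^[^:]*: /, ""); print }'
}

# Connection settings. Host, base DN and bind DN are from the page; the
# password file path is an assumed placeholder. Create the file without a
# trailing newline (printf '%s' 'secret' > file; chmod 600 file), because
# -y uses the complete file contents as the password.
LDAP_URI='ldap://ldap.example.org'
BASE_DN='DC=example,DC=org'
BIND_DN='CN=sssd_linux,OU=Users,DC=example,DC=org'
PASS_FILE="${PASS_FILE:-/etc/ldap-bind.pw}"

# Look up one user. -ZZ makes ldapsearch fail rather than fall back to a
# cleartext simple bind if StartTLS cannot be negotiated; -y keeps the
# password out of the process list and shell history.
ad_user() {
    ldapsearch -LLL -ZZ -H "$LDAP_URI" -b "$BASE_DN" \
        -D "$BIND_DN" -y "$PASS_FILE" \
        "$(user_filter "$1")" name sAMAccountName memberOf
}

# Usage: ad_user 'john.doe' | ldif_values name
```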