http://wiki.define-technology.com/mediawiki-1.35.0/index.php?action=history&feed=atom&title=Linux%3A_using_ldapsearch_to_debug_Active_Directory 2026-05-04T22:47:02Z Revision history for this page on the wiki MediaWiki 1.35.0 http://wiki.define-technology.com/mediawiki-1.35.0/index.php?title=Linux:_using_ldapsearch_to_debug_Active_Directory&diff=29424&oldid=prev 2019-11-12T16:31:55Z

<p>first post</p> <p><b>New page</b></p><div>When using SSSD to authenticate against AD with &quot;ldap_id_mapping = False&quot; a user must have ALL posix attributes to be able to login<br /> <br /> when customers tell you that it is done for all users and another user works and one doesn&#039;t and you need the smoking gun . . . here is how you find it:<br /> <br /> <br /> ldapsearch -x -W -D &#039;zSvcJoinDomainLinux@INT.CORP.GEL.AC&#039; -b &#039;dc=corp,dc=gel,dc=ac&#039; -H ldap://10.105.15.20 -s sub &quot;(CN=Donald Trumper)&quot;<br /> <br /> this is an example from GEL (with name changed so as not to violate GDPR):<br /> <br /> * -D is the user to bind to LDAP as in this case the user they gave us to join nodes to this domain<br /> * -b is the bind dn for the domain in this case we know the user should be in the CORP.GEL.AC domain<br /> * -H ldap://10.105.15.20 is one of the AD servers we are joined to<br /> * -s sub &quot;(CN=Donald Trumper)&quot; is the specific user we are looking for and when we look we see that he doesn&#039;t have a gidNumber so won&#039;t be allowed in<br /> <br /> [root@p2postlog0002 ~]# ldapsearch -x -W -D &#039;zSvcJoinDomainLinux@INT.CORP.GEL.AC&#039; -b &#039;dc=corp,dc=gel,dc=ac&#039; -H ldap://10.105.15.20 -s sub &quot;(CN=Donald Trumper)&quot;<br /> Enter LDAP Password: <br /> # extended LDIF<br /> #<br /> # LDAPv3<br /> # base &lt;dc=corp,dc=gel,dc=ac&gt; with scope subtree<br /> # filter: (CN=Donald Trumper)<br /> # requesting: ALL<br /> #<br /> <br /> # Donald Trumper, GEL, Users, GEL, corp.gel.ac<br /> dn: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac<br /> objectClass: top<br /> objectClass: person<br /> objectClass: organizationalPerson<br /> objectClass: user<br /> cn: Donald Trumper<br /> sn: Trumper<br /> title: Commercial Proposition and Product Manager<br /> description: Permanent<br /> physicalDeliveryOfficeName: Dawson Hall<br /> givenName: Donald<br /> distinguishedName: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC<br /> =ac<br /> instanceType: 4<br /> whenCreated: 20190716101933.0Z<br /> whenChanged: 20191112083729.0Z<br /> displayName: Donald Trumper<br /> uSNCreated: 139477<br /> memberOf: CN=O365-SelfService-PasswordReset,OU=Applications,OU=Groups,OU=GEL,D<br /> C=corp,DC=gel,DC=ac<br /> uSNChanged: 829130<br /> department: Commercial<br /> proxyAddresses: SMTP:Donald.Trumper@genomicsengland.co.uk<br /> proxyAddresses: smtp:Donald.Trumper@genomicsenglandltd.mail.onmicrosoft.com<br /> proxyAddresses: x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOH<br /> F23SPDLT)/cn=Recipients/cn=c8aab061b3894a979b1f3f1959697821-Donald Nanki<br /> name: Donald Trumper<br /> objectGUID:: FWMDEkpkwk6jL6h4s1itQw==<br /> userAccountControl: 66048<br /> badPwdCount: 0<br /> codePage: 0<br /> countryCode: 0<br /> pwdLastSet: 132180206048436784<br /> primaryGroupID: 513<br /> objectSid:: AQUAAAAAAAUVAAAAz0olKw83ALo6csJV3AQAAA==<br /> accountExpires: 9223372036854775807<br /> sAMAccountName: Donald.Trumper<br /> sAMAccountType: 805306368<br /> showInAddressBook: CN=All Recipients(VLV),CN=All System Address Lists,CN=Addre<br /> ss Lists Container,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=Configura<br /> tion,DC=corp,DC=gel,DC=ac<br /> showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,<br /> CN=Address Lists Container,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=C<br /> onfiguration,DC=corp,DC=gel,DC=ac<br /> showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe<br /> r,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=g<br /> el,DC=ac<br /> legacyExchangeDN: /o=Genomics/ou=Exchange Administrative Group (FYDIBOHF23SPDL<br /> T)/cn=Recipients/cn=68ff8beeb37d4296a3bc8fc6cb40bb2c-Donald Trumper<br /> userPrincipalName: Donald.Trumper@genomicsengland.co.uk<br /> lockoutTime: 0<br /> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=gel,DC=ac<br /> dSCorePropagationData: 20190903120415.0Z<br /> dSCorePropagationData: 16010101000001.0Z<br /> mS-DS-ConsistencyGuid:: FWMDEkpkwk6jL6h4s1itQw==<br /> msDS-SupportedEncryptionTypes: 0<br /> msDS-ExternalDirectoryObjectId: User_a15bc18c-a3cd-4c3e-8118-7ffeefb42225<br /> mail: Donald.Trumper@genomicsengland.co.uk<br /> manager: CN=Carl Smith,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac<br /> uidNumber: 32613<br /> msExchVersion: 88218628259840<br /> msExchPoliciesIncluded: 316e658b-7875-40fb-a467-5a28d79efd21<br /> msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}<br /> targetAddress: SMTP:Donald.Trumper@genomicsenglandltd.mail.onmicrosoft.com<br /> msExchUMDtmfMap: emailAddress:37265626548355<br /> msExchUMDtmfMap: lastNameFirstName:62654835537265<br /> msExchUMDtmfMap: firstNameLastName:37265626548355<br /> msExchRecipientDisplayType: -2147483642<br /> mailNickname: Donald.Trumper<br /> msExchMailboxGuid:: KwBgAAPE2UabehM5pv31gg==<br /> msExchBlockedSendersHash:: JCe8iw==<br /> msExchRemoteRecipientType: 1<br /> msExchRecipientTypeDetails: 2147483648<br /> <br /> # search reference<br /> ref: ldap://int.corp.gel.ac/DC=int,DC=corp,DC=gel,DC=ac<br /> <br /> # search reference<br /> ref: ldap://DomainDnsZones.corp.gel.ac/DC=DomainDnsZones,DC=corp,DC=gel,DC=ac<br /> <br /> # search reference<br /> ref: ldap://ForestDnsZones.corp.gel.ac/DC=ForestDnsZones,DC=corp,DC=gel,DC=ac<br /> <br /> # search reference<br /> ref: ldap://corp.gel.ac/CN=Configuration,DC=corp,DC=gel,DC=ac<br /> <br /> # search result<br /> search: 2<br /> result: 0 Success<br /> <br /> # numResponses: 6<br /> # numEntries: 1<br /> # numReferences: 4<br /> [root@p2postlog0002 ~]#</div>

Antony c