Linux: using ldapsearch to debug Active Directory

From Define Wiki
Revision as of 16:31, 12 November 2019 by Antony c (talk | contribs) (first post)

When SSSD authenticates against AD with "ldap_id_mapping = False", a user must have ALL of the POSIX attributes in their AD object to be able to log in.

When the customer tells you this has been done for all users, yet one user works and another doesn't, and you need the smoking gun, here is how you find it:


ldapsearch -x -W -D 'zSvcJoinDomainLinux@INT.CORP.GEL.AC' -b 'dc=corp,dc=gel,dc=ac' -H ldap://10.105.15.20 -s sub "(CN=Donald Trumper)"

This is an example from GEL (with the name changed so as not to violate GDPR):

  • -D is the user to bind to LDAP as; in this case it is the user they gave us to join nodes to this domain
  • -b is the search base DN; in this case we know the user should be in the CORP.GEL.AC domain
  • -H ldap://10.105.15.20 is one of the AD servers we are joined to
  • -s sub "(CN=Donald Trumper)" searches the whole subtree for the specific user we are looking for, and when we look at the result we see that he doesn't have a gidNumber, so he won't be allowed in
 [root@p2postlog0002 ~]# ldapsearch -x -W -D 'zSvcJoinDomainLinux@INT.CORP.GEL.AC' -b 'dc=corp,dc=gel,dc=ac' -H ldap://10.105.15.20 -s sub "(CN=Donald Trumper)"
 Enter LDAP Password: 
 # extended LDIF
 #
 # LDAPv3
 # base <dc=corp,dc=gel,dc=ac> with scope subtree
 # filter: (CN=Donald Trumper)
 # requesting: ALL
 #
 
 # Donald Trumper, GEL, Users, GEL, corp.gel.ac
 dn: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: user
 cn: Donald Trumper
 sn: Trumper
 title: Commercial Proposition and Product Manager
 description: Permanent
 physicalDeliveryOfficeName: Dawson Hall
 givenName: Donald
 distinguishedName: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC
  =ac
 instanceType: 4
 whenCreated: 20190716101933.0Z
 whenChanged: 20191112083729.0Z
 displayName: Donald Trumper
 uSNCreated: 139477
 memberOf: CN=O365-SelfService-PasswordReset,OU=Applications,OU=Groups,OU=GEL,D
  C=corp,DC=gel,DC=ac
 uSNChanged: 829130
 department: Commercial
 proxyAddresses: SMTP:Donald.Trumper@genomicsengland.co.uk
 proxyAddresses: smtp:Donald.Trumper@genomicsenglandltd.mail.onmicrosoft.com
 proxyAddresses: x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOH
  F23SPDLT)/cn=Recipients/cn=c8aab061b3894a979b1f3f1959697821-Donald Nanki
 name: Donald Trumper
 objectGUID:: FWMDEkpkwk6jL6h4s1itQw==
 userAccountControl: 66048
 badPwdCount: 0
 codePage: 0
 countryCode: 0
 pwdLastSet: 132180206048436784
 primaryGroupID: 513
 objectSid:: AQUAAAAAAAUVAAAAz0olKw83ALo6csJV3AQAAA==
 accountExpires: 9223372036854775807
 sAMAccountName: Donald.Trumper
 sAMAccountType: 805306368
 showInAddressBook: CN=All Recipients(VLV),CN=All System Address Lists,CN=Addre
  ss Lists Container,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=Configura
  tion,DC=corp,DC=gel,DC=ac
 showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
  CN=Address Lists Container,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=C
  onfiguration,DC=corp,DC=gel,DC=ac
 showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
  r,CN=Genomics,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=g
  el,DC=ac
 legacyExchangeDN: /o=Genomics/ou=Exchange Administrative Group (FYDIBOHF23SPDL
  T)/cn=Recipients/cn=68ff8beeb37d4296a3bc8fc6cb40bb2c-Donald Trumper
 userPrincipalName: Donald.Trumper@genomicsengland.co.uk
 lockoutTime: 0
 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=gel,DC=ac
 dSCorePropagationData: 20190903120415.0Z
 dSCorePropagationData: 16010101000001.0Z
 mS-DS-ConsistencyGuid:: FWMDEkpkwk6jL6h4s1itQw==
 msDS-SupportedEncryptionTypes: 0
 msDS-ExternalDirectoryObjectId: User_a15bc18c-a3cd-4c3e-8118-7ffeefb42225
 mail: Donald.Trumper@genomicsengland.co.uk
 manager: CN=Carl Smith,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac
 uidNumber: 32613
 msExchVersion: 88218628259840
 msExchPoliciesIncluded: 316e658b-7875-40fb-a467-5a28d79efd21
 msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
 targetAddress: SMTP:Donald.Trumper@genomicsenglandltd.mail.onmicrosoft.com
 msExchUMDtmfMap: emailAddress:37265626548355
 msExchUMDtmfMap: lastNameFirstName:62654835537265
 msExchUMDtmfMap: firstNameLastName:37265626548355
 msExchRecipientDisplayType: -2147483642
 mailNickname: Donald.Trumper
 msExchMailboxGuid:: KwBgAAPE2UabehM5pv31gg==
 msExchBlockedSendersHash:: JCe8iw==
 msExchRemoteRecipientType: 1
 msExchRecipientTypeDetails: 2147483648
 
 # search reference
 ref: ldap://int.corp.gel.ac/DC=int,DC=corp,DC=gel,DC=ac
 
 # search reference
 ref: ldap://DomainDnsZones.corp.gel.ac/DC=DomainDnsZones,DC=corp,DC=gel,DC=ac
 
 # search reference
 ref: ldap://ForestDnsZones.corp.gel.ac/DC=ForestDnsZones,DC=corp,DC=gel,DC=ac
 
 # search reference
 ref: ldap://corp.gel.ac/CN=Configuration,DC=corp,DC=gel,DC=ac
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 6
 # numEntries: 1
 # numReferences: 4
 [root@p2postlog0002 ~]#
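Reading a full AD object by eye is error-prone, so here is an added example (not from the wiki) that automates the check described above: it parses the LDIF that ldapsearch prints, handling the folded continuation lines and base64 "::" values visible in the output, and reports which of the POSIX attributes SSSD's AD provider reads by default (uidNumber, gidNumber, unixHomeDirectory, loginShell) each user entry lacks. The sample LDIF embedded in the script is constructed, modelled on the output above, with a second made-up user that carries the full set; the script name check_posix.py is assumed.

```python
# Added example (not from the wiki): check ldapsearch LDIF output for the
# POSIX attributes SSSD needs when ldap_id_mapping = False.
import base64
import sys
from typing import Dict, List

# Default attribute names from sssd-ad(5) (ldap_user_uid_number, ldap_user_gid_number,
# ldap_user_home_directory, ldap_user_shell). Drop the last two if sssd.conf sets
# fallback_homedir and default_shell, since SSSD then tolerates their absence.
REQUIRED_POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries keyed by lowercase attribute name.
    Comments, the password prompt, 'ref:' references and the result trailer carry
    no dn and are dropped; 'attr:: value' lines are base64-decoded."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue  # shell prompt or other non-LDIF noise
        if rest.startswith(":"):  # base64 value (binary attributes such as objectGUID)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def missing_posix_attrs(entry: Dict[str, List[str]]) -> List[str]:
    """Required POSIX attributes absent from one entry, in REQUIRED order."""
    return [a for a in REQUIRED_POSIX_ATTRS if a.lower() not in entry]


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's dn to the POSIX attributes it lacks (empty list = OK)."""
    return {e["dn"][0]: missing_posix_attrs(e) for e in parse_ldif(text)}


# Constructed sample modelled on the wiki's output: the first entry has a
# uidNumber but no gidNumber (so SSSD rejects the login); the second is a
# made-up user that carries the full POSIX set.
SAMPLE_LDIF = """\
# base <dc=corp,dc=gel,dc=ac> with scope subtree
# filter: (CN=Donald Trumper)

# Donald Trumper, GEL, Users, GEL, corp.gel.ac
dn: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac
cn: Donald Trumper
distinguishedName: CN=Donald Trumper,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC
 =ac
objectGUID:: FWMDEkpkwk6jL6h4s1itQw==
sAMAccountName: Donald.Trumper
uidNumber: 32613

# Jane Example, GEL, Users, GEL, corp.gel.ac
dn: CN=Jane Example,OU=GEL,OU=Users,OU=GEL,DC=corp,DC=gel,DC=ac
cn: Jane Example
sAMAccountName: Jane.Example
uidNumber: 32614
gidNumber: 10000
unixHomeDirectory: /home/jane.example
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.corp.gel.ac/DC=ForestDnsZones,DC=corp,DC=gel,DC=ac
"""


def main() -> int:
    # Usage: ldapsearch -x -W ... | python3 check_posix.py   (reads stdin);
    # run with no pipe and it checks the constructed sample instead.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    failures = 0
    for dn, missing in check_ldif(text).items():
        if missing:
            failures += 1
            print(f"{dn}: missing {', '.join(missing)}")
        else:
            print(f"{dn}: all POSIX attributes present")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the same ldapsearch command as above into the script (keep -W so the bind password is prompted for rather than left in shell history with -w), and it prints one line per user naming the missing attributes, which is the smoking gun to hand back to the customer. The exit status is non-zero when any user is incomplete, so the check can run in a loop over a list of users.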