Query LDAP Domain To Find Status On User Accounts Using Linux

danmartinj · 02-28-2022, 01:02 PM

Hello,

Been looking at some linux commands like ldapsearch to query status on domain user accounts. I am pretty sure ldapsearch supports this but I am also pretty sure you have to supply it a domain controller to query. With windows you do not have to do this:

Code:

net user USER /domain

I am just trying to figure out the most simplest and stable command to use on Linux. Does anyone have any suggestions?

Thanks,
Joe

TB0ne · 03-01-2022, 10:01 AM

Quote:

Originally Posted by danmartinj

Hello,
Been looking at some linux commands like ldapsearch to query status on domain user accounts. I am pretty sure ldapsearch supports this but I am also pretty sure you have to supply it a domain controller to query. With windows you do not have to do this:

Code:

net user USER /domain

I am just trying to figure out the most simplest and stable command to use on Linux. Does anyone have any suggestions?

You say you don't have to specify a domain controller in Windows...yet you're specifying a domain in the command-line you're using. Which (by default) will resolve back in Windows to the domain controller you're attached to. Meaning in essence, you ARE providing one.

The ldapsearch man pages have the switches you need, and there are many examples you can find. With TLS:

Code:

ldapsearch -H ldaps://domain.controller.com -x -W -D "user@name.com" -b "dc=controller,dc=com" "(sAMAccountName=someuser)"

And without:

Code:

ldapsearch -H ldap://domain.controller.com -x -W -D "user@name.com" -b "dc=controller,dc=com" "(sAMAccountName=someuser)"

danmartinj · 03-01-2022, 12:26 PM

Hey TBOne,

I will be happy to mark this as solved as your suggestion did work for us. However, it looks like the -W flag is asking for a password to bind to. We are hoping to create a script and use cron to have it automatically run. Is there a way to get this to work without asking for a password or is there a work around? Using a password seems insecure and can be hard to work with using a script. Any suggestions would be greatly appreciated and I will mark his as solved by you. Thanks so much for your help.

Thanks,
Joe

danmartinj · 03-01-2022, 10:10 PM

Just as a fallow I did get that to work by using the anonymous query so we do not have to setup a password within the script. thanks. this is complete now.

Joe