Re: Search-Filter for LDAP (MS Active Directory)

From: Ames Andreas (MPA/DF) (Andreas.Ames_at_tenovis.com)
Date: 10/14/04 

Date: Thu, 14 Oct 2004 17:03:27 +0200
To: <python-list@python.org>

Hello,

Dirk Hagemann wrote:

> I'd like to know how to set up a query for all computer-accounts in
> a special part of Active Directory by using LDAP.
>
> Example:
> all computers with a name like "ABC*" at "..., ou=Production,
> DC=business,DC=company,DC=com"
>>>From these computers I want to get their OS, Service Pack and some
> other information.

I use python-ldap (http://python-ldap.sf.net/) to access Active
Directory. Example:

# ----------------- code start -----------------
import ldap, ldapurl

proto = 'ldap'
server = 'youradserver.yourdomain.com'
port = 389

url = ldapurl.LDAPUrl(urlscheme=proto,
                      hostport="%s:%s" % (server,
                      str(port))).initializeUrl()
ldap_obj = ldap.initialize(url)

# !!!password will be on wire in plaintext!!!
ldap_obj = ldap_obj.simple_bind_s('<domainuser>',
                                  '<password>')

# search only within given subtree
base = 'ou=Production, DC=business, dc=yourdomain, dc=com'

# search scope see rfcs for explanation; in your case it's probably:
scope = ldap.SCOPE_SUBTREE

# this is the beef, i.e. the rfc2254 filter the following matches all
# entries in the directory, which might be many. OTOH, you often have
# server site limits on how much search hits may be returned for a
# single query; I dunno how this is changed within the query (probably
# some filter extension magic I haven't used yet)
query = '(objectclass=*)'

# now your job is to find out the right query string; I don't know if
# for example computer accounts have a special objectclass, so I'll
# just assume it is called 'cAccount'. Further I don't know which
# attribute type denotes the name of the computer account you
# mentioned; I'll just assume its type is called 'displayname'. Under
# these assumptions your example above would translate to the
# following query (which won't work because my assumptions are
# certainly wrong):
# query = '(&(objectclass=cAccount)(displayname=abc*))'

# limit the attribute types which you want to see in the result
# the following will give you the values of all attribute types of
# all matching directory entries
res_attrs = ['*']

res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
print res
# ----------------- code end -----------------

I haven't tested this special code but I'm using similar code on a
daily basis.

If you are like many people and don't like plaintext passwords on the
wire you have at least two alternatives: TLS and SASL. TLS in Active
Directory means you'll want to use 'ldaps' as the urlscheme (start_tls
doesn't work yet, AFAIK).

I had no luck with sasl (only GSSAPI available in my case). Although
I can get a TGT with MIT's kinit from my Active Directory server (this
is debian, I dunno how to get the TGT on a Micros~1 platform, but the
MIT's Windows port of their client tools seems to have some support),
there seems to be a bug related to packet sizes (either in AD or in
openldap's libldap). Maybe
http://www.openldap.org/lists/openldap-devel/200211/msg00035.html
could get you going.

HTH,

andreas

Relevant Pages

  • Re: Slow connection while using ADU&C MMC -> Clarification.
    ... If I run ADU&E on the Exchange server the change is much quicker. ... LDAP, but not RPC. ... For 1) i can't see any ldap path to the object "yann", ... Is the query going to the correct local GC? ...
    (microsoft.public.windows.server.active_directory)
  • Re: New DC behind a firewall
    ... Active Directory Replication over Firewalls ... Connecting to directory service on server mydc. ... DcDiag: a dcdiag exception raised, ... "LDAP query to speficied LDAP server on TCP port 389 failed ...
    (microsoft.public.windows.server.active_directory)
  • RE: LDAP + Active Directory
    ... Subject: LDAP + Active Directory ... LDAP server on it's rootdse. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Query LDAP to allow computer to be placed in correct OU when joining the domain
    ... We currently have a server build process that has an HTA front end ... What I'd like to do is add another section that will query AD based ... I'm not sure of the best way to query LDAP based upon the domain ... Snippet of where we ask for the domain: ...
    (microsoft.public.scripting.vbscript)
  • Re: One Domain, Two Email Systems
    ... some Linux experience) or another SMTP server as our main SMTP/MX to query the two systems' SMTP and route email to the appropriate SMTP? ... It is my understanding that "LDAP Routing" will cause Sendmail to query an LDAP to 1) see if a recipient email address is valid and 2) see what back end MX server the account is to be delivered to. ...
    (comp.mail.sendmail)