Search-Filter for LDAP (MS Active Directory)

Dirk Hagemann usenet at mail-2-me.com
Thu Oct 14 16:21:39 EDT 2004


Ames Andreas (MPA/DF) schrieb:
> Hello,
> 
> Dirk Hagemann wrote:
> 
> 
>>I'd like to know how to set up a query for all computer-accounts in
>>a special part of Active Directory by using LDAP.
>>
>>Example:
>>all computers with a name like "ABC*" at "..., ou=Production,
>>DC=business,DC=company,DC=com"
>>>From these computers I want to get their OS, Service Pack and some
>>other information.
> 
> 
> I use python-ldap (http://python-ldap.sf.net/) to access Active
> Directory.  Example:
> 
> # ----------------- code start -----------------
> import ldap, ldapurl
> 
> proto = 'ldap'
> server = 'youradserver.yourdomain.com'
> port = 389
> 
> url = ldapurl.LDAPUrl(urlscheme=proto,
>                       hostport="%s:%s" % (server,
>                       str(port))).initializeUrl()
> ldap_obj = ldap.initialize(url)
> 
> # !!!password will be on wire in plaintext!!!
> # simple_bind_s returns the bind result, not the connection, so the
> # connection object must not be overwritten with it
> ldap_obj.simple_bind_s('<domainuser>',
>                        '<password>')
> 
> # search only within given subtree
> base = 'ou=Production, DC=business, dc=yourdomain, dc=com'
> 
> # search scope see rfcs for explanation; in your case it's probably:
> scope = ldap.SCOPE_SUBTREE
> 
> # this is the beef, i.e. the rfc2254 filter the following matches all
> # entries in the directory, which might be many.  OTOH, you often have
> # server site limits on how much search hits may be returned for a
> # single query; I dunno how this is changed within the query (probably
> # some filter extension magic I haven't used yet)
> query = '(objectclass=*)'
> 
> # now your job is to find out the right query string; I don't know if
> # for example computer accounts have a special objectclass, so I'll
> # just assume it is called 'cAccount'.  Further I don't know which
> # attribute type denotes the name of the computer account you
> # mentioned; I'll just assume its type is called 'displayname'.  Under
> # these assumptions your example above would translate to the
> # following query (which won't work because my assumptions are
> # certainly wrong):
> # query = '(&(objectclass=cAccount)(displayname=abc*))'
> 
> # limit the attribute types which you want to see in the result
> # the following will give you the values of all attribute types of
> # all matching directory entries
> res_attrs = ['*']
> 
> res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
> print res
> # ----------------- code end -----------------
> 
> 
> I haven't tested this special code but I'm using similar code on a
> daily basis.
> 
> If you are like many people and don't like plaintext passwords on the
> wire you have at least two alternatives:  TLS and SASL.  TLS in Active
> Directory means you'll want to use 'ldaps' as the urlscheme (start_tls
> doesn't work yet, AFAIK).
> 
> I had no luck with sasl (only GSSAPI available in my case).  Although
> I can get a TGT with MIT's kinit from my Active Directory server (this
> is debian, I dunno how to get the TGT on a Micros~1 platform, but the
> MIT's Windows port of their client tools seems to have some support),
> there seems to be a bug related to packet sizes (either in AD or in
> openldap's libldap).  Maybe
> http://www.openldap.org/lists/openldap-devel/200211/msg00035.html
> could get you going.
> 
> 
> HTH,
> 
> andreas
> 
Hi!

I think I will not have to care about authentication in this code, 
because the script will run under user-context with domain-admin-rights.
Thanks for the code - I'll try to test it tomorrow.

:-)
Dirk
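An added example, not code from either poster, that fills in the two points Andreas leaves open: the real Active Directory names for computer accounts (objectCategory=computer / objectClass=computer, cn, operatingSystem, operatingSystemVersion, operatingSystemServicePack, dNSHostName) and a way past the server-side size limit (RFC 2696 simple paged results; AD caps a single page at its MaxPageSize, 1000 on a default installation). It also hex-escapes the caller-supplied name prefix per RFC 4515, so a prefix such as `ABC*)(cn=` cannot rewrite the filter, and connects over ldaps:// with certificate checking demanded. The server URL, bind account, password and base DN are placeholders, and the entry fed to summarize in the usage is constructed; the filter-building and decoding functions run without python-ldap or a directory server.

```python
# Added example (not from the original thread): safe filter construction,
# paged search and result decoding for AD computer accounts with python-ldap.
AD_COMPUTER_ATTRS = ["cn", "dNSHostName", "operatingSystem",
                     "operatingSystemVersion", "operatingSystemServicePack"]

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a caller-supplied prefix can inject filter operators.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def computer_filter(name_prefix):
    """Filter for AD computer objects whose cn starts with name_prefix.

    objectCategory is AD's indexed, single-valued class attribute and is the
    cheap test; objectClass=computer is the usual companion clause.  The
    wildcard is appended after escaping, so it is the only wildcard present.
    """
    return ("(&(objectCategory=computer)(objectClass=computer)(cn=%s*))"
            % escape_filter_value(name_prefix))


def summarize(entry):
    """Turn one (dn, attrs) search result into a dict of decoded strings.

    python-ldap returns attribute values as lists of bytes.
    """
    dn, attrs = entry
    row = {"dn": dn}
    for attr in AD_COMPUTER_ATTRS:
        values = attrs.get(attr, [])
        row[attr] = values[0].decode("utf-8") if values else ""
    return row


def search_computers(url, bind_dn, password, base, name_prefix, page_size=500):
    """Run the query with RFC 2696 paged results and return decoded rows.

    Paging works around the server's size limit (MaxPageSize, 1000 on a
    default AD installation).  python-ldap is imported here so the pure
    functions above can be used without the library or a directory server.
    """
    import ldap
    from ldap.controls import SimplePagedResultsControl

    # Demand a valid server certificate; with a plain ldap:// URL the simple
    # bind would put the password on the wire in plaintext.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD sends referrals for other partitions
    conn.simple_bind_s(bind_dn, password)

    rows = []
    page = SimplePagedResultsControl(True, size=page_size, cookie=b"")
    try:
        while True:
            msgid = conn.search_ext(base, ldap.SCOPE_SUBTREE,
                                    computer_filter(name_prefix),
                                    AD_COMPUTER_ATTRS, serverctrls=[page])
            _rtype, rdata, _msgid, serverctrls = conn.result3(msgid)
            # Referral entries come back with dn=None; skip them.
            rows.extend(summarize(e) for e in rdata if e[0] is not None)
            cookies = [c.cookie for c in serverctrls
                       if c.controlType == SimplePagedResultsControl.controlType]
            if not cookies or not cookies[0]:
                break  # empty cookie: last page delivered
            page.cookie = cookies[0]
    finally:
        conn.unbind_s()
    return rows


if __name__ == "__main__":
    # Placeholder server, account, password and base DN; replace with real values.
    for row in search_computers("ldaps://dc1.business.company.com",
                                "svc-inventory@business.company.com", "secret",
                                "ou=Production,dc=business,dc=company,dc=com",
                                "ABC"):
        print(row["cn"], row["operatingSystem"], row["operatingSystemServicePack"])
```

The bind account only needs read access to the OU; running the script as a domain admin, as suggested above, is not required for this query, and with ldaps:// the credential is not exposed on the wire either way. Note that the paged-results control and the size limit are separate: paging lets the client walk through all matches, but the server still enforces its MaxPageSize on each page.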


