Search-Filter for LDAP (MS Active Directory)

Thu Oct 14 11:03:27 EDT 2004

Hello,

Dirk Hagemann wrote:

> I'd like to know how to set up a query for all computer-accounts in
> a special part of Active Directory by using LDAP.
>
> Example:
> all computers with a name like "ABC*" at "..., ou=Production,
> DC=business,DC=company,DC=com"
>>From these computers I want to get their OS, Service Pack and some
> other information.

I use python-ldap (http://python-ldap.sf.net/) to access Active
Directory.  Example:

# ----------------- code start -----------------
import ldap, ldapurl

proto = 'ldap'
server = 'youradserver.yourdomain.com'
port = 389

url = ldapurl.LDAPUrl(urlscheme=proto,
                      hostport="%s:%s" % (server,
                      str(port))).initializeUrl()
ldap_obj = ldap.initialize(url)

# !!!password will be on wire in plaintext!!!
ldap_obj = ldap_obj.simple_bind_s('<domainuser>',
                                  '<password>')

# search only within given subtree
base = 'ou=Production, DC=business, dc=yourdomain, dc=com'

# search scope see rfcs for explanation; in your case it's probably:
scope = ldap.SCOPE_SUBTREE

# this is the beef, i.e. the rfc2254 filter the following matches all
# entries in the directory, which might be many.  OTOH, you often have
# server site limits on how much search hits may be returned for a
# single query; I dunno how this is changed within the query (probably
# some filter extension magic I haven't used yet)
query = '(objectclass=*)'

# now your job is to find out the right query string; I don't know if
# for example computer accounts have a special objectclass, so I'll
# just assume it is called 'cAccount'.  Further I don't know which
# attribute type denotes the name of the computer account you
# mentioned; I'll just assume its type is called 'displayname'.  Under
# these assumptions your example above would translate to the
# following query (which won't work because my assumptions are
# certainly wrong):
# query = '(&(objectclass=cAccount)(displayname=abc*))'

# limit the attribute types which you want to see in the result
# the following will give you the values of all attribute types of
# all matching directory entries
res_attrs = ['*']

res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
print res
# ----------------- code end -----------------

I haven't tested this special code but I'm using similar code on a
daily basis.

If you are like many people and don't like plaintext passwords on the
wire you have at least two alternatives:  TLS and SASL.  TLS in Active
Directory means you'll want to use 'ldaps' as the urlscheme (start_tls
doesn't work yet, AFAIK).

I had no luck with sasl (only GSSAPI available in my case).  Although
I can get a TGT with MIT's kinit from my Active Directory server (this
is debian, I dunno how to get the TGT on a Micros~1 platform, but the
MIT's Windows port of their client tools seems to have some support),
there seems to be a bug related to packet sizes (either in AD or in
openldap's libldap).  Maybe
http://www.openldap.org/lists/openldap-devel/200211/msg00035.html
could get you going.

HTH,

andreas