LDAP search not finding entries in child OUs - active-directory

Say you have an LDAP with the following structure:
dc=corp,dc=com
|--dc=security
|--ou=users
|--ou=corporate
| |--ou=it
| |--it-user1
| |--it-user2
|--user1
|--user2
|--user3
I need a search query that will look at all entries under the users ou, including those under corporate and it.
Currently I am trying the following:
uid=it-user2,ou=users,dc=security,dc=corp,dc=com
The scope of the search is set as subtree. I was under the impression that the subtree scope would cause the LDAP to search recursively through the entire tree, but that does not seem to be the case. However, if I add the full path into the search as I have below, the entry is found.
uid=it-user2,ou=it,ou=corporate,ou=users,dc=security,dc=corp,dc=com
Could someone give me an idea of where I am going wrong? Thanks.

You need to set your search context (i.e., the search base) to where your object/entry is stored. Based on your example, the search context is ou=users,dc=security,dc=corp,dc=com. When you set the search scope to subtree, it should find the entry or entries that match your critera (i.e., search filter). For example,
ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(uid=it-user2)"
Of course, with the 'subtree' search scope, you could even set the search context to a higher level container (e.g., dc=security,dc=corp,dc=com). Your entry would still be found as long as it matches the criteria specified by your filter. Since you're searching for all entries under the ou=users container, your query would probably look like this:
ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(uid=*)"
or
ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(objectclass=*)"

I fought this for hours - CN=Users LDAP Directory Entry in .Net - not working with OU=Users
This may seem silly and stupid, but the default tree setup in Active Directory is not OU=Users,dc=domain,dc=com but rather CN=Users,dc=domain,dc=com (Note the CN= not the OU= for Users.)

uid=it-user2,ou=users,dc=security,dc=corp,dc=com does not exist. The LDAP client must provide a base object to the search request which exists.
see also
LDAP: Search Best Practices

Related

using DistinguishedName in ldap query

I have a requirement where I need to run query like below and fetch 2-3 attributes for all entities satisfying this query. The number of distinguishedName would be around 100 in a single query. As I see in the microsoft documentation, that distinguishedName is not indexed, I suspect that this might cause performance issues.
Does anybody know if this would indeed cause performance issues? Apart from the below ldap filter, I would obviously have to use SUBTREE scope.
(|(distinguishedName=<DN 1 goes here>)(distinguishedName=<DN 2 goes here>))
Edit 1:
I tried this in my test Active Directory which has ~6k entries.
Internal event: A client issued a search operation with the following options.
Starting node:
DC=example,DC=com
Filter:
( |
(distinguishedName=CN=user-1,CN=large-test,CN=Users,DC=example,DC=com)
(distinguishedName=CN=user-2,CN=large-test,CN=Users,DC=example,DC=com)
(distinguishedName=CN=user-3,CN=large-test,CN=Users,DC=example,DC=com)
(distinguishedName=CN=group1,CN=large-test,CN=Groups,DC=example,DC=com)
)
Search scope:
subtree
Attribute selection:
mail,objectClass
Server controls:
Visited entries:
4
Returned entries:
4
Used indexes:
idx_distinguishedName:4:N;idx_distinguishedName:1:N;idx_distinguishedName:1:N;idx_distinguishedName:1:N;
Pages referenced:
123
Pages read from disk:
0
From the results it looks like it only visited 4 entries that I searched for using some indexes. I checked with schema snap-in tool (just to be sure) and it doesn't show indexes on distinguishedName. Not sure how it's using these indexes though.
Microsoft Active Directory stores the group memberships at the entry level, so you could use this to fetch the email attribute.
E.g.
ldapsearch .... -b SEARCH_BASE "(|(memberOf=GROUP_DN_1)(memberOf=GROUP_DN_2)...)" mail

Error showing Values of fields msds-memberOfTransitive and msds-memberTransitive

We are trying to return all user information from a LDAP query made to a Microsoft Active Directory 2012 server.
First, we get all attributes from the schema (including msds-memberOfTransitive and msds-memberTransitive), then we make a query requesting all attributes.
We have narrowed down this problem to executing a LDAP search with the following parameters:
- Scope: Next level (if there are elements inside the container) or Subtree
- msds-memberOfTransitive or msds-memberTransitive attributes are requested
Sample query reproducing the error:
ldapsearch -D "CN=Administrator,CN=Users,DC=my,DC=dom" -W -b "CN=Users,DC=my,DC=dom" -h 10.0.1.100 -p 389 msds-memberTransitive
Sample query avoiding the error:
ldapsearch -D "CN=Administrator,CN=Users,DC=my,DC=dom" -W -b "CN=Administrator,CN=Users,DC=my,DC=dom" -h 10.0.1.100 -p 389 msds-memberTransitive -s one
I assume this is some mechanism to avoid excessive calculations of "transitive" attributes, but I have not found anything .
How could I make this search (appart from removing these attributes from the search)?
Looks like the msds-memberOfTransitive and msds-memberTransitive have Search Flags of searchFlags: 2048 set that limit the search to a base Scope.
If we look at msds-memberOfTransitive, we see the setting searchFlags: fBASEONLY. Lookin at Search Flags, we see:
(fBASEONLY, 0x00000800): Specifies that the attribute is not to be returned by search operations that are not scoped to a single object. Read operations that would otherwise return an attribute that has this search flag set instead fail with operationsError / ERROR_DS_NON_BASE_SEARCH.
(Same is true for msds-memberTransitive)
So these attributes will only be return when the scope of the search is BASE.
The only method around this condition would be to loop through each result with one of the attributes and do a second search which would be a baseDN of the entry and a scope of BASE.

LDAP search using distinguishedName

I know the answer is probably no, however, I figured before I give up I may as well ask.
Is it possible to find all objects in OU using distinguishedName, let say I need to find all objects in OU which is called Groups, i try to use something like this, but it dosn't work
(DN=*OU=Groups,OU=Corp-Users,DC=fabrikam,DC=internal)
Try ldapsearch -s one -h ldaphost -b "OU=Groups,OU=Corp-Users,DC=fabrikam,DC=internal" "objectclass=*" dn to get all nodes of the level OU=Groups,OU=Corp-Users,DC=fabrikam,DC=internal. Replace the -s one with -s sub to get all subentries as well.
What does it do?
It uses OU=Groups,OU=Corp-Users,DC=fabrikam,DC=internal as the search base (-b) and searches just on that level (-s one) or on all sublevels (-s sub) all nodes that have an attribute objectclass set (which should be every node!)
The rest is just syntactical stuff that might be needed like setting the LDAP-Host (-h ldaphost) or just returning the dn (the dn right at the end)
I'm not sure what the command for windows is though.

Query Active Directory users who are managed by given manager's sAMAccountName

I'm trying to search active directory users whose manager's username is given in the search request, but I always get 0 records regardless of the manager's username I pass.
To achieve this, I executed the following LDAP query:
(manager=sAMAccountName=Administrator)
I also tried by manager's common name like this:
(manager=cn=John Smith)
Can anyone write me an LDAP query that returns all users whose manager's sAMAccountName=administrator ?
manager has distinguished name syntax, therefore, if manager is used in an assertion, the full DN must be used as the value. Neither of the examples you gave meet this criteria. You must correct the filter to use a distinguished name.
The syntax of manager:
attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager'
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
X-ORIGIN 'RFC 4524' )
To determine the syntax, use the LDAP Parameters Assignment page. On that page, search for the OID following the SYNTAX keyword (1.3.6.1.4.1.1466.115.121.1.12). That shows that it's DN syntax. Also, the EQUALITY matching rule is distinguishedNameMatch.
An example of an assertion in a filter using the correct syntax:
manager=cn=Manager Number One,ou=managers,ou=people,dc=example,dc=com
All attributes values used in an assertion must have the syntax defined for that attribute type in the schema.
Update
Verify the entries exist with a known good tool such as ldapsearch to ensure that the correct parameters are known for the search request. For example:
$ ldapsearch -h hostname -p port -b 'dc=sahara,dc=local' \
-D [your-bind-dn] -w [your-bind-dn-password] \
-s sub \
'(manager=cn=Izzeddeen Alkarajeh,ou=managers,ou=people,dc=sahara,dc=local)' \
1.1
If this search returns no entries, check with the LDAP administrators to ensure that the BIND DN in use has permission o read those entries.
see also
LDAP: Mastering Search Filters
LDAP: Search best practices
LDAP: Programming practices
I know this is old but I figured out a way to do this in C# that I have yet to find on stackoverflow.
using (var pc = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "samAccountName"))
{
DirectoryEntry de = (DirectoryEntry)user.GetUnderlyingObject();
if (de.Properties["directReports"].Count != 0)
managedFound = de.Properties["directReports"];
}
This will give you a list of strings that you can then parse out the CN using this:
managedUserName = Regex.Match(managedFound.ToString(), #"CN[=].*?[,]").Value.Replace("CN=", "").Replace(",", "");
Then, the following to get the User properties:
UserPrincipal managedUser = UserPrincipal.FindByIdentity(pc, IdentityType.Name, managedUserName);

How do I filter an LDAP query for groups containing a specific user?

How do I filter an Active Directory LDAP query to groups containing the authenticated/bound user (or any user at all)? This works fine:
(&(objectClass=group)(member=*))
>>> lots of results
But I can't go any more detail:
(&(objectClass=group)(member=*S*))
>>> nothing
The MSDN mentions using a filter like this:
(member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x))
But even ignoring the crazy hyper magic number involved in that, I always get 0 results when I try to filter with that (even replacing cn=user1,cn=users,DC=x with my own distinguishedName, even replacing it with *).
You need the full DN of the user i.e
(&(member=CN=Your Name,OU=Your OU,DC=company,DC=com)(objectClass=group))
take note you cannot use * in this one
So the crazy hyper magic number involved in recursive search is explained in Search Filter Syntax.
To find in one search (recursively) all the groups that "user1" is a member of:
Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
Set the scope to subtree
Use the following filter: (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
explicited using LDIFDE.EXE the command line tool included in Windows Server it gives:
ldifde -f user1Grps.ldf -d "dc=societe,dc=local" -r "(member:1.2.840.113556.1.4.1941:=cn=user1,ou=Monou,dc=societe,dc=local)"
If you are running that on a W2K8 or W2K8 R2 server be careful to run as administrator.
If you are programming in C# you can use:
/* Retreiving a principal context
*/
Console.WriteLine("Retreiving a principal context");
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD");
/* Look for all the groups a user belongs to
*/
UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
PrincipalSearchResult<Principal> a = aUser.GetAuthorizationGroups();
foreach (GroupPrincipal gTmp in a)
{
Console.WriteLine(gTmp.Name);
}

Resources