The purpose of this article is to demonstrate how to use ldapsearch with Active Directory. Microsoft's Active Directory is an LDAP implementation running on domain services in a Microsoft environment.
This article is geared towards directory administrators coming from a Linux environment using OpenLDAP who are now working in a Microsoft environment using Active Directory, or AD for short. While we do not claim that ldapsearch is the better tool to use, we do claim that sometimes it is easiest to use the tools you already have experience with. You have landed here for a reason, and that is to learn how to use the ldapsearch tool, commonly used with OpenLDAP implementations, with Active Directory.
You may also work in a mixed environment of both Linux and Windows, but your directory services are Active Directory and not OpenLDAP. In that case, you can still follow along to learn how to use ldapsearch from a Linux host to Active Directory.
Install ldapsearch on Windows
If you are a Linux engineer working in a Windows environment we recommend going ahead and installing WSL2 on your Windows machine. These instructions will assume you are working in WSL2. The WSL2 version we are using is Ubuntu, so Ubuntu users can follow along with these instructions as well.
Open a terminal and run the following command to install ldap-utils:
sudo apt install ldap-utils
Now that ldap-utils is installed, you can use the ldapsearch command to query Active Directory.
ldapsearch examples for Active Directory
Query an account
ldapsearch -H ldap://example.com -x -W -D "testuser@example.com" -b "dc=example,dc=com" "(sAMAccountName=testuser)" "attr1" "attr2"
The above command searches for the account matched by the filter and displays the requested attributes (attr1 and attr2 are placeholders for the attribute names you want).
Options
Option | Description
------ | -----------
-H | The Active Directory host, given as an LDAP URI (ldap://example.com in the example)
-x | Use simple authentication with a username and password instead of SASL
-W | Prompt for the password
-D | The DN (or, for AD, the user principal name) of the user you are authenticating with
-b | The base DN from which to start your search
After all of the options are provided you must give a filter to narrow down your results. In this case, "(sAMAccountName=testuser)" is the filter. The filter is followed by the specific attributes you wish to display.
Compare this to the PowerShell command to get an AD (Active Directory) user:
Get-ADUser -Identity testuser -Properties * | Select-Object attr1, attr2
It really comes down to which tool you are more comfortable with, ldapsearch or PowerShell.
Conclusion
This article has demonstrated how to use ldapsearch with Active Directory. Let us know in the comments if you have any questions or would like to see more examples and go in more depth on the ldapsearch tool. Read more of our articles.