Active Directory searches from Linux

Imagine you have a Linux PC inside an Active Directory domain, and that you want to be able to request information using LDAP, over TLS, using Kerberos authentication. In theory, everything is easy, in practice, not so much.

For the impatient, here is the magic command line, provided that you already requested a valid TGT using kinit username@REALM.SOMETHING.CORP:

ldapsearch  -N  -H 'ldaps://dc.fdqn:3269' -b "dc=ou,dc=something,dc=corp" -D "username@REALM.SOMETHING.CORP" -LLL -Y GSSAPI -O minssf=0,maxssf=0 '(mail=john.doe*)' mail 

So, let’s break down the different options:

• -N: Do not use reverse DNS to canonicalize SASL host name. If your DC has no valid reverse DNS, this is needed.
• -H 'ldaps://dc.fdqn:3269': use TLS (ldaps), on port 3269 (Global Catalog)
• -b "searchbase": the root of your search, you will have to change it.
• -D "binddn": your username@REALM, used for Kerberos (may be omitted)
• -LLL: remove useless LDIF stuff in output
• -Y GSSAPI: specify that we want to use GSSAPI as an SASL mechanism
• -O minssf=0,maxssf=0: black magic to avoid problems with SASL when using TLS

You may also have to play with the LDAPTLS_REQCERT environment variable or with $HOME/.ldaprc. For example, you can put:

TLS_CACERT /full/path/to/your/ca.pem

Note that the -Z does not work as it uses StartTLS and not native TLS.

Reminders:

• host -t srv _ldap._tcp.pdc._msdcs.ou.org.corp to find a DC hostname
• ldapsearch -xLLL -h ldaphostname -b "" -s base to look for the different LDAP roots
• You need to install the required packages: libsasl2-modules-gssapi-mit (or -heimdal)