© 2014-2023. Raphaël Rigo CC-BY-SA 4.0


Active Directory searches from Linux

Imagine you have a Linux machine joined to an Active Directory domain and want to query the directory over LDAP, on a TLS connection, with Kerberos authentication. In theory everything is easy; in practice, not so much.

For the impatient, here is the magic command line, provided that you have already obtained a valid TGT with kinit username@REALM.SOMETHING.CORP:

ldapsearch -N -H 'ldaps://dc.fqdn:3269' -b "dc=ou,dc=something,dc=corp" -D "username@REALM.SOMETHING.CORP" -LLL -Y GSSAPI -O minssf=0,maxssf=0 '(mail=john.doe*)' mail

So, let’s break down the different options:

You may also have to play with the LDAPTLS_REQCERT environment variable (which controls whether the server certificate is verified; keep it at demand, the default, rather than never, which silently disables verification) or with $HOME/.ldaprc. For example, to trust the CA that issued the domain controller's certificate, you can put:

TLS_CACERT /full/path/to/your/ca.pem

Note that -Z is not a substitute: it requests StartTLS on a plain ldap:// connection (port 389 or 3268) rather than native TLS on ldaps:// (636 or 3269), and cannot be combined with an ldaps:// URI.
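To tie the command line and the TLS settings together, here is a small wrapper script. It is an added example, not code from the original post: it checks for a TGT with klist -s before binding, sets the CA bundle through the LDAPTLS_CACERT environment variable (the path /etc/ssl/certs/ad-ca.pem is an assumption, as are the host names and base DN), keeps certificate verification on, and refuses to disable the SASL security layer on anything other than an ldaps:// URI. The -D bind DN is left out because with -Y GSSAPI the identity comes from the Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the ldapsearch
# command above. It checks that a TGT is present, pins the AD CA certificate
# through the LDAPTLS_CACERT environment variable, and refuses to turn off the
# SASL security layer unless the URI really is ldaps://. Host names, base DN
# and the CA path are placeholders.

# LDAPS URI for a domain controller. Port 3269 is the Global Catalog over TLS
# (forest-wide, read-only partial attribute set); use 636 for the full domain
# partition.
ad_url() {
    printf 'ldaps://%s:%s\n' "$1" "${2:-3269}"
}

# maxssf=0 disables GSSAPI sign/seal, which is only acceptable because TLS
# already protects the channel. Anything that is not ldaps:// is rejected.
tls_uri_ok() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# A non-expired TGT must be in the credential cache; klist -s prints nothing
# and exits non-zero if there is none (run kinit user@REALM first).
have_tgt() {
    klist -s 2>/dev/null
}

# ad_search DC BASE FILTER "ATTR ATTR..."
# The identity comes from the Kerberos ticket, so no -D bind DN is needed.
ad_search() {
    dc=$1; base=$2; filter=$3; attrs=$4
    uri=$(ad_url "$dc")
    tls_uri_ok "$uri" || { echo "refusing maxssf=0 on $uri" >&2; return 2; }
    have_tgt       || { echo "no valid TGT in the credential cache" >&2; return 3; }

    set --                            # build the option list one entry at a time
    set -- "$@" -N                    # no reverse-DNS canonicalisation of the host: the
                                      # ldap/<host> service ticket must match the name typed
    set -- "$@" -H "$uri"             # native TLS (not -Z / StartTLS)
    set -- "$@" -b "$base"            # search base
    set -- "$@" -LLL                  # bare LDIF: no comments, no version line
    set -- "$@" -Y GSSAPI             # SASL bind with the TGT obtained by kinit
    set -- "$@" -O minssf=0,maxssf=0  # no SASL layer on top of TLS; AD refuses sign/seal over LDAPS
    set -- "$@" "$filter" $attrs      # $attrs deliberately unquoted: one argument per attribute

    # Assumed CA bundle path; equivalent to TLS_CACERT in $HOME/.ldaprc.
    # LDAPTLS_REQCERT=demand keeps certificate verification on.
    LDAPTLS_CACERT=${LDAPTLS_CACERT:-/etc/ssl/certs/ad-ca.pem} \
    LDAPTLS_REQCERT=demand \
    ldapsearch "$@"
}

# Usage: sh ad_search.sh dc.fqdn "dc=something,dc=corp" '(mail=john.doe*)' mail
if [ $# -ge 3 ]; then
    ad_search "$@"
fi
```

The same settings can live in $HOME/.ldaprc instead of the command line: TLS_CACERT and TLS_REQCERT for the certificate checks, SASL_NOCANON on for -N, and SASL_SECPROPS minssf=0,maxssf=0 for -O, so that a bare ldapsearch -H ldaps://dc.fqdn:3269 -Y GSSAPI works without the extra flags.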