Query Active Directory From Your PC

by Seth Miller

I’m working on an Enterprise Manager 12c implementation for a client that includes integration with Active Directory for user authentication and authorization. The question came up, “How do I know which users are in which groups in EM?” Since the AD groups a user belongs to map directly to roles in EM, I put together this document to query Active Directory for that information.

The Active Directory information can be queried from the command line if the appropriate LDAP tools are present. ldapsearch is not part of a stock Windows install, but it comes with the OpenLDAP builds for Windows and the Oracle Database client ships its own copy in ORACLE_HOME\bin, so an EM host or a PC with the Oracle client usually has one. LDAP search tools are present in other operating systems as well and most of the parameters are the same, although I have found small differences with certain parameters and syntax, especially between the Windows and Linux LDAP tools.

This document demonstrates the use of the ldapsearch command line tool from the Windows command prompt (cmd.exe) in various capacities. An advantage of using your own PC is that you are probably already authenticated with AD, so no additional authentication with ldapsearch may be necessary. Most of the document shows how to set variables to be used in the ldapsearch command; note that cmd.exe keeps the surrounding double quotes as part of a variable's value, which is intended here, since the quotes are what keep a value containing spaces or commas together as a single argument when %variable% is expanded. Once the variables are set, execute one of the ldapsearch commands towards the end of the document.

Set the ldap_host variable to the hostname or IP of one of the Active Directory domain controllers. ldapsearch connects to port 389 unless told otherwise (-p <port>; the LDAPS port is 636).

set ldap_host="<hostname or IP of AD>"

Set the basedn variable to the base distinguished name (base DN), which establishes the starting point, or LDAP branch, for the search; by default the whole subtree beneath it is searched. The DC components spell out the AD domain name, leftmost label first, so example.com becomes DC=example,DC=com.

set basedn="OU=<organizational unit>,DC=<low level domain component>,DC=<mid level domain component>,DC=<high level domain component>"

There are two parameters used to search: searchfilter and keyfilter.

The searchfilter parameter is the LDAP search filter (RFC 4515). It limits which entries are returned and is mandatory. The most basic form is a single attribute=value pair; ldapsearch adds the surrounding parentheses if they are left off. A trailing * is a wildcard (CN=Miller*), and the characters * ( ) and \ inside a value must be written as \2a \28 \29 and \5c, otherwise they are read as filter syntax rather than as part of the name.

set searchfilter="CN=<common name>"

The keyfilter parameter is the list of attributes to return and is optional; when it is omitted, or set to *, ldapsearch returns all of the entry's user attributes. The most basic form is a single attribute name. Because the quotes stay part of the variable's value it expands as one argument, so to request several attributes set it without quotes, for example set keyfilter=memberOf mail.

set keyfilter="memberOf"

Examples

Following are four examples of how to set parameters for the ldapsearch command that will show four different sets of data.

Example 1

Show all of the visible Active Directory data for a particular user.

set basedn="OU=people,DC=example,DC=com"
set searchfilter="CN=Miller, Seth"
set keyfilter="*"

Example 2

List the groups to which a particular user belongs. Notice the LDAP query is the same as the previous example but the information being shown is limited to the memberOf attribute. memberOf lists direct memberships only: it omits the user's primary group (normally Domain Users) and any group reached only through nesting, so an EM role granted via a nested group has to be traced from the group side.

set basedn="OU=people,DC=example,DC=com"
set searchfilter="CN=Miller, Seth"
set keyfilter="memberOf"

Example 3

Show all of the visible Active Directory data for a particular group.

set basedn="OU=groups,DC=example,DC=com"
set searchfilter="CN=EM_User"
set keyfilter="*"

Example 4

List the members of a particular group. Notice the LDAP query is the same as the previous example but the information being shown is limited to the member attribute. Like memberOf, member lists direct members only; a nested group shows up as a single member entry whose own members you would query in turn.

set basedn="OU=groups,DC=example,DC=com"
set searchfilter="CN=EM_User"
set keyfilter="member"

Whether ldapsearch can reuse your existing Windows logon depends on which build of ldapsearch you have, so check its help output (ldapsearch -? or ldapsearch --help). In the build used here, the -Z flag selects native authentication. In the OpenLDAP build of ldapsearch -Z means something else, namely StartTLS; there a bind with your existing Kerberos ticket is requested with -Y GSSAPI, and -x selects a plain simple bind.

ldapsearch -h %ldap_host% -Z -b %basedn% %searchfilter% %keyfilter%

If native authentication does not work, a username and password can be included.

Create an environment variable with your AD password. cmd.exe echoes what you type at a set /p prompt, which is why the screen is cleared immediately afterwards; cls clears only the screen, not the variable, so run set userpassword= once you are finished.

set /p userpassword="Enter Password: "
cls

Create an environment variable with your AD username. ldapsearch expects the bind identity as a distinguished name, and a comma inside a DN component must be escaped with a backslash (it needs no escaping in a search filter, which is why the searchfilter above has none). Active Directory also accepts the userPrincipalName (user@example.com) or DOMAIN\username as the name for a simple bind, which sidesteps the escaping.

set username="CN=Miller\, Seth,OU=people,DC=example,DC=com"

This command is the same as the previous ldapsearch command, except it now includes explicit authentication using the username and userpassword variables. Two things to keep in mind: the password becomes part of the ldapsearch command line, where anyone on the PC with rights to list process command lines (for example with wmic process get commandline) can read it, and OpenLDAP's ldapsearch can prompt for it with -W instead of taking it from -w; and a simple bind over plain port 389 sends the password in the clear, so this should go over LDAPS (port 636) or StartTLS to a domain controller you trust.

ldapsearch -h %ldap_host% -w %userpassword% -D %username% -b %basedn% %searchfilter% %keyfilter%
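The same four queries, run from PowerShell instead of cmd.exe, as an added example that is not part of the original post. It uses the .NET System.DirectoryServices classes (present on any Windows PC, no RSAT required) so the bind is done with the logged-on user's Kerberos ticket and the session is sealed; the optional -Credential path covers the fallback case with a prompt that does not echo and no password on a command line. The function names Search-AdEntries and ConvertTo-LdapFilterValue are mine, and the host, base DNs, user and group are the post's placeholders, not real values.

```powershell
# Added example, not code from the original post: the four ldapsearch queries
# above, run through System.DirectoryServices so the bind uses the logged-on
# user's own Kerberos ticket. Host, base DNs and names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

# Escape a value for use inside an LDAP search filter (RFC 4515). Without this
# a name containing * ( ) or \ changes the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Search-AdEntries {
    param(
        [Parameter(Mandatory)][string]$Server,       # hostname or IP of a domain controller
        [Parameter(Mandatory)][string]$BaseDn,       # starting point of the subtree search
        [Parameter(Mandatory)][string]$Filter,       # LDAP filter, e.g. (CN=EM_User)
        [string[]]$Attributes = @('*'),              # '*' = all user attributes
        [pscredential]$Credential                    # omit to bind as the logged-on user
    )
    # Secure = Negotiate (Kerberos, falling back to NTLM); Sealing encrypts the
    # session, so neither the bind nor the results cross the wire in the clear.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing
    $path = "LDAP://$Server/$BaseDn"
    $root = if ($Credential) {
        # Explicit credentials from Get-Credential: no echo, no environment
        # variable, and Negotiate still avoids sending the password itself.
        [System.DirectoryServices.DirectoryEntry]::new($path, $Credential.UserName,
            $Credential.GetNetworkCredential().Password, $auth)
    } else {
        [System.DirectoryServices.DirectoryEntry]::new($path, $null, $null, $auth)
    }
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500      # paging: AD otherwise stops at MaxPageSize (1000) results
    if ($Attributes -notcontains '*') {
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        $searcher.PropertiesToLoad.AddRange($Attributes)
    }
    try {
        foreach ($result in $searcher.FindAll()) {
            $entry = [ordered]@{}
            foreach ($name in $result.Properties.PropertyNames) {
                $entry[$name] = @($result.Properties[$name])   # multi-valued attributes stay arrays
            }
            [pscustomobject]$entry
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

$dc          = '<hostname or IP of AD>'
$userFilter  = "(CN=$(ConvertTo-LdapFilterValue 'Miller, Seth'))"   # the comma needs no escape in a filter
$groupFilter = "(CN=$(ConvertTo-LdapFilterValue 'EM_User'))"

# Example 1 and 2: everything visible about the user, then only the groups.
Search-AdEntries -Server $dc -BaseDn 'OU=people,DC=example,DC=com' -Filter $userFilter
(Search-AdEntries -Server $dc -BaseDn 'OU=people,DC=example,DC=com' -Filter $userFilter -Attributes memberOf).memberof

# Example 3 and 4: everything visible about the group, then only its members.
Search-AdEntries -Server $dc -BaseDn 'OU=groups,DC=example,DC=com' -Filter $groupFilter
(Search-AdEntries -Server $dc -BaseDn 'OU=groups,DC=example,DC=com' -Filter $groupFilter -Attributes member).member

# Fallback when the logged-on account is not the one to query with: prompt for
# the password (no echo) instead of putting it on a command line.
# Search-AdEntries -Server $dc -BaseDn 'OU=groups,DC=example,DC=com' -Filter $groupFilter -Attributes member -Credential (Get-Credential)
```

This needs a PC that is domain-joined or otherwise holds a Kerberos ticket for the domain; if RSAT and the ActiveDirectory module are installed, Get-ADUser -Properties memberOf and Get-ADGroupMember do the same two lookups, but they go through Active Directory Web Services on the DC (port 9389), whereas the code above talks plain LDAP to any domain controller.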