
LDAP

Test LDAP connection

ldapsearch -x -b "cn=Users,dc=office,dc=company,dc=com" -H ldaps://dc.address.com:636 -D 'username@domain.com' -W -d 1

Check LDAP server search (Active Directory lookup)

ldapsearch -H ldap://10.10.0.7:389 -x -b "dc=kvk,dc=company,dc=com" -D "user@kvk.company.com" -W -s sub "(cn=SnipeIT*)" cn mail sn -v

LDAP query for enabled user accounts

(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))
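Added example (not part of the original page): evaluates the filter above locally over a constructed LDIF sample so the bit test is visible without a live directory. The matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND and the value 2 is the ACCOUNTDISABLE bit of userAccountControl; the DNs and values below are made up.

```shell
# Constructed sample entries (not real accounts). Computer objects in AD also carry
# objectClass user, which is why the filter excludes objectClass=computer explicitly.
SAMPLE_LDIF='dn: CN=Alice,CN=Users,DC=example,DC=com
objectClass: user
userAccountControl: 512

dn: CN=Bob,CN=Users,DC=example,DC=com
objectClass: user
userAccountControl: 514

dn: CN=WS01,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
userAccountControl: 4096

dn: CN=Svc,CN=Users,DC=example,DC=com
objectClass: user
userAccountControl: 66048
'

# enabled_users: reads LDIF on stdin and prints the DN of every entry that satisfies
# (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))
enabled_users() {
    awk '
    # POSIX awk has no bitwise AND; for a power-of-two flag this tests the single bit.
    function bit_set(value, flag) { return int(value / flag) % 2 == 1 }
    function emit() { if (dn != "" && is_user && !is_computer && !bit_set(uac, 2)) print dn }
    function reset() { dn = ""; is_user = 0; is_computer = 0; uac = 0 }
    BEGIN { reset() }
    /^dn: / { dn = substr($0, 5) }
    /^objectClass: user$/ { is_user = 1 }
    /^objectClass: computer$/ { is_computer = 1 }
    /^userAccountControl: / { uac = $2 + 0 }
    /^$/ { emit(); reset() }          # blank line ends an LDIF record
    END { emit() }
    '
}

# Usage: printf "%s" "$SAMPLE_LDIF" | enabled_users
# Real use: ldapsearch -LLL ... "(objectClass=user)" objectClass userAccountControl | enabled_users
```

Bob (514 = 512 + 2) is disabled and WS01 is a computer, so only Alice and Svc are printed; 66048 (512 + 65536, DONT_EXPIRE_PASSWORD) passes because bit 2 is clear.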

PHP app: trust the LDAPS certificate (Windows, OpenLDAP client)

  • Save the AD DC's Base-64 encoded certificate to C:\openldap\sysconf (webcert.crt in this example)
  • Create ldap.conf in that folder with this content:
    TLS_REQCERT never
    TLS_CACERT c:\openldap\sysconf\webcert.crt

  • Create a System environment variable LDAPTLS_CACERT that points to that certificate
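Added example, not from the original page: the ldap.conf from the steps above written beside a hardened variant, with a small audit function that tells them apart. With TLS_REQCERT never the client accepts any server certificate, so the TLS_CACERT line next to it is never consulted; demand (the OpenLDAP default) makes the bind fail unless the chain validates against TLS_CACERT. The file paths and temporary directory are constructed for the demo; the POSIX shell is used here although the original steps target Windows.

```shell
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# As given in the steps above: certificate verification disabled.
cat > "$tmp/ldap-weak.conf" <<'EOF'
TLS_REQCERT never
TLS_CACERT c:\openldap\sysconf\webcert.crt
EOF

# Hardened: the server certificate must chain to the CA in TLS_CACERT.
cat > "$tmp/ldap-hardened.conf" <<'EOF'
TLS_REQCERT demand
TLS_CACERT c:\openldap\sysconf\webcert.crt
EOF

# ldap_conf_verifies FILE: returns 0 when the file verifies server certificates,
# 1 when TLS_REQCERT is never/allow/try or no CA file is configured.
ldap_conf_verifies() {
    # An absent TLS_REQCERT means the OpenLDAP default, demand.
    mode=$(awk 'toupper($1) == "TLS_REQCERT" { m = tolower($2) } END { print (m == "" ? "demand" : m) }' "$1")
    case "$mode" in
        demand|hard) ;;
        *) return 1 ;;
    esac
    grep -qi '^TLS_CACERT[[:space:]]' "$1"
}

# Usage: ldap_conf_verifies "$tmp/ldap-weak.conf" || echo "verification disabled"
```

Run the function over the ldap.conf a PHP host actually loads (the path from LDAPCONF or the OpenLDAP sysconf directory) to confirm the bind is not silently accepting any certificate.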

Get the server SSL certificate from the handshake (e.g. for LDAPS)

openssl s_client -connect dc.kvk.company.com:636

Part of the output of this command is the Base-64 (PEM) encoded certificate that the server presented for LDAPS. Copy the block from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" into Notepad and save it as a .cer file.

Double-click on the certificate file and you will now be viewing the certificate presented for LDAPS.
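Added example (not from the original page): the cut-and-paste step above done with sed, so the leaf certificate can be saved straight from the s_client output. The s_client transcript below is constructed, and the certificate body is a placeholder, not a real certificate.

```shell
# Constructed s_client output (placeholder certificate body, not real).
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = dc.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = dc.example.com
   i:CN = dc.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERBASE64LINE1
MIIBPLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
subject=CN = dc.example.com
issuer=CN = dc.example.com
---
'

# extract_pem: prints the first PEM certificate block on stdin, markers included.
# Returns 1 when no block is present (e.g. the TLS handshake failed).
extract_pem() {
    # The range prints every block; the second sed stops after the first END marker,
    # so with -showcerts only the leaf certificate is kept.
    pem=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
          | sed '/^-----END CERTIFICATE-----$/q')
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem"
}

# Real use (stdin closed so s_client exits after the handshake):
#   openssl s_client -connect dc.kvk.company.com:636 </dev/null 2>/dev/null | extract_pem > dc.cer
```

The saved dc.cer is a PEM file; openssl x509 -in dc.cer -noout -text (or a double-click on Windows) shows the same certificate the LDAPS client will be asked to trust.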

LDAP query search for user

ldapsearch -x -LLL -h domaincontroller.company.com -D username -w password -b "dc=company,dc=com" -s sub "(objectClass=user)" givenName

Check the certificate used for an LDAPS connection

echo | openssl s_client -connect dc.company.com:636 2>/dev/null | openssl x509 -noout -text

LDAP find user in Active Directory

You will be prompted for the password of bindaduser, the account used to bind to the domain:

ldapsearch -H ldaps://dc.office.company.com:3269 -D "bindaduser" -W -b "dc=office,dc=company,dc=com" "(sAMAccountName=first.last)"