# Active Directory - Basic commands

###### tags: `ad` `ldap`

Let's consider the following access configuration for an AD server.

```tiddlywiki=
Connection: adserver:389
Base DN     cn=bigdata,dc=big,dc=data
admin       cn=bigdataadm,cn=Admins,cn=bigdata,dc=big,dc=data
password    123
```

Below are some useful commands for testing the connection with ldapsearch.

## ldapsearch

First, install ldapsearch.

```bash=
# CentOS
yum install -y openldap-clients
```

Below is the command to test the connection to the AD.

```bash=
# The command below will prompt for the password
ldapsearch -x -b "cn=bigdata,dc=big,dc=data" -H ldap://adserver:389 -D "cn=bigdataadm,cn=Admins,cn=bigdata,dc=big,dc=data" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=bigdata,dc=big,dc=data> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# bigdata, big.data
dn: CN=bigdata,DC=big,DC=data
objectClass: top
objectClass: container
cn: bigdata
distinguishedName: CN=bigdata,DC=big,DC=data
instanceType: 5
whenCreated: 20200804201723.0Z
whenChanged: 20200804211724.0Z
uSNCreated: 8198
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAATZ7S8yYILUOBWZrh58NYBQ==
uSNChanged: 12485
showInAdvancedViewOnly: TRUE
name: bigdata
objectGUID:: HpnYmqdWlEGPlIA5A1vHxA==
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Roles,CN=bigdata,DC
 =big,DC=data
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,CN=bigd
 ata,DC=big,DC=data
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,CN=big
 data,DC=big,DC=data
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,CN=
 bigdata,DC=big,DC=data
objectCategory: CN=Container,CN=Schema,CN=Configuration,CN={99CE2C34-9FC5-4DBA
 -A6DB-A6A1BF0C688D}
dSCorePropagationData: 16010101000000.0Z
msDs-masteredBy: CN=NTDS Settings,CN=AGENDHML$LDS-BIG-DATA,CN=Servers,CN=Defau
 lt-First-Site-Name,CN=Sites,CN=Configuration,CN={99CE2C34-9FC5-4DBA-A6DB-A6A1
 BF0C688D}

# Admins, bigdata, big.data
dn: CN=Admins,CN=bigdata,DC=big,DC=data
objectClass: top
objectClass: container
cn: Admins
distinguishedName: CN=Admins,CN=bigdata,DC=big,DC=data
instanceType: 4
whenCreated: 20200804202049.0Z
whenChanged: 20200804202049.0Z
uSNCreated: 12467
uSNChanged: 12467
showInAdvancedViewOnly: TRUE
name: Admins
objectGUID:: koeZb2d6iE2Y3UsS0wyKcw==
objectCategory: CN=Container,CN=Schema,CN=Configuration,CN={99CE2C34-9FC5-4DBA
 -A6DB-A6A1BF0C688D}
dSCorePropagationData: 16010101000000.0Z
```

The output above has been trimmed and will differ from one environment to another.

If you get an error like the one below, put the `LDAPTLS_REQCERT=never` variable in front of the command to ignore the certificate. Note that this disables certificate verification entirely, so the client no longer knows which server it is sending the bind password to; for anything beyond troubleshooting, point `LDAPTLS_CACERT` at the CA certificate that issued the server's certificate instead.

```bash=
$ ldapsearch -V -x -b "OU=bigdata-lab,OU=usuarios,OU=GERAIS,DC=adalgiso,DC=nivaldo" -H ldaps://10.30.8.64:636 -D "CN=bigdata lab,OU=usuarios,OU=GERAIS,DC=adalgiso,DC=nivaldo" -W
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Jan 29 2019 17:42:42) $
	mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools
	(LDAP library: OpenLDAP 20444)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ LDAPTLS_REQCERT=never ldapsearch -V -x -b "OU=bigdata-lab,OU=usuarios,OU=GERAIS,DC=adalgiso,DC=nivaldo" -H ldaps://10.30.8.64:636 -D "CN=bigdata lab,OU=usuarios,OU=GERAIS,DC=adalgiso,DC=nivaldo" -w 'BaUPwWR44s'
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Jan 29 2019 17:42:42) $
	mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools
	(LDAP library: OpenLDAP 20444)
# extended LDIF
#
# LDAPv3
# base <OU=bigdata-lab,OU=usuarios,OU=GERAIS,DC=adalgiso,DC=nivaldo> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
```

## adtool

This [blog](https://anothersysadmin.wordpress.com/2008/08/19/howto-managing-active-directory-users-under-linux-with-adtool) has a very good explanation of how to use adtool.
This [other](https://github.com/evilmog/evilmog/wiki/Linux-LDAP-Tricks---ADTOOL) page also has good examples. The tool has to be built from source.

```bash=
# CentOS - dependencies
# Install the development tools
yum groupinstall -y "Development Tools"
# Install openldap-devel
yum install -y openldap-devel

# Ubuntu - dependencies
apt install --yes build-essential libldap2-dev

# Installation
# Download the source code
wget http://gp2x.org/adtool/adtool-1.3.3.tar.gz
# Unpack it
tar xfvz adtool-1.3.3.tar.gz
# Build and install
cd adtool-1.3.3
./configure
make
make install
```
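The ldapsearch output shown in the ldapsearch section above is LDIF: lines longer than 78 columns are folded, with a leading space marking the continuation, and binary attributes such as `objectGUID` are base64-encoded after `::`. The following Python example is added here and is not part of the original note; it parses such output into dictionaries, unfolds the wrapped lines, decodes the base64 values and renders `objectGUID` the way AD tools display it. The sample input is a constructed, trimmed copy of the `Admins` entry from that output.

```python
import base64
import re
import uuid

# Constructed sample: a trimmed copy of the ldapsearch output shown above,
# with one line folded at 78 columns and a base64 ("::") attribute.
SAMPLE_LDIF = """\
# Admins, bigdata, big.data
dn: CN=Admins,CN=bigdata,DC=big,DC=data
objectClass: top
objectClass: container
cn: Admins
objectGUID:: koeZb2d6iE2Y3UsS0wyKcw==
objectCategory: CN=Container,CN=Schema,CN=Configuration,CN={99CE2C34-9FC5-4DBA
 -A6DB-A6A1BF0C688D}

# search result
search: 2
"""

# attribute line: name, ":" (text) or "::" (base64), optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def unfold(text):
    """Join LDIF continuation lines (a leading space marks the tail of the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return one dict per entry (attribute -> list of values); base64 values become bytes."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":              # a blank line ends an entry
            if "dn" in current:     # the "search result" trailer has no dn: skip it
                entries.append(current)
            current = {}
        elif not line.startswith("#") and (m := ATTR_RE.match(line)):
            name, sep, value = m.groups()
            current.setdefault(name, []).append(
                base64.b64decode(value) if sep == "::" else value)
    return entries

def object_guid(entry):
    """Render the 16 raw objectGUID bytes as the mixed-endian GUID string AD tools display."""
    return str(uuid.UUID(bytes_le=entry["objectGUID"][0]))
```

Feed it the saved output of `ldapsearch ... > out.ldif` and `parse_ldif(open("out.ldif").read())` gives you one dictionary per object, which is easier to audit than scrolling through raw LDIF.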