Search-Filter for LDAP (MS Active Directory)
usenet at mail-2-me.com
Thu Oct 14 22:21:39 CEST 2004
Ames Andreas (MPA/DF) wrote:
> Dirk Hagemann wrote:
>>I'd like to know how to set up a query for all computer-accounts in
>>a special part of Active Directory by using LDAP.
>>all computers with a name like "ABC*" at "..., ou=Production,
>>From these computers I want to get their OS, Service Pack and some
> I use python-ldap (http://python-ldap.sf.net/) to access Active
> Directory. Example:
> # ----------------- code start -----------------
> import ldap, ldapurl
> proto = 'ldap'
> server = 'youradserver.yourdomain.com'
> port = 389
> url = ldapurl.LDAPUrl(urlscheme=proto,
> hostport="%s:%s" % (server, port))
> # LDAPUrl.initializeUrl() yields the "scheme://host:port" string initialize() expects
> ldap_obj = ldap.initialize(url.initializeUrl())
> # !!!password will be on wire in plaintext!!!
> # simple_bind_s() returns a result tuple, so don't overwrite ldap_obj with it
> ldap_obj.simple_bind_s('<domainuser>', '<password>')
> # search only within given subtree
> base = 'ou=Production, DC=business, dc=yourdomain, dc=com'
> # search scope see rfcs for explanation; in your case it's probably:
> scope = ldap.SCOPE_SUBTREE
> # this is the beef, i.e. the rfc2254 filter the following matches all
> # entries in the directory, which might be many. OTOH, you often have
> # server site limits on how much search hits may be returned for a
> # single query; I dunno how this is changed within the query (probably
> # some filter extension magic I haven't used yet)
> query = '(objectclass=*)'
> # now your job is to find out the right query string; I don't know if
> # for example computer accounts have a special objectclass, so I'll
> # just assume it is called 'cAccount'. Further I don't know which
> # attribute type denotes the name of the computer account you
> # mentioned; I'll just assume its type is called 'displayname'. Under
> # these assumptions your example above would translate to the
> # following query (which won't work because my assumptions are
> # certainly wrong):
> # query = '(&(objectclass=cAccount)(displayname=abc*))'
> # limit the attribute types which you want to see in the result
> # the following will give you the values of all attribute types of
> # all matching directory entries
> res_attrs = ['*']
> res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
> print(res)
> # ----------------- code end -----------------
> I haven't tested this special code but I'm using similar code on a
> daily basis.
> If you are like many people and don't like plaintext passwords on the
> wire you have at least two alternatives: TLS and SASL. TLS in Active
> Directory means you'll want to use 'ldaps' as the urlscheme (start_tls
> doesn't work yet, AFAIK).
> I had no luck with sasl (only GSSAPI available in my case). Although
> I can get a TGT with MIT's kinit from my Active Directory server (this
> is debian, I dunno how to get the TGT on a Micros~1 platform, but the
> MIT's Windows port of their client tools seems to have some support),
> there seems to be a bug related to packet sizes (either in AD or in
> openldap's libldap). Maybe
> could get you going.
I think I will not have to care about authentication in this code,
because the script will run under user-context with domain-admin-rights.
Thanks for the code - I'll try to test it tomorrow.
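Added example (not code from either poster): the script the question asks for, written against python-ldap. It uses the real AD schema names for this task (computer objects match objectCategory=computer; the OS, version and service pack live in operatingSystem, operatingSystemVersion and operatingSystemServicePack), speaks LDAPS with the DC's certificate verified, and walks past the 1000-entry default result cap (MaxPageSize) with the paged-results control, which is the server-side limit the reply above wondered about. The name prefix is RFC 4515-escaped before the wildcard is appended, so a prefix taken from user input cannot rewrite the filter. Server name, base DN, bind account, CA file path and the AD_PASSWORD variable are placeholders; the sample result at the bottom is constructed to look like what a DC returns and is not captured from a real directory.

```python
"""Search AD for computer accounts named ABC* below an OU and report their
OS and service pack.  Added example using python-ldap; not code from the
thread.  Server name, base DN, bind account, CA file and the AD_PASSWORD
environment variable are placeholders to adapt."""
import os

# RFC 4515 escaping for values that end up inside a search filter.  Done by
# hand here so the helpers below also import where python-ldap is absent;
# python-ldap ships the same logic as ldap.filter.escape_filter_chars().
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def computer_filter(name_prefix: str) -> str:
    """Filter matching AD computer objects whose cn starts with name_prefix.

    The prefix is escaped before the wildcard is appended, so a prefix taken
    from user input such as 'ABC)(cn=*' cannot widen the search."""
    return "(&(objectCategory=computer)(cn=%s*))" % escape_filter_value(name_prefix)


# AD schema attribute names for what the original question asks for.
ATTRS = ["cn", "dNSHostName", "operatingSystem",
         "operatingSystemVersion", "operatingSystemServicePack"]


def flatten_entries(results):
    """Turn python-ldap's [(dn, {attr: [bytes, ...]}), ...] into plain dicts.

    With referral chasing off, AD mixes search references (dn is None, second
    element is a list of URLs) into the results; they are skipped."""
    rows = []
    for dn, attrs in results:
        if dn is None:
            continue
        row = {"dn": dn}
        for attr in ATTRS:
            values = attrs.get(attr, [])
            row[attr] = values[0].decode("utf-8", "replace") if values else None
        rows.append(row)
    return rows


def search_computers(uri, bind_name, password, base, name_prefix, cacert, page_size=500):
    """Run the search over LDAPS with certificate verification and paged results."""
    import ldap            # imported here so the pure helpers above need no python-ldap
    import ldap.controls

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)       # don't chase AD's referrals anonymously
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # verify the DC cert
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)    # make the TLS options above take effect
    conn.simple_bind_s(bind_name, password)      # AD accepts a UPN (user@domain) here

    # AD caps a single result set at MaxPageSize (1000 by default); the
    # paged-results control (RFC 2696) walks past that, one cookie per page.
    page = ldap.controls.SimplePagedResultsControl(True, size=page_size, cookie="")
    raw = []
    while True:
        msgid = conn.search_ext(base, ldap.SCOPE_SUBTREE, computer_filter(name_prefix),
                                ATTRS, serverctrls=[page])
        _, rdata, _, serverctrls = conn.result3(msgid)
        raw.extend(rdata)
        cookies = [c.cookie for c in serverctrls
                   if c.controlType == ldap.controls.SimplePagedResultsControl.controlType]
        if not cookies or not cookies[0]:
            break
        page.cookie = cookies[0]
    conn.unbind_s()
    return flatten_entries(raw)


# Constructed sample shaped like result3()'s rdata from a DC, including one
# search reference; not captured from a real directory.
SAMPLE_RESULT = [
    ("CN=ABC-WS01,OU=Production,DC=business,DC=yourdomain,DC=com",
     {"cn": [b"ABC-WS01"],
      "dNSHostName": [b"abc-ws01.yourdomain.com"],
      "operatingSystem": [b"Windows XP Professional"],
      "operatingSystemVersion": [b"5.1 (2600)"],
      "operatingSystemServicePack": [b"Service Pack 2"]}),
    (None, ["ldap://ForestDnsZones.yourdomain.com/DC=ForestDnsZones,DC=yourdomain,DC=com"]),
]

if __name__ == "__main__":
    for row in flatten_entries(SAMPLE_RESULT):   # offline run on the constructed sample
        print(row["cn"], row["operatingSystem"], row["operatingSystemServicePack"])
    if "AD_PASSWORD" in os.environ:              # live run against a real DC
        for row in search_computers("ldaps://youradserver.yourdomain.com:636",
                                    "inventory@yourdomain.com", os.environ["AD_PASSWORD"],
                                    "OU=Production,DC=business,DC=yourdomain,DC=com",
                                    "ABC", "/etc/ssl/certs/ad-root-ca.pem"):
            print(row["cn"], row["operatingSystem"], row["operatingSystemServicePack"])
```

Reading these attributes needs nothing beyond the default read access every authenticated account has on computer objects, so the bind account for a job like this can be an ordinary unprivileged service account; the password is taken from the environment rather than written into the script.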
More information about the Python-list