Linuxで動作するWebアプリケーションがWindows ServerのActive Directoryを検索してユーザ認証を行うためのシェルスクリプトを作成することになりました
Webアプリケーションのマニュアルにサンプルが記載してありましたので、それを参考にldapsearchの勉強です
ユーザの存在を確認
1 2 3 |
# ldapsearch -LLL -x -h server.rootlinks.local -D "cn=administrator,cn=Users,dc=rootlinks,dc=local" -w AdminPassword -b "ou=staff,dc=rootlinks,dc=local" "(sAMAccountName=matsuoka)" userPrincipalName dn: CN=matsuoka,OU=staff,DC=rootlinks,DC=local userPrincipalName: matsuoka@rootlinks.local |
ユーザアカウントとパスワードで確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# ldapsearch -h server.rootlinks.local -x -b "ou=staff,dc=rootlinks,dc=local" -D "matsuoka@rootlinks.local" -w Password "(sAMAccountName=matsuoka)" # extended LDIF # # LDAPv3 # base <ou=staff,dc=rootlinks,dc=local> with scope subtree # filter: (sAMAccountName=matsuoka) # requesting: ALL # # matsuoka, staff, rootlinks.local dn: CN=matsuoka,OU=staff,DC=rootlinks,DC=local objectClass: top objectClass: person (snip) |
ところが正常終了する場合とエラーになる場合がありました
1 2 3 |
# ldapsearch -h server.rootlinks.local -x -b "ou=staff,dc=rootlinks,dc=local" -D "test@rootlinks.local" -w Password "(sAMAccountName=test)" ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 |
同じOUに存在するユーザなのに…悩んだ挙句そのものズバリの情報を見つけました。感謝!
ActiveDirectoryにLDAPでアクセスした時のありがちなエラー
http://dev.ariel-networks.com/Members/inoue/ad-and-ldap/
ActiveDirectory(以下AD)で、ユーザ作成時に「ユーザーは次回ログオン時にパスワード変更が必要」にチェックをつけると、LDAPで認証しようとした時に次のようなエラーがでます。
LDAPSEARCH(1) MAN
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 |
LDAPSEARCH(1) LDAPSEARCH(1) NAME ldapsearch - LDAP search tool SYNOPSIS ldapsearch [-n] [-u] [-v] [-t[t]] [-T path] [-F prefix] [-A] [-C] [-L[L[L]]] [-M[M]] [-S attribute] [-d debuglevel] [-f file] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-b searchbase] [-s base|one|sub|children] [-a never|always|search|find] [-P 2|3] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-l timelimit] [-z sizelimit] [-O security-prop- erties] [-I] [-Q] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...] DESCRIPTION ldapsearch is a shell-accessible interface to the ldap_search_ext(3) library call. ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used. If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned. OPTIONS -n Show what would be done, but don’t actually perform the search. Useful for debugging in conjunction with -v. -u Include the User Friendly Name form of the Distinguished Name (DN) in the output. -v Run in verbose mode, with many diagnostics written to standard output. -t[t] A single -t writes retrieved non-printable values to a set of temporary files. This is useful for dealing with values con- taining non-character data such as jpegPhoto or audio. A second -t writes all retrieved values to files. -T path Write temporary files to directory specified by path (default: /var/tmp/) -F prefix URL prefix for temporary files. Default is file://path/ where path is /var/tmp/ or specified with -T. -A Retrieve attributes only (no values). This is useful when you just want to see if an attribute is present in an entry and are not interested in the specific values. -C Chase referrals (anonymously). -L Search results are display in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF. -M[M] Enable manage DSA IT control. -MM makes control critical. -S attribute Sort the entries returned based on attribute. The default is not to sort entries returned. If attribute is a zero-length string (""), the entries are sorted by the components of their Distin- guished Name. See ldap_sort(3) for more details. Note that ldapsearch normally prints out entries as it receives them. The use of the -S option defeats this behavior, causing all entries to be retrieved, then sorted, then printed. -d debuglevel Set the LDAP debugging level to debuglevel. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect. -f file Read a series of lines from file, performing one LDAP search for each line. In this case, the filter given on the command line is treated as a pattern where the first and only occurrence of %s is replaced with a line from file. Any other occurrence of the the % character in the pattern will be regarded as an error. Where it is desired that the search filter include a % charac- ter, the character should be encoded as \25 (see RFC 4515). If file is a single - character, then the lines are read from stan- dard input. -x Use simple authentication instead of SASL. -D binddn Use the Distinguished Name binddn to bind to the LDAP directory. -W Prompt for simple authentication. This is used instead of spec- ifying the password on the command line. -w passwd Use passwd as the password for simple authentication. -y passwdfile Use complete contents of passwdfile as the password for simple authentication. -H ldapuri Specify URI(s) referring to the ldap server(s); only the proto- col/host/port fields are allowed; a list of URI, separated by whitespace or commas is expected. -h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H. -p ldapport Specify an alternate TCP port where the ldap server is listen- ing. Deprecated in favor of -H. -b searchbase Use searchbase as the starting point for the search instead of the default. -s base|one|sub|children Specify the scope of the search to be one of base, one, sub, or children to specify a base object, one-level, subtree, or chil- dren search. The default is sub. Note: children scope requires LDAPv3 subordinate feature extension. -a never|always|search|find Specify how aliases dereferencing is done. Should be one of never, always, search, or find to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search. The default is to never dereference aliases. -P 2|3 Specify the LDAP protocol version to use. -e [!]ext[=extparam] -E [!]ext[=extparam] Specify general extensions with -e and search extensions with -E. ´!´ indicates criticality. General extensions: [!]assert=<filter> (an RFC 4515 Filter) [!]authzid=<authzid> ("dn:<dn>" or "u:<user>") [!]manageDSAit [!]noop ppolicy [!]postread[=<attrs>] (a comma-separated attribute list) [!]preread[=<attrs>] (a comma-separated attribute list) abandon, cancel (SIGINT sends abandon/cancel; not really controls) Search extensions: [!]domainScope (domain scope) [!]mv=<filter> (matched values filter) [!]pr=<size>[/prompt|noprompt] (paged results/prompt) [!]subentries[=true|false] (subentries) [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly) rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist) -l timelimit wait at most timelimit seconds for a search to complete. A timelimit of 0 (zero) or none means no limit. A timelimit of max means the maximum integer allowable by the protocol. A server may impose a maximal timelimit which only the root user may override. -z sizelimit retrieve at most sizelimit entries for a search. A sizelimit of 0 (zero) or none means no limit. A sizelimit of max means the maximum integer allowable by the protocol. A server may impose a maximal sizelimit which only the root user may override. -O security-properties Specify SASL security properties. -I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed. -Q Enable SASL Quiet mode. Never prompt. -U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used. -R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used. -X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username> -Y mech Specify the SASL mechanism to be used for authentication. If it’s not specified, the program will choose the best mechanism the server knows. -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be suc- cessful. OUTPUT FORMAT If one or more entries are found, each entry is written to standard output in LDAP Data Interchange Format or ldif(5): version: 1 # bjensen, example, net dn: uid=bjensen,dc=example,dc=net objectClass: person objectClass: dcObject uid: bjensen cn: Barbara Jensen sn: Jensen ... If the -t option is used, the URI of a temporary file is used in place of the actual value. If the -A option is given, only the "attribute- name" part is written. EXAMPLE The following command: ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber will perform a subtree search (using the default search base and other parameters defined in ldap.conf(5)) for entries with a surname (sn) of smith. The common name (cn), surname (sn) and telephoneNumber values will be retrieved and printed to standard output. The output might look something like this if two entries are found: dn: uid=jts,dc=example,dc=com cn: John Smith cn: John T. Smith sn: Smith sn;lang-en: Smith sn;lang-de: Schmidt telephoneNumber: 1 555 123-4567 dn: uid=sss,dc=example,dc=com cn: Steve Smith cn: Steve S. Smith sn: Smith sn;lang-en: Smith sn;lang-de: Schmidt telephoneNumber: 1 555 765-4321 The command: ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio will perform a subtree search using the default search base for entries with user id of "xyz". The user friendly form of the entry’s DN will be output after the line that contains the DN itself, and the jpegPhoto and audio values will be retrieved and written to temporary files. The output might look like this if one entry with one value for each of the requested attributes is found: dn: uid=xyz,dc=example,dc=com ufn: xyz, example, com audio:< file:///tmp/ldapsearch-audio-a19924 jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924 This command: ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description will perform a one-level search at the c=US level for all entries whose organization name (o) begins begins with University. The organization name and description attribute values will be retrieved and printed to standard output, resulting in output similar to this: dn: o=University of Alaska Fairbanks,c=US o: University of Alaska Fairbanks description: Preparing Alaska for a brave new yesterday description: leaf node only dn: o=University of Colorado at Boulder,c=US o: University of Colorado at Boulder description: No personnel information description: Institution of education and research dn: o=University of Colorado at Denver,c=US o: University of Colorado at Denver o: UCD o: CU/Denver o: CU-Denver description: Institute for Higher Learning and Research dn: o=University of Florida,c=US o: University of Florida o: UFl description: Warper of young minds ... DIAGNOSTICS Exit status is zero if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error. SEE ALSO ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5), ldif(5), ldap(3), ldap_search_ext(3), ldap_sort(3) AUTHOR The OpenLDAP Project <http://www.openldap.org/> ACKNOWLEDGEMENTS OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release. OpenLDAP 2.3.43 2008/07/16 LDAPSEARCH(1) |