ldapsearch to find DN for a user

How can I do an ldapsearch to find the DN for a user when I know the exact cn for that user in Active Directory?

I have tried several different commands (hundreds) but need the -b with the full DN to perform the search using ldapsearch from AIX. I am trying to find the OU for a user and the sAMAccountName. Our users are in several different OUs.

example that works:

ldapsearch -h something.acorp.com -p 389 -D "cn=${USER},ou=RealOU,DC=something,DC=acorp,DC=com" -w "${PW}" -s sub -b "cn=${SEARCH_USER},ou=UsersRealOU,DC=something,DC=acorp,DC=com" "cn=*"

example that does not work (one of many):

ldapsearch -h something.acorp.com -p 389 -D "cn=${USER},ou=RealOU,DC=something,DC=acorp,DC=com" -w "${PW}" -s sub "cn=${SEARCH_USER}"

How about something like this... it searches from the TOP of the tree (i.e. dc=something,dc=acorp,dc=com) and searches for a "user" with a samaccountname equal to "$search_name":

ldapsearch -x \
           -H ldap://something.acorp.com \
           -b dc=something,dc=acorp,dc=com \
           -w my_passwd \
           -D "$MY_DISTINGUISHED_NAME" \
           '(&(objectclass=user)(samaccountname=$search_name))' \
           DN

Maybe I am missing something. I do not want to put a DN in the search portion; I am looking for the DN :confused:. Or I am at least looking for the OU portion that is part of the DN, and that part is different for each user.

Also, running your query on AIX I get this error:

scope is required for a null based search.
Sends a search request to an LDAP server.
usage:
    ldapsearch [-b basedn] [options] filter [attributes...]
where:
        basedn:     base dn for search
                    (optional if LDAP_BASEDN set in environment)
        filter:     LDAP search filter
        attributes: whitespace-separated list of attributes to retrieve
                    (if no attribute list is specified, all are retrieved)

DN, in my previous example, is not part of the search; DN is the attribute you want returned on any object that satisfies the search.

If you do NOT specify 'any' attributes, you will get 'all' attributes back.

I do see that I made a mistake in translating from "my script" to the example script ... by using the single quotes instead of double quotes.

Here's what I'm using which works. It requests the samaccountname and DN be returned on any object that matches the search:

/usr/local/dms/openldap-2.2.13/bin/ldapsearch -v -x -W \
       -H ldap://my_ad.domain_controller_name.mycorp.com \
       -b dc=mycorp,dc=com \
       -D cn=my_samaccountname,cn=users,dc=mycorp,dc=com \
       "(&(objectclass=user)(samaccountname=$search_user))" \
       DN samaccountname

You may be using a newer version of openldap than I am, and it may be "forcing" you to specify a "scope". Just add

-s sub

following the

-v

in my example above.

NOTE: The example above will "prompt" you for your Active Directory password.
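The approach in the replies above (search from the domain base with an explicit subtree scope, filter on sAMAccountName, ask only for the DN) as a small script. This is an added example and not code from the thread; it assumes the OpenLDAP ldapsearch client (-x -W -H -LLL are its options; the IBM/AIX client in the question takes -h host -p port instead of -H), and the host, base DN and bind DN are placeholders. It adds two things a script that interpolates a shell variable into the filter should have: RFC 4515 escaping of the value (an unescaped "*" or ")" in the variable changes the filter instead of matching a name) and a parser that rejoins LDIF-folded DN lines, which is where long AD DNs come out split across two lines. The sample ldapsearch output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find a user's DN in Active Directory by
# sAMAccountName, searching from the domain base with an explicit subtree scope.
# Assumes the OpenLDAP ldapsearch client; host, base and bind DN are placeholders.

# Escape a value for use inside an LDAP search filter (RFC 4515). Without this a
# value such as "*" matches every user instead of one name. Backslash is handled
# first so the escapes added afterwards are not doubled. (A NUL byte cannot live
# in a shell variable, so the \00 escape is not needed here.)
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN of every entry in LDIF read from stdin. Handles LDIF line folding
# (a continuation line starts with one space), which ldapsearch applies to long
# DNs; comments, "ref:" lines and base64 "dn::" lines are ignored.
ldif_dns() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }          # folded continuation: append
          { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
    END   { if (buf ~ /^dn: /) print substr(buf, 5) }
  '
}

# Strip the leading RDN from a DN, giving the container (the OU path the question
# asks for). Skips commas escaped with a backslash, e.g. "CN=Doe\, John,OU=...".
parent_dn() {
  printf '%s\n' "$1" | awk '{
    esc = 0
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (esc)        { esc = 0; continue }
      if (c == "\\")  { esc = 1; continue }
      if (c == ",")   { print substr($0, i + 1); exit }
    }
    print ""
  }'
}

# Run the search: -s sub makes the scope explicit (the AIX client refuses to guess),
# -W prompts for the password instead of exposing it on the command line and in
# "ps" output, and the attribute list "1.1" asks for no attributes, so only the
# DN of each match comes back.
find_user_dn() {
  host=$1; base=$2; bind_dn=$3; account=$4
  ldapsearch -x -W -LLL -H "ldap://$host" -b "$base" -s sub -D "$bind_dn" \
    "(&(objectClass=user)(sAMAccountName=$(ldap_filter_escape "$account")))" 1.1 \
    | ldif_dns
}

# Constructed ldapsearch output, shaped like the OpenLDAP client's default
# (non -LLL) LDIF: the DN is folded across two lines and a referral is interleaved.
sample_ldif() {
  cat <<'EOF'
# extended LDIF
# filter: (&(objectClass=user)(sAMAccountName=jdoe))
# requesting: 1.1

# John Doe, Sales, EMEA, something.acorp.com
dn: CN=John Doe,OU=Sales,OU=EMEA,DC=something,DC=acorp,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.something.acorp.com/DC=ForestDnsZones,DC=something,DC=acorp,DC=com

# search result
search: 2
result: 0 Success
EOF
}

# Offline demonstration on the constructed output (no directory needed).
# Real use: find_user_dn something.acorp.com dc=something,dc=acorp,dc=com "$BIND_DN" jdoe
demo() {
  dn=$(sample_ldif | ldif_dns)
  printf 'user DN : %s\n' "$dn"
  printf 'OU path : %s\n' "$(parent_dn "$dn")"
}

demo
```

The filter escaping is the part worth keeping even if the rest is replaced: it is what turns "$search_user" back into a literal name no matter what the variable holds, and it costs nothing.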