I am using `ldapsearch` from OpenLDAP tools to search our corporate Active Directory for my email and phone number. This query is a test to ensure that I can authenticate against the domain so I can set up a Linux wiki with NTLM authentication. My theory is that if I can successfully query the AD for information, then I am a step closer to getting my wiki to authenticate against AD (I have instructions to set up moin wiki under Active Directory).
The problem is that I can't seem to get the `ldapsearch` query right. I have seen many tutorials on the net that indicate that `-D` should be something like `-D "Americas\John_Marshall"`; however, I keep getting `ldap_bind: Invalid credentials (49)` error messages when I use `Americas\John_Marshall`. The only time I get sensical results is when I query with the parameters below. However, even then, I can't figure out how to get email and phone number.
```
[John_Marshall@WN7-BG3YSM1 ~]$ ldapsearch -x -h 10.1.1.1 \
-b "cn=Users,dc=Americas" mail telephonenumber -D "cn=John_Marshall,dc=Americas"
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=Americas> with scope subtree
# filter: (objectclass=*)
# requesting: mail telephonenumber -D cn=John_Marshall,dc=Americas
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[John_Marshall@WN7-BG3YSM1 ~]$
```
Can someone give me pointers on what I'm doing wrong with the `ldapsearch` query above? Our AD LDAP server is 10.1.1.1 and the AD domain is "Americas".
**Steps to final solution** (the actual answer is in Wolfgang's response):

Using information in the comments and Wolfgang's answer, I was able to cobble the solution together, but it wasn't pretty getting there...

`ldp.exe` wasn't very useful to me; however, I started sniffing the servers that Outlook authenticated against and substituted that IP address in my queries. Suddenly I was getting correct authentication, and ran a query using `ldapsearch -x -h <new_ip_addr> -D "Americas\John_Marshall" -W -b "dc=MyCompanyName,dc=com"`. The results of this query (which was basically a raw data dump of much of our corporate LDAP directory) allowed me to refine the `-b` parameter (search base).
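As an added example (my own, not code from the question or from Wolfgang's answer), here is a small Python wrapper around the form of the query the question ends up with: a simple bind as `Americas\John_Marshall` with a `-W` password prompt and the domain DN as the search base, plus the filter and attribute list needed to get just one user's `mail` and `telephoneNumber` instead of a dump of the whole directory, and a parser for the LDIF that `ldapsearch` prints. The host, the base DN, the use of `-H ldap://` in place of `-h`, the account name and the sample LDIF are all constructed placeholders. It goes one step beyond the thread by escaping the account name before it goes into the filter (RFC 4515), which matters as soon as the name comes from wiki users rather than from your own shell:

```python
# Added example; not code from the question or from Wolfgang's answer.
# Hosts, DNs, account names and the sample LDIF below are constructed.
import base64
import subprocess
from typing import Dict, List, Optional, Tuple

# RFC 4515: these characters must be escaped inside a filter value, otherwise
# an account name such as  *)(objectClass=*  widens the search.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_ldapsearch_argv(host: str, bind_user: str, base_dn: str, account: str) -> List[str]:
    """argv for: simple bind (-x) as DOMAIN\\user (-D), password prompt (-W),
    search base (-b), a filter selecting exactly one account, and only the two
    attributes we want."""
    ldap_filter = f"(sAMAccountName={escape_filter_value(account)})"
    return ["ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_user, "-W",
            "-b", base_dn, ldap_filter, "mail", "telephoneNumber"]


def _finish(block: Dict[str, List[str]]) -> Dict[str, List[str]]:
    # Values were collected raw; '::' values are base64, the rest just need stripping.
    return {k: [base64.b64decode(v[1:].strip()).decode("utf-8") if v.startswith(":") else v.strip()
                for v in vals] for k, vals in block.items()}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Read ldapsearch LDIF output: '#' comments skipped, continuation lines
    (leading space) folded, multi-valued attributes kept as lists.  Only blocks
    that carry a dn are returned, which drops the 'ref:' referral blocks AD emits
    for a domain-root base and the trailing 'search:/result:' status block."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines() + [""]:          # sentinel flushes the last block
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]      # folded continuation line
            continue
        if not raw.strip():
            if "dn" in current:
                entries.append(_finish(current))
            current, last_key = {}, None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value)
    return entries


def user_contact(entries: List[Dict[str, List[str]]]) -> Optional[Tuple[str, str]]:
    """(mail, telephoneNumber) of the first entry; '' where an attribute is absent."""
    if not entries:
        return None
    first = entries[0]
    return first.get("mail", [""])[0], first.get("telephoneNumber", [""])[0]


def lookup_user(host: str, bind_user: str, base_dn: str, account: str) -> Optional[Tuple[str, str]]:
    """Run ldapsearch (the -W prompt goes to the terminal) and parse what it prints."""
    proc = subprocess.run(build_ldapsearch_argv(host, bind_user, base_dn, account),
                          capture_output=True, text=True, check=True)
    return user_contact(parse_ldif(proc.stdout))


# Constructed sample of what ldapsearch prints for such a query against AD.
SAMPLE_LDIF = """# extended LDIF
#
# LDAPv3
# base <dc=MyCompanyName,dc=com> with scope subtree
# filter: (sAMAccountName=John_Marshall)
# requesting: mail telephoneNumber
#

# John Marshall, Users, MyCompanyName.com
dn: CN=John Marshall,CN=Users,DC=MyCompanyName,DC=com
mail: john.marshall@mycompanyname.com
telephoneNumber: +1 555 0100

# search reference
ref: ldap://ForestDnsZones.MyCompanyName.com/DC=ForestDnsZones,DC=MyCompanyName,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1
"""

if __name__ == "__main__":
    print(" ".join(build_ldapsearch_argv("10.1.1.1", r"Americas\John_Marshall",
                                         "dc=MyCompanyName,dc=com", "John_Marshall")))
    print(user_contact(parse_ldif(SAMPLE_LDIF)))
```

Running the script as-is only prints the command line and parses the constructed sample; `lookup_user()` is what you would call against a real domain controller once the host and base DN are filled in.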
Well, there are a few things that could be wrong with this:

1. You are specifying simple authentication, but you are not providing a password and you are not telling ldapsearch either to collect a password from the command line. Does the user John_Marshall not have a password? If he does have one, it has to be provided somehow. Either specify `-w <password>` or `-W` (to enter a password at a prompt).
2. Is the user's binddn really `cn=John_Marshall,dc=Americas`? In our AD, just as an example, my own binddn would be "dn: CN=Wolfgang Schulze-Zachau,CN=Users,DC=aminocom,DC=com", i.e. there is no underscore between first name and surname. A binddn of "`cn=John_Marshall,dc=Americas`" is possible, but looks a bit short to me. Of course, this all depends on how your AD is configured. Can you verify that this really is the DN for that user? When you look at AD Users and Computers, what is the complete list of tree items leading to that user?
3. If you don't specify a filter, you'll get a list of all items that are in the searchbase. That could be a very long list.
OP Edit:
The correct incantation that worked was: