I am using ldapsearch on a debian 9 Linux box to query a MS Active Directory. I would like to query/find all users in my group "mygroupname". The command
ldapsearch -o ldif-wrap=no -xWLLL -D "myaccount" -h mydomain -b "ou=user,dc=mydc,dc=com" "cn=mygroupname" member
has the following output:
dn: CN=mygroupname,OU=user,DC=mydc,DC=com
member: CN=Paula Normal,OU=whatever,OU=...,OU=...,OU=...,DC=mydc,DC=com
member:: Q049QmV0dGluYSBUw7Zs...................9nbmUsT1U9RGV1dHNjwdGEsREM9Y29t
member: CN=Peter Testman,OU=whatever2,OU=...,OU=...,OU=...,DC=mydc,DC=com
...
I compared the output with the AD GUI. The second entry should be another valid user, but the output is unexpected and unreadable. The CN, OU, DC information is missing. I found out that the strange entries are valid, but are base64-encoded.
Where is the fault? Is there any corruption in the AD? Is my query command wrong? Why are some entries base64-encoded? How do I get the right output?
Your command line explicitly limits the attributes requested in the search to member.
Simply try adding the wanted attribute names as additional command-line args:
See also: ldapsearch(1)
Furthermore you should learn about LDIF syntax (see RFC 2849), which is supposed to be ASCII-clean. The two double-colons after the attribute type name mean that the value was base64-encoded, e.g. because of a NON-ASCII char in a name. Use a decent LDIF module to decode ldapsearch output or, better, use an LDAP module for your favourite scripting language.
The reason for the unexpected output is a NON-ASCII char in the cn-name. The line starting with "member:: " indicates a base64-encoded value, which can be decoded (by e.g.
echo "$value" | base64 -d -
). The search results of ldapsearch are displayed using an extended version of LDIF.
A quick workaround to receive a readable output could be made by using a wrapper like
Seen in this question.
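Both answers point at the same fix: treat the ldapsearch output as RFC 2849 LDIF and decode the "::" values instead of reading the raw lines. As an added example (not code from either answer), here is a small Python parser for that output which unfolds continuation lines, base64-decodes "::" values as UTF-8 and extracts each member's CN; the sample LDIF, the name "Bettina Tölz", the escaped comma and the function names are constructed for this example.

```python
import base64
import re

# Constructed sample in the shape of the ldapsearch output above (not real
# directory data). The "member::" value is the UTF-8 string
# "CN=Bettina Tölz,OU=whatever,DC=mydc,DC=com" base64-encoded per RFC 2849; the
# last member is folded onto two lines (as without -o ldif-wrap=no) and has an escaped comma.
SAMPLE_LDIF = """\
dn: CN=mygroupname,OU=user,DC=mydc,DC=com
member: CN=Paula Normal,OU=whatever,DC=mydc,DC=com
member:: Q049QmV0dGluYSBUw7ZseixPVT13aGF0ZXZlcixEQz1teWRjLERDPWNvbQ==
member: CN=Testman\\, Peter,OU=whatever2,
 DC=mydc,DC=com
"""

def unfold(text):
    """Join RFC 2849 continuation lines (leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_entry(text):
    """Parse one LDIF entry into {attribute: [decoded string values]}."""
    entry = {}
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            # "attr:: " marks a base64 value (non-ASCII etc.); AD returns UTF-8 strings
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        entry.setdefault(name, []).append(value)
    return entry

def member_cns(ldif_text):
    """Readable CN of every member DN of the entry in ldif_text."""
    cns = []
    for dn in parse_entry(ldif_text).get("member", []):
        first_rdn = re.split(r"(?<!\\),", dn)[0]  # split on unescaped commas only
        attr, _, val = first_rdn.partition("=")
        if attr.strip().upper() == "CN":
            cns.append(val.replace("\\,", ","))
    return cns
```

Feed it the real ldapsearch output (sys.stdin.read()) instead of SAMPLE_LDIF to get the decoded member list for your group.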