4.5. Query Active Directory User

The command below displays all attributes for each entry where all three simple filters are true, matching on the attributes objectClass, givenName, and sn (surname). The trailing '*' + requests all user attributes ('*') plus the operational attributes ('+'). Filters like these would be expected to work in any common LDAP server product.

ldapsearch \
    '( &
        (objectClass=person)
        (givenName=John)
        (sn=Doe)
    )' \
    '*' +

Common LDAP attributes related to persons are provided in RFC 4519.

In Microsoft Active Directory, user entries commonly carry additional objectClass values, such as user and organizationalPerson, alongside person.

Microsoft maintains documentation with lists and descriptions of attributes. Note that the lists show CNs (common names), and the LDAP display name may differ. E.g., CN SAM-Account-Name corresponds to LDAP attribute sAMAccountName, and CN Is-Member-Of-DL corresponds to LDAP attribute memberOf.

A command like the one below returns the classSchema entry for the user class; its mustContain, systemMustContain, mayContain and systemMayContain values list the attributes a user object may carry (attributes inherited from the parent classes named in subClassOf are listed on those classes' own entries).

ldapsearch \
    -b 'CN=Schema,CN=Configuration,DC=example,DC=com' \
    -s one \
    '( &
        (objectClass=classSchema)
        (cn=user)
    )' \
    '*' +

Some Microsoft Active Directory attributes are listed below.

manager

DN of person's manager.

memberOf

DN of a group of which the user is a member.

sAMAccountName

Logon name compatible with earlier versions of Microsoft Windows. E.g., jxd1234.

sAMAccountType

Values:

  • 0 (0x0): SAM_DOMAIN_OBJECT

  • 268435456 (0x10000000): SAM_GROUP_OBJECT

  • 268435457 (0x10000001): SAM_NON_SECURITY_GROUP_OBJECT

  • 536870912 (0x20000000): SAM_ALIAS_OBJECT

  • 536870913 (0x20000001): SAM_NON_SECURITY_ALIAS_OBJECT

  • 805306368 (0x30000000): SAM_USER_OBJECT

  • 805306368 (0x30000000): SAM_NORMAL_USER_ACCOUNT

  • 805306369 (0x30000001): SAM_MACHINE_ACCOUNT

  • 805306370 (0x30000002): SAM_TRUST_ACCOUNT

  • 1073741824 (0x40000000): SAM_APP_BASIC_GROUP

  • 1073741825 (0x40000001): SAM_APP_QUERY_GROUP

  • 2147483647 (0x7fffffff): SAM_ACCOUNT_TYPE_MAX

userPrincipalName

Internet-style login name. E.g., john_doe@example.com.

Targeting Microsoft Active Directory, the command below displays all attributes for each entry where both simple filters are true, matching on the attributes sAMAccountType (805306368, SAM_NORMAL_USER_ACCOUNT) and sAMAccountName.

ldapsearch \
    '( &
        (sAMAccountType=805306368)
        (sAMAccountName=jxd1234)
    )' \
    '*' +

Targeting Microsoft Active Directory, the command below displays only the memberOf attribute (one value per group) for each entry where both simple filters are true, matching on the attributes sAMAccountType (805306368, SAM_NORMAL_USER_ACCOUNT) and sAMAccountName.

ldapsearch \
    '( &
        (sAMAccountType=805306368)
        (sAMAccountName=jxd1234)
    )' \
    memberOf

Targeting Microsoft Active Directory, a command like the one below lists the SAM account names of users that are members of the group with DN CN=SOME_GROUP_NAME,OU=Application Access Groups,OU=Groups,DC=foo,DC=example,DC=com. Note that, because memberOf has DN syntax, a wildcard cannot be used in the assertion value. And because Microsoft Active Directory does not support extensible conditions on the DN, it is not possible to filter on only a part of the DN; the full DN must be given.

ldapsearch \
    '( &
        (sAMAccountType=805306368)
        (memberOf=CN=SOME_GROUP_NAME,OU=Application Access Groups,OU=Groups,DC=foo,DC=example,DC=com)
    )' \
    sAMAccountName
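As an added example (not part of the original page), the Python below builds the two Active Directory filters above with RFC 4515 escaping of assertion values, so that a sAMAccountName or group DN taken from program input cannot alter the filter's structure, and extracts group names from the memberOf output of the earlier query. The sample LDIF and the group DN are constructed; the attribute names and the 805306368 constant are those used on the page.

```python
"""Build the Active Directory filters shown above safely and read memberOf
output. Added example: attribute names and 805306368 come from the page;
the sample LDIF and the group DN are constructed."""

# RFC 4515 escaping for filter assertion values. Without it, a value such as
# 'jxd1234)(sAMAccountName=*' coming from untrusted input would change the
# meaning of the filter (LDAP injection); escaped, it is matched literally.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    """One simple equality filter, e.g. (sAMAccountName=jxd1234)."""
    return f'({attr}={escape_filter_value(value)})'

def and_filter(*parts: str) -> str:
    """AND of simple filters: the '( & ... )' form used in the commands above."""
    return '(&' + ''.join(parts) + ')'

SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, same value as SAM_USER_OBJECT

def user_filter(sam_account_name: str) -> str:
    """Filter for one normal user account by its SAM account name."""
    return and_filter(eq('sAMAccountType', str(SAM_NORMAL_USER_ACCOUNT)),
                      eq('sAMAccountName', sam_account_name))

def group_members_filter(group_dn: str) -> str:
    """Filter for normal user accounts that are direct members of group_dn.
    The whole DN is required; a DN-syntax attribute allows no wildcard."""
    return and_filter(eq('sAMAccountType', str(SAM_NORMAL_USER_ACCOUNT)),
                      eq('memberOf', group_dn))

def member_of_cns(ldif: str) -> list:
    """CN of each group named in memberOf lines of ldapsearch (LDIF) output.
    Assumes the first RDN is CN=... and contains no escaped commas."""
    cns = []
    for line in ldif.splitlines():
        if line.startswith('memberOf: '):
            first_rdn = line[len('memberOf: '):].split(',', 1)[0]
            cns.append(first_rdn.split('=', 1)[1])
    return cns

# Constructed sample output of the memberOf query shown above.
SAMPLE_LDIF = """dn: CN=John Doe,OU=Users,DC=foo,DC=example,DC=com
memberOf: CN=SOME_GROUP_NAME,OU=Application Access Groups,OU=Groups,DC=foo,DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=foo,DC=example,DC=com
"""
```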