PerlMonks  

Net::LDAP and AD

by mce (Curate)
on Jun 27, 2006 at 13:14 UTC (#557791=perlquestion)
mce has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,
I am a great fan of Net::LDAP, and I wrote a nice synchronisation tool that synchronises groups in LDAP directories. For example, from SUN1 to ADAM.

Now, we just found a problem: in Windows AD, users are a member of a group without being an actual member attribute.
This is called the PrimaryGroupID, and it is in fact a workaround for a bad design in AD. See this.
Does anyone have a workaround for this issue?
What I want is a routine that can be called to search the AD directory, and return a mapping for all users with their groups (or vice versa).
Of course, in Perl, but that is obvious.

Many thanks,


---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium

Re: Net::LDAP and AD
by shmem (Canon) on Jun 27, 2006 at 13:32 UTC
    Now, we just found a problem that in Windows AD, users are a member of a group, without being an actual member attribute.
    You mean, the primary group is not visible in an LDAP query via the memberOf attribute of the user record? or is there no DN entry for the corresponding group? Or do the members not show up querying the group?

    oh, wait... (reading) ...

    Um, that should be straightforward. Get a list of the users, query their PrimaryGroupID, store that somewhere (in a hash? :-), see what's in memberOf, get the groupIds of the returned groups and determine the users' primary group by comparing their PrimaryGroupId with the groupIds found. Windows AD should be queryable through port 3268 (or 3269 with TLS); I found the service behind the standard port 389 at times unreliable. There could be a maxRows limitation of an LDAP query to AD.

    --shmem

    _($_=" "x(1<<5)."?\n".q/)Oo.  G\        /
                                  /\_/(q    /
    ----------------------------  \__(m.====.(_("always off the crowd"))."
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
      Um, that should be straightforward. Get a list of the users, query their PrimaryGroupID, store that somewhere (in a hash? :-), see what's in memberOf, get the groupIds of the returned groups and determine the users' primary group by comparing their PrimaryGroupId with the groupIds found.
      That approach definitely works - I solved the same problem in JavaScript that way (although I don't have the code anymore).

      There could be a maxRows limitation of an LDAP query to AD.
      AD defaults to a page size of 1000 objects. You need to use the Net::LDAP::Control::Paged control to handle anything bigger than that. I have code returning tens of thousands of entries from AD on port 389 without a problem that way.

      --------------------------------------------------------------

      "If there is such a phenomenon as absolute evil, it consists in treating another human being as a thing."
      John Brunner, "The Shockwave Rider".

      Can you spare 2 minutes to help with my research? If so, please click here
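The routine shmem sketches above, as an added worked example (not code from this thread): the "groupId" being compared is the RID, the last sub-authority of the group's objectSid, which is the value a user's primaryGroupID holds. It is written in Python over constructed entries standing in for Net::LDAP search results so it runs without a directory; the DNs, SIDs and RIDs below are made up, and the unresolved-RID case is reported rather than silently dropped.

```python
import struct
from collections import defaultdict

def decode_sid(raw):
    """Decode a binary objectSid into (SID string, RID).
    Layout: revision (1 byte), sub-authority count (1 byte), 6-byte big-endian
    authority, then count little-endian uint32 sub-authorities; the last one is
    the RID, which is the value a user's primaryGroupID holds."""
    if len(raw) < 8 or raw[1] == 0 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID of length %d" % len(raw))
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    sid = "S-%d-%d-%s" % (raw[0], int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))
    return sid, subs[-1]

def encode_sid(subs, revision=1, authority=5):
    """Inverse of decode_sid; used here only to build constructed objectSid values."""
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def user_group_map(users, groups):
    """Return ({user DN: sorted group DNs}, {user DN: unresolved primaryGroupID})."""
    rid_to_dn = {decode_sid(g["objectSid"])[1]: g["dn"] for g in groups}
    mapping, unresolved = {}, {}
    for u in users:
        dns = list(u.get("memberOf", []))          # explicit memberships only
        primary = rid_to_dn.get(int(u["primaryGroupID"]))
        if primary is None:
            unresolved[u["dn"]] = int(u["primaryGroupID"])  # group not in the searched base
        elif primary not in dns:
            dns.append(primary)                    # membership AD never writes to member/memberOf
        mapping[u["dn"]] = sorted(dns)
    return mapping, unresolved

def group_user_map(user_map):
    """Invert user->groups into group->sorted users (the 'vice versa' direction)."""
    inverse = defaultdict(list)
    for user, dns in user_map.items():
        for g in dns:
            inverse[g].append(user)
    return {g: sorted(us) for g, us in inverse.items()}

# Constructed sample entries standing in for Net::LDAP search results.
DOMAIN, BASE = (21, 1111, 2222, 3333), "DC=example,DC=com"
GROUPS = [{"dn": "CN=%s,OU=Groups,%s" % (cn, BASE), "objectSid": encode_sid(DOMAIN + (rid,))}
          for cn, rid in (("Domain Users", 513), ("Sync Admins", 1105), ("Service Accounts", 1106))]
USERS = [
    {"dn": "CN=alice,CN=Users," + BASE, "primaryGroupID": "513", "memberOf": [GROUPS[1]["dn"]]},
    {"dn": "CN=svc-sync,CN=Users," + BASE, "primaryGroupID": "1106", "memberOf": []},
    {"dn": "CN=carol,CN=Users," + BASE, "primaryGroupID": "9999", "memberOf": []},  # stale/foreign RID
]
```

With a real directory, the same dicts come out of two paged searches (users with primaryGroupID and memberOf, groups with objectSid); objectSid must be fetched as the raw binary value, not the string form.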

Re: Net::LDAP and AD
by marto (Chancellor) on Jun 27, 2006 at 13:42 UTC
    Hi mce,

    "What I want is a routine that can be called to search the AD directory, and return a mapping for all users with their groups (or vice versa)."

    This is not a Net::LDAP solution, however you may wish to have a look at the source code from the Active Directory Cookbook. If you use it, you could buy a copy and do the author a favor :)

    Hope this helps.

    Martin
Re: Net::LDAP and AD
by strat (Canon) on Jun 28, 2006 at 09:11 UTC
