[jcifs] SMB URL and Active Directory.

Frode E. Moe frode at coretrek.no
Thu Dec 19 06:28:35 EST 2002


> > I use something like this:
> > (for host "ADserver.fully.qualified")
> > 
> > ldapsearch -h ADserver -x -D cn=Administrator,cn=Users,dc=ADserver,dc=fully,
> dc=qualified -W -b dc=ADserver,dc=fully,dc=qualified
> > 
> > This should prompt you for the administrator password and dump a whole lot of
> > AD/LDAP data. If the user name is invalid (for example if you forget the
> > "cn=Users" part) you might not get an error message but a very short data
> > dump (as if you'd connected anonymously).
> > 
> > Hope this helps!
> 
> It does.  Thanks!
> 
> Is there a way to specify anonymous connections?  What information can I 
> get back from an anonymous query?

You can connect to the LDAP/AD server without specifying a "Bind DN" 
(LDAP-talk for username, I presume) with something like this:

ldapsearch -x -h ADserver -b dc=ADserver,dc=fully,dc=qualified 

This should not prompt for a password.

When I perform this on the test AD server here, I get a (fairly short) list,
instead of a complete dump of everything available in AD. By "fairly short"
I mean ~ 17000 lines (instead of 53000+ lines where the last lines read "Size
limit exceeded"). (But then again, this server has a fairly large AD tree). 

(sidenote: I notice I forgot to tell you to add '-s sub' to the huge
ldapsearch in the original post. This will yield a great deal more records
than if you leave it out)

As a matter of fact I just recently had to do AD-related work, and I had
to spend some time figuring out why I only got this short list of computer
names even though I (believed I) had specified a correct "bind DN". It took me
a few hours to realize I had missed the 'cn=Users' part of the
"cn=Administrator..." "bind DN".

You might well be on your way to finding what you're looking for; the
"short" list obtained by the "anonymous" search seems to mostly give 
records that have an 'objectClass' of 'dnsNode'. Some records have
in-addr.arpa "reverse DNS" style distinguished-names, others seem to have a 
distinguished-name based on the computer names in the domain. 
They also seem to have a 'dnsRecord' attribute which is by default exported
base64-encoded by ldapsearch, perhaps the IPv4 address or whatever can be 
decoded from this string?

I don't know if all hosts referenced in these DNS-style records give you
the set of "servers in a domain", but then again I haven't researched this
peculiarity of AD in depth.

It might also be of interest to know that you can attempt a logon to AD with
a username (ldap style, but you can find those by searching for nodes with a
matching 'sAMAccountName' if you know the "login" username) and password,
which works fairly well as an authentication test / password validation test.

Good luck in your research!

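Decoding the base64 `dnsRecord` attribute the post wonders about, as an added example (editor's code, not from the original post or from jCIFS). It assumes each value is a DNS_RPC_RECORD as documented in MS-DNSP section 2.3.2.2: a 24-byte header (DataLength, Type, Version, Rank, Flags, Serial, TtlSeconds in network byte order, Reserved, TimeStamp) followed by type-specific data, where an A record's data is the four IPv4 address bytes and NS/CNAME/PTR data is a DNS_COUNT_NAME. The LDIF it parses is constructed here to look like ldapsearch output, including the `::` base64 marker and the 76-column line folding ldapsearch uses; the hostnames, DNs and addresses are made up.

```python
"""Decode dnsRecord values of Active Directory dnsNode objects from LDIF text.

Editor's example, not code from the original post or from jCIFS.  Layout per
MS-DNSP 2.3.2.2 (DNS_RPC_RECORD); the sample LDIF below is constructed here.
"""
import base64
import ipaddress
import struct
from typing import Dict, List, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}
HEADER_LEN = 24  # DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TTL(4) Reserved(4) TimeStamp(4)


def encode_count_name(name: str) -> bytes:
    """DNS_COUNT_NAME: total length, label count, length-prefixed labels, 0x00 terminator."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(raw: bytes) -> str:
    """Walk LabelCount length-prefixed labels and return a dotted, absolute name."""
    label_count, pos, labels = raw[1], 2, []
    for _ in range(label_count):
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def build_record(rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Encode one DNS_RPC_RECORD (version 5, RANK_ZONE); used only to build sample data."""
    head = struct.pack("<HHBBHI", len(rdata), rtype, 5, 0xF0, 0, 1)
    return head + struct.pack(">I", ttl) + bytes(4) + struct.pack("<I", 0) + rdata


def parse_record(blob: bytes) -> Tuple[str, int, str]:
    """Decode one dnsRecord value into (type name, TTL seconds, rdata as text)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than the 24-byte DNS_RPC_RECORD header")
    data_len, rtype = struct.unpack_from("<HH", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)  # TtlSeconds is the one big-endian field
    rdata = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(rdata) != data_len:
        raise ValueError("DataLength runs past the end of the attribute value")
    if rtype == 1 and data_len == 4:
        text = ".".join(str(b) for b in rdata)            # A: IPv4 in network order
    elif rtype == 28 and data_len == 16:
        text = str(ipaddress.IPv6Address(rdata))          # AAAA
    elif rtype in (2, 5, 12):
        text = decode_count_name(rdata)                   # NS / CNAME / PTR
    else:
        text = rdata.hex()                                # anything else: keep raw bytes
    return TYPE_NAMES.get(rtype, f"TYPE{rtype}"), ttl, text


def parse_ldif(text: str) -> List[Dict[str, list]]:
    """Minimal LDIF reader: unfolds ' '-continued lines, base64-decodes '::' values."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # continuation of the previous logical line
        else:
            lines.append(line)
    entries, entry = [], {}
    for line in lines + [""]:
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        binary = value.startswith(":")
        val = base64.b64decode(value[1:].strip()) if binary else value.strip()
        entry.setdefault(attr, []).append(val)
    return entries


def hosts_from_dnsnodes(ldif_text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {node name: [(type, ttl, rdata), ...]} for every dnsNode entry."""
    found = {}
    for entry in parse_ldif(ldif_text):
        if "dnsNode" not in entry.get("objectClass", []):
            continue
        found[entry["name"][0]] = [parse_record(b) for b in entry.get("dnsRecord", [])]
    return found


def _fold(line: str, width: int = 76) -> str:
    """Wrap a line the way ldapsearch does: continuation lines start with one space."""
    chunks = [line[:width]] + [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(chunks)


def _b64_attr(attr: str, blob: bytes) -> str:
    return _fold(f"{attr}:: {base64.b64encode(blob).decode('ascii')}")


# Constructed sample (not real directory data): a forward node with A and AAAA
# records and a reverse-zone node with a PTR, shaped like anonymous ldapsearch output.
SAMPLE_LDIF = "\n".join([
    _fold("dn: DC=srv01,DC=fully.qualified,CN=MicrosoftDNS,CN=System,DC=fully,DC=qualified"),
    "objectClass: dnsNode",
    "name: srv01",
    _b64_attr("dnsRecord", build_record(1, bytes([192, 168, 1, 10]))),
    _b64_attr("dnsRecord", build_record(28, ipaddress.IPv6Address("fd00::a").packed)),
    "",
    _fold("dn: DC=10,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=fully,DC=qualified"),
    "objectClass: dnsNode",
    "name: 10",
    _b64_attr("dnsRecord", build_record(12, encode_count_name("srv01.fully.qualified"), ttl=86400)),
    "",
])

if __name__ == "__main__":
    for node, records in hosts_from_dnsnodes(SAMPLE_LDIF).items():
        for rtype, ttl, rdata in records:
            print(f"{node:8} {rtype:5} ttl={ttl:<6} {rdata}")
```

To run it against a real export, save the anonymous search to a file (`ldapsearch -x -h ADserver -s sub -b dc=ADserver,dc=fully,dc=qualified '(objectClass=dnsNode)' > nodes.ldif`) and pass the file contents to `hosts_from_dnsnodes`. Unknown record types are returned as hex rather than guessed, and a DataLength that overruns the value raises instead of silently truncating.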