Interacting with Active Directory on the Mac
Did you ever have to interact with Active Directory on a Mac?
If so, this post might be interesting for you. I am pretty new to the Mac, and basic things I know how to do on Windows take some research to figure out here. This time around I explore interactions with Active Directory/LDAP servers.
- First, there is the Directory Utility on macOS, which can be quite useful.
- Second, there is Apache Directory Studio, which is pretty amazing and feature rich.
- Third, you might want to write your own tools or scripts.
There are ldap command-line tools that let you do most tasks in an automated fashion. Note that ldaps:// is TLS from the start, while -Z upgrades a plain ldap:// connection via StartTLS; use one or the other, not both. To check which identity you are bound as:
ldapwhoami -x -H ldaps://[your].[domain].[controller] -D email@example.com -W
To perform a search, the ldapsearch command is useful:
ldapsearch -v -x -LLL -H ldaps://[your].[domain].[controller] -b OU=Users,OU=Managed,DC=[your],DC=[domain],DC=[controller] -D firstname.lastname@example.org -W -s sub "(objectClass=user)" cn givenName sn pwdLastSet sAMAccountName
To trust the certificate of the LDAP server, look into updating the krb5.conf/kerb.conf files accordingly.
Redirect the output into a file, let's say users.ldif.
There is a tool, ldap2csv.sh (google for it), that converts the output to a CSV file; I found this pretty useful.
./ldap2csv.sh cn givenName sn pwdLastSet sAMAccountName < users.ldif
To look up a list of specific users, replace this part of the ldapsearch command
-s sub "(objectClass=user)"
with
-s sub -f searchfilter.filter "(cn=%s)"
The filter file (searchfilter.filter in the case above) then just contains one name per line; ldapsearch runs one search per line and substitutes that line for %s in the filter.
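As an added example (not from this post, and not the ldap2csv.sh tool mentioned above), here is a small Python converter for a users.ldif file like the one produced above. It handles the two LDIF details a naive grep-based script gets wrong, folded continuation lines and base64-encoded (`::`) values, and renders pwdLastSet (a Windows FILETIME) as a date so stale passwords are visible at a glance. The LDIF below is constructed sample data, not real directory output.

```python
import base64
import csv
import io
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of `ldapsearch -LLL` output: a folded dn and a base64 ("::") value.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,OU=Managed,
 DC=example,DC=com
cn: Jane Doe
sAMAccountName: jdoe
pwdLastSet: 132537600000000000

dn: CN=Rene Mueller,OU=Users,OU=Managed,DC=example,DC=com
cn:: UmVuw6kgTcO8bGxlcg==
sAMAccountName: rmueller
pwdLastSet: 0
"""
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ldif(text):
    """One {attribute: value} dict per entry (first value of a multi-valued attribute)."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849 folding: newline + space continues the line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" for binary/non-ASCII values
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name, value.strip())
        entries.append(entry)
    return entries

def filetime_to_iso(value):
    """pwdLastSet is 100 ns ticks since 1601-01-01 UTC; 0 means never set (change at next logon)."""
    ticks = int(value or 0)
    if ticks == 0:
        return ""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")

def ldif_to_csv(text, columns):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for entry in parse_ldif(text):
        entry["pwdLastSet"] = filetime_to_iso(entry.get("pwdLastSet"))
        writer.writerow([entry.get(c, "") for c in columns])
    return out.getvalue()
```

Feed it the real users.ldif instead of SAMPLE_LDIF and an empty pwdLastSet column flags accounts whose password was never set.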