Accessing AD from UNIX machines

Michael B Allen mba2000 at ioplex.com
Mon Jul 31 23:01:48 EDT 2006


On Mon, 31 Jul 2006 09:35:12 +0100 (BST)
sayali k <sayali_s_kulkarni at yahoo.co.in> wrote:

> Hi all,
>   I wanted to know some programming technique using which it would be possible to access the Active Directory users/groups and other details from a UNIX machine.
>   I would like to write a small C/C++ program which would do this, like in the case of Java, where JNDI can be used to connect to AD using LDAP and then access the objects in AD.

Note: Active Directory is a KDC and an LDAP service. The two are tightly
coupled but your question is more of an LDAP question than it is a
Kerberos one. But still, I'll answer because I have a neat suggestion.

PHP is actually a really nice language for UNIX scripting. Here's a
script that will connect to AD and retrieve data for all users and print
their names:

  #!/usr/bin/php
  <?php
  // ldap_connect() only sets up the handle for the AD domain controller.
  $ldap = ldap_connect("ts0.foo.net");
  if ($ldap) {
          // AD requires LDAPv3; do not chase referrals.
          ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
          ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
          // SASL bind without a DN or password
          // (needs php-ldap built --with-ldap-sasl).
          if (ldap_sasl_bind($ldap)) {
                  // Search the whole tree for user objects.
                  $srch = ldap_search($ldap, "dc=win,dc=net", "objectClass=user");
                  if ($srch) {
                          $info = ldap_get_entries($ldap, $srch);
                          // Print the common name of each entry.
                          for ($i = 0; $i < $info["count"]; $i++) {
                                  echo $info[$i]["cn"][0] . "\n";
                          }
                          echo "count: " . $info["count"] . "\n";
                  } else {
                          echo "LDAP Error: " . ldap_error($ldap) . "\n";
                  }
          } else {
                  echo "LDAP Error: " . ldap_error($ldap) . "\n";
          }

          ldap_close($ldap);
  } else {
          echo "Error: ldap_connect\n";
  }
  ?>

There's a catch though. The stock php_ldap package on CentOS wasn't
compiled --with-ldap-sasl. The fix isn't too bad though. For CentOS
I just downloaded the PHP .src.rpm, installed it and then edited the
SPECS/php.spec file so that the build() function has --with-ldap-sasl
as shown below:

      --with-xml \
  --with-ldap-sasl \         <---- add this line
      $*
  if test $? != 0; then

Then I rebuilt with:

  $ rpmbuild -bb SPECS/php.spec

[you'll need to take a long nap here]

and upgraded just the php-ldap rpm.

Otherwise, if you want C, use OpenLDAP's client API.

Mike

-- 
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
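
Added example, not part of the message above: the same listing for PHP 7.3 or later, with an explicit GSSAPI bind, a filter that leaves out computer accounts, and paged results so that a domain with more entries than AD returns in one response is listed in full. The host and base DN are the post's sample values; the page size of 500, the `fail()` helper and an existing Kerberos ticket (for example from kinit) are assumptions.

```php
<?php
// Added example, not from the original post. Host and base DN are the
// post's sample values; the page size of 500 is an assumption.
const AD_URI  = 'ldap://ts0.foo.net';
const BASE_DN = 'dc=win,dc=net';
// objectClass=user also matches computer accounts in AD; objectCategory=person
// restricts the result to user accounts.
const FILTER  = '(&(objectCategory=person)(objectClass=user))';

// Hypothetical helper: report the error on stderr and stop.
function fail(string $msg): void { fwrite(STDERR, $msg . "\n"); exit(1); }

// The function is absent when php-ldap was built without --with-ldap-sasl.
if (!function_exists('ldap_sasl_bind')) fail('php-ldap lacks SASL support');

$ldap = ldap_connect(AD_URI);
if ($ldap === false) fail('Error: ldap_connect');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// GSSAPI authenticates with the Kerberos ticket in the caller's credential
// cache (assumed to exist); the script never handles a password.
if (!ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
    fail('LDAP Error: ' . ldap_error($ldap));
}

$count  = 0;
$cookie = '';
do {
    // AD caps one search response (1000 entries by default), so ask for
    // pages and pass the server's cookie back until it comes back empty.
    $controls = [['oid' => LDAP_CONTROL_PAGEDRESULTS,
                  'value' => ['size' => 500, 'cookie' => $cookie]]];
    $srch = ldap_search($ldap, BASE_DN, FILTER, ['cn'], 0, -1, -1,
                        LDAP_DEREF_NEVER, $controls);
    if ($srch === false) fail('LDAP Error: ' . ldap_error($ldap));

    ldap_parse_result($ldap, $srch, $errcode, $matched, $errmsg, $refs, $ctrls);
    $info = ldap_get_entries($ldap, $srch);
    for ($i = 0; $i < $info['count']; $i++) {
        // Request only cn; fall back to the DN if an entry has none.
        echo ($info[$i]['cn'][0] ?? $info[$i]['dn']) . "\n";
    }
    $count += $info['count'];
    $cookie = $ctrls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
} while ($cookie !== '');

echo "count: $count\n";
ldap_unbind($ldap);
```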


