Accessing AD from UNIX machines
Michael B Allen
mba2000 at ioplex.com
Mon Jul 31 23:01:48 EDT 2006
On Mon, 31 Jul 2006 09:35:12 +0100 (BST)
sayali k <sayali_s_kulkarni at yahoo.co.in> wrote:
> Hi all,
> I wanted to know some programming technique using which it would be possible to access the Active Directory users/groups and other details from a UNIX machine.
> I would like to write a small C/C++ program which would do this, like in case of Java, JNDI can be used to connect to AD using LDAP and then access the objects in AD.
Note: Active Directory is a KDC and an LDAP service. The two are tightly
coupled but your question is more of an LDAP question than it is a
Kerberos one. But still, I'll answer because I have a neat suggestion.
PHP is actually a really nice language for UNIX scripting. Here's a
script that will connect to AD and retrieve data for all users and print
their names:

    #!/usr/bin/php
    <?php
    $ldap = ldap_connect("ts0.foo.net");
    if ($ldap) {
        // SASL binds require LDAPv3
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        // do not chase referrals
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        // SASL bind: no DN or password is passed
        if (ldap_sasl_bind($ldap)) {
            $srch = ldap_search($ldap, "dc=win,dc=net", "objectClass=user");
            if ($srch) {
                $info = ldap_get_entries($ldap, $srch);
                for ($i = 0; $i < $info["count"]; $i++) {
                    echo $info[$i]["cn"][0] . "\n";
                }
                echo "count: " . $info["count"] . "\n";
            } else {
                echo "LDAP Error: " . ldap_error($ldap) . "\n";
            }
        } else {
            echo "LDAP Error: " . ldap_error($ldap) . "\n";
        }
        ldap_close($ldap);
    } else {
        echo "Error: ldap_connect\n";
    }
    ?>

There's a catch though. The stock php_ldap package on CentOS wasn't
compiled --with-ldap-sasl. The fix isn't too bad though. For CentOS
I just downloaded the PHP .src.rpm, installed it and then edited the
SPECS/php.spec file so that the build() function has --with-ldap-sasl
as shown below:

        --with-xml \
        --with-ldap-sasl \    <---- add this line
        $*
    if test $? != 0; then

Then I rebuilt with:
$ rpmbuild -bb SPECS/php.spec
[you'll need to take a long nap here]
and upgraded just the php-ldap rpm.
Otherwise, if you want C, use OpenLDAP's client API.
Mike
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
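
The script from the post, reworked as an added example that is not part of the original message: it checks up front for a php-ldap build without SASL (the catch described above), names the GSSAPI mechanism explicitly, and pages the search, which goes beyond the original because Active Directory caps a single result set (1000 entries by default). It assumes PHP 7.3 or later and a valid Kerberos ticket from kinit; PAGE_SIZE is an illustrative value, and the host and base DN are the post's placeholders.

```php
<?php
// Added example, not from the original post. HOST/BASE are the post's placeholders.
const HOST = "ts0.foo.net";
const BASE = "dc=win,dc=net";
const PAGE_SIZE = 500;   // assumed value, below AD's default page limit
// A php-ldap built without --with-ldap-sasl has no ldap_sasl_bind() at all.
if (!function_exists("ldap_sasl_bind")) {
    fwrite(STDERR, "php-ldap lacks SASL support (rebuild --with-ldap-sasl)\n");
    exit(2);
}

$ldap = ldap_connect(HOST);
if (!$ldap) {
    fwrite(STDERR, "Error: ldap_connect\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// GSSAPI uses the caller's Kerberos ticket cache (kinit), so no password
// is stored in the script.
if (!ldap_sasl_bind($ldap, null, null, "GSSAPI")) {
    fwrite(STDERR, "LDAP Error: " . ldap_error($ldap) . "\n");
    exit(1);
}

// objectClass=user also matches computer accounts; this narrows to people.
$filter = "(&(objectCategory=person)(objectClass=user))";
$cookie = ""; $count = 0;
do {
    $ctrl = [["oid" => LDAP_CONTROL_PAGEDRESULTS,
              "value" => ["size" => PAGE_SIZE, "cookie" => $cookie]]];
    $srch = ldap_search($ldap, BASE, $filter, ["cn"], 0, -1, -1,
                        LDAP_DEREF_NEVER, $ctrl);
    if (!$srch) {
        fwrite(STDERR, "LDAP Error: " . ldap_error($ldap) . "\n");
        exit(1);
    }
    ldap_parse_result($ldap, $srch, $errcode, $dn, $errmsg, $refs, $controls);
    $info = ldap_get_entries($ldap, $srch);
    for ($i = 0; $i < $info["count"]; $i++) {
        echo ($info[$i]["cn"][0] ?? $info[$i]["dn"]) . "\n";
    }
    $count += $info["count"];
    // The server returns an empty cookie on the last page.
    $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]["value"]["cookie"] ?? "";
} while ($cookie !== "");
echo "count: $count\n";
ldap_unbind($ldap);
```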