Accessing AD from UNIX machines

sayali k sayali_s_kulkarni at yahoo.co.in
Mon Jul 31 23:37:22 EDT 2006


Thanks a lot Mike,
  I will try out both the options. But I feel using C with OpenLDAP will be a more comfortable option for me. 
  But thanks a lot for suggesting the PHP option as well.
  Really appreciate the kind of response I have been getting on this.
   
  Warm regards,
  Sayali

Michael B Allen <mba2000 at ioplex.com> wrote:
  On Mon, 31 Jul 2006 09:35:12 +0100 (BST)
sayali k wrote:

> Hi all,
> I wanted to know some programming technique using which it would be possible to access the Active Directory users/groups and other details from a UNIX machine.
> I would like to write a small C/C++ program which would do this, like in the case of Java, where JNDI can be used to connect to AD using LDAP and then access the objects in AD.

Note: Active Directory is a KDC and an LDAP service. The two are tightly
coupled but your question is more of an LDAP question than it is a
Kerberos one. But still, I'll answer because I have a neat suggestion.

PHP is actually a really nice language for UNIX scripting. Here's a
script that will connect to AD and retrieve data for all users and print
their names:

#!/usr/bin/php
<?php
// Connect to the AD server's LDAP service
$ldap = ldap_connect("ts0.foo.net");
if ($ldap) {
    // Use LDAPv3 and do not follow referrals
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // SASL bind; needs php-ldap built --with-ldap-sasl (see below)
    if (ldap_sasl_bind($ldap)) {
        // Search the whole domain for user objects
        $srch = ldap_search($ldap, "dc=win,dc=net", "objectClass=user");
        if ($srch) {
            $info = ldap_get_entries($ldap, $srch);
            // Print the common name of each entry, then the total
            for ($i = 0; $i < $info["count"]; $i++) {
                echo $info[$i]["cn"][0] . "\n";
            }
            echo "count: " . $info["count"] . "\n";
        } else {
            echo "LDAP Error: " . ldap_error($ldap) . "\n";
        }
    } else {
        echo "LDAP Error: " . ldap_error($ldap) . "\n";
    }

    ldap_close($ldap);
} else {
    echo "Error: ldap_connect\n";
}
?>

There's a catch though. The stock php_ldap package on CentOS wasn't
compiled --with-ldap-sasl. The fix isn't too bad though. For CentOS
I just downloaded the PHP .src.rpm, installed it and then edited the
SPECS/php.spec file so that the build() function has --with-ldap-sasl
like shown below:

    --with-xml \
    --with-ldap-sasl \      <---- add this line
    $*
if test $? != 0; then

Then I rebuilt with:

$ rpmbuild -bb SPECS/php.spec

[you'll need to take a long nap here]

and upgraded just the php-ldap rpm.

Otherwise, if you want C, use OpenLDAP's client API.

Mike

-- 
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/



- Sayali
 		