ldapsearch on HP-UX 11.31 to return recursive Windows AD membership

by 12-14-2011 07:59 AM - edited 12-09-2011 03:31 PM

Symptoms

Diagnosis

First, get LDAP-UX configured correctly. I had this working with a Windows Server 2008 R2 AD server and SSL. You can also set the standard defaults in /opt/iexpress/openldap/etc/openldap/ldap.conf, such as BASE and URI, so that you don't have to pass the search base and server URI on every ldapsearch command.

Solution

Since you log in to the HP-UX server using the Active Directory “uid” or “sAMAccountName” (e.g. dvn) and not the AD Distinguished Name (DN), you first have to query AD for the user's DN, and then substitute that DN into the filter of the second ldapsearch command.

To determine the login name, read it from the HP-UX environment or from the “id” command. In all cases, your program only needs the “dn:” line of the first result and can ignore everything else.

 

/usr/bin/ldapsearch -x -D 'CN=<username>,OU=<somewhere>,DC=iam,DC=here,DC=com' -w '<password>' uid=dvn DN

The first command binds as a service account (-x selects a simple bind, which -D/-w require with OpenLDAP's ldapsearch) and returns only the dn: line for the user whose uid is dvn. Take that DN and put it after the matching rule in the second command's filter. The OID 1.2.840.113556.1.4.1941 is Microsoft's LDAP_MATCHING_RULE_IN_CHAIN, which makes the AD server walk nested groups, so the result lists every group the user is a member of directly or through other groups. Note that a password given with -w is visible to other users in the process list; OpenLDAP's ldapsearch also accepts -y <file> to read the bind password from a file with restrictive permissions.

/usr/bin/ldapsearch -x -D 'CN=<username>,OU=<somewhere>,DC=iam,DC=here,DC=com' -w '<password>' '(member:1.2.840.113556.1.4.1941:=CN=<username>,OU=<somewhere>,OU=<somewhere>,DC=iam,DC=here,DC=com)' sAMAccountName
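The two-step lookup above, as an added shell example that is not part of the original post: it wraps both ldapsearch calls in functions, pulls the dn: value out of the first result, and feeds it into the matching-rule-in-chain filter. It goes slightly beyond the post in two places a script has to handle: ldapsearch folds long LDIF lines (a continuation line starts with one space), so the dn: of a deep OU tree is reassembled before use, and the DN is escaped per RFC 4515 before it is placed in a filter, since a CN containing parentheses or an asterisk would otherwise break the query. The bind DN, the password file path and the sample LDIF are constructed placeholders; BASE and URI are assumed to be set in ldap.conf as the post describes, and -y is assumed to be supported by the installed OpenLDAP build.

```shell
#!/bin/sh
# Added example (not from the original post). Resolves an HP-UX login name
# to its AD DN, then lists all groups the user belongs to, nested ones
# included, via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).

LDAPSEARCH=/usr/bin/ldapsearch
BIND_DN='CN=<username>,OU=<somewhere>,DC=iam,DC=here,DC=com'  # placeholder
PASSFILE=/etc/opt/ldap_bind.pw  # hypothetical path; keep it mode 0600

# Rejoin folded LDIF lines: a line beginning with a single space continues
# the previous line.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    '
}

# Print every value of attribute $1 (case-insensitive) from LDIF on stdin.
# Base64-encoded values ("attr:: ...") are skipped rather than mis-parsed.
ldif_attr() {
    ldif_unfold | awk -v attr="$1" '
        BEGIN { n = length(attr) }
        tolower(substr($0, 1, n + 1)) == tolower(attr) ":" && substr($0, n + 2, 1) != ":" {
            v = substr($0, n + 2)
            sub(/^ +/, "", v)
            print v
        }
    '
}

# Escape the RFC 4515 filter metacharacters \ ( ) * so a DN (or login name)
# can be embedded in a search filter safely. Backslash must go first.
filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Step 1: login name -> DN. Requesting a non-existent attribute ("DN") keeps
# the output down to the dn: line, as in the post.
user_dn() {
    "$LDAPSEARCH" -x -D "$BIND_DN" -y "$PASSFILE" \
        "(sAMAccountName=$(filter_escape "$1"))" DN | ldif_attr dn
}

# Step 2: DN -> sAMAccountName of every group in the membership chain.
user_groups() {
    "$LDAPSEARCH" -x -D "$BIND_DN" -y "$PASSFILE" \
        "(member:1.2.840.113556.1.4.1941:=$(filter_escape "$1"))" sAMAccountName \
        | ldif_attr sAMAccountName
}

lookup_groups() {
    dn=$(user_dn "$1") || return 1
    [ -n "$dn" ] || { echo "no AD account found for $1" >&2; return 1; }
    user_groups "$dn"
}

# Constructed sample ldapsearch output, used to exercise the parsers offline.
# The dn: line is folded the way ldapsearch wraps long LDIF values.
SAMPLE_USER_LDIF='# extended LDIF
#
dn: CN=Dan (Ops),OU=People,DC=iam,DC=he
 re,DC=com
sAMAccountName: dvn

# search result
search: 2
result: 0 Success'

SAMPLE_GROUP_LDIF='dn: CN=unix-admins,OU=Groups,DC=iam,DC=here,DC=com
sAMAccountName: unix-admins

dn: CN=all-staff,OU=Groups,DC=iam,DC=here,DC=com
sAMAccountName: all-staff

# search result
result: 0 Success'

# Live lookup only when a login name is given, e.g.: ./adgroups.sh "$(id -un)"
if [ $# -gt 0 ]; then
    lookup_groups "$1"
fi
```

Run it with the login name as the only argument; with no argument it just defines the functions, so the parsers can be sourced and tested against captured ldapsearch output before pointing the script at a domain controller.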