[KLUG Members] Managing AD from Linux?
Adam Tauno Williams
adam at morrison-ind.com
Fri Dec 30 13:24:08 EST 2005
On Thu, 2005-12-29 at 21:42 -0500, Bruce Smith wrote:
> > The ldapsearch and ldapmodify commands on SuSe should be able to make a
> > Digest-MD5 bind without any setup fuss.
> > If you query the rootDSE of the AD controller what do you see?
> Like this?
Yep.
> ldapsearch -h tcad -b '' -x -LLL -s base 'objectclass=*'
> dn:
> currentTime: 20051230023817.0Z
> subschemaSubentry:
> CN=Aggregate,CN=Schema,CN=Configuration,DC=tcc,DC=armintl,DC=com
> dsServiceName: CN=NTDS
> Settings,CN=TCAD,CN=Servers,CN=Default-First-Site-Name,
> CN=Sites,CN=Configuration,DC=tcc,DC=armintl,DC=com
> supportedControl: 1.2.840.113556.1.4.319
The meaning of most/some of these 1.2.840.113556.1.4.x controls can be
found here http://www.alvestrand.no/objectid/1.2.840.113556.1.4.html
Generally M$'s documentation in this regard stinks.
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.10
These are Netscape controls -
http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
Yea, it says it supports 2, but it won't let you do much via LDAPv2.
Specify -P3 in order to make sure you are using version 3.
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
It supports DIGEST-MD5 so it is worth trying an ldapmodify with an MD5
bind (be sure to use encryption). Level of access in AD is often
related to the 'strength' of your connection.
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
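The check described in the message above (read the rootDSE, confirm LDAPv3, pick an advertised SASL mechanism, bind over an encrypted connection), as an added example that is not part of the original post. The helper names, the mechanism preference order, the reading of "encryption" as StartTLS (`-ZZ`), and the user and file names are assumptions; the sample input is the rootDSE output quoted in the thread, abridged and re-folded as LDIF.

```python
import base64

# rootDSE as quoted in the message above, abridged; wrapped values are
# re-folded per LDIF rules (a continuation line starts with one space).
ROOT_DSE = """\
dn:
currentTime: 20051230023817.0Z
dsServiceName: CN=NTDS Settings,CN=TCAD,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=tcc,DC=armintl,DC=com
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

# Assumed client preference: Kerberos first, DIGEST-MD5 as the fallback.
PREFERENCE = ("GSSAPI", "DIGEST-MD5")


def parse_ldif_entry(text):
    """Return {attr_lowercase: [values]} for one LDIF entry, unfolding wrapped lines."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # continuation: drop the single leading space
        elif line and not line.startswith("#"):
            logical.append(line)
    entry = {}
    for line in logical:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def plan_bind(entry, uri, authcid, ldif_file, preference=PREFERENCE):
    """Build an ldapmodify argv: LDAPv3, StartTLS required, first preferred mechanism offered."""
    if "3" not in entry.get("supportedldapversion", []):
        raise ValueError("server does not advertise LDAPv3")
    offered = {m.upper() for m in entry.get("supportedsaslmechanisms", [])}
    mech = next((m for m in preference if m in offered), None)
    if mech is None:
        raise ValueError("no acceptable SASL mechanism offered: %s" % sorted(offered))
    # Assumption: "encryption" means StartTLS; -ZZ aborts if TLS cannot be negotiated.
    argv = ["ldapmodify", "-H", uri, "-P", "3", "-ZZ", "-Y", mech]
    if mech == "DIGEST-MD5":
        argv += ["-U", authcid]          # GSSAPI takes its identity from the Kerberos ticket
    return argv + ["-f", ldif_file]
```
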