[KLUG Members] Managing AD from Linux?

Adam Tauno Williams adam at morrison-ind.com
Fri Dec 30 13:24:08 EST 2005


On Thu, 2005-12-29 at 21:42 -0500, Bruce Smith wrote:
> > The ldapsearch and ldapmodify commands on SuSe should be able to make a 
> > Digest-MD5 bind without any setup fuss.
> > If you query the rootDSE of the AD controller what do you see?
> Like this?

Yep.

>  ldapsearch -h tcad -b '' -x -LLL -s base 'objectclass=*'
> dn:
> currentTime: 20051230023817.0Z
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=tcc,DC=armintl,DC=com
> dsServiceName: CN=NTDS Settings,CN=TCAD,CN=Servers,CN=Default-First-Site-Name,
>  CN=Sites,CN=Configuration,DC=tcc,DC=armintl,DC=com
> supportedControl: 1.2.840.113556.1.4.319

The meaning of most/some of these 1.2.840.113556.1.4.x controls can be
found here http://www.alvestrand.no/objectid/1.2.840.113556.1.4.html

Generally M$'s documentation in this regard stinks.

> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.10

These are Netscape controls:
http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html

> supportedLDAPVersion: 3
> supportedLDAPVersion: 2

Yeah, it says it supports 2, but it won't let you do much via LDAPv2.
Specify -P3 in order to make sure you are using version 3.

> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5

It supports DIGEST-MD5 so it is worth trying an ldapmodify with an MD5
bind (be sure to use encryption).  Level of access in AD is often
related to the 'strength' of your connection.

> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
