Accessing AD from UNIX machines - Kerberos


Thread: Accessing AD from UNIX machines

  1. Accessing AD from UNIX machines

    Hi all,
    I wanted to know some programming technique using which it would be possible to access the Active Directory users/groups and other details from a UNIX machine.
    I would like to write a small C/C++ program which would do this, like in case of Java, JNDI can be used to connect to AD using LDAP and then access the objects in AD.

    Thanks a lot for all the help I am getting here.

    Regards,
    Sayali


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Accessing AD from UNIX machines

    Have a look at the ldapsearch source of openldap. It should contain all you
    need. I use it on my Suse Linux machine against AD.

    Markus



  3. Re: Accessing AD from UNIX machines

    On Mon, 31 Jul 2006 09:35:12 +0100 (BST)
    sayali k wrote:

    > Hi all,
    > I wanted to know some programming technique using which it would be possible to access the Active Directory users/groups and other details from UNIX machine.
    > I would like to write a small C/C++ program which would do this, like in case of Java, JNDI can be used to connect to AD using LDAP and then access the objects in AD.


    Note: Active Directory is a KDC and an LDAP service. The two are tightly
    coupled but your question is more of an LDAP question than it is a
    Kerberos one. But still, I'll answer because I have a neat suggestion.

    PHP is actually a really nice language for UNIX scripting. Here's a
    script that will connect to AD and retrieve data for all users and print
    their names:

    #!/usr/bin/php
    <?php
    // Connect to the AD domain controller's LDAP service.
    $ldap = ldap_connect("ts0.foo.net");
    if ($ldap) {
        // SASL binds need LDAPv3; referral chasing is turned off.
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        // SASL bind (needs php-ldap built --with-ldap-sasl, see below).
        if (ldap_sasl_bind($ldap)) {
            // Search the whole domain for user objects.
            $srch = ldap_search($ldap, "dc=win,dc=net", "objectClass=user");
            if ($srch) {
                $info = ldap_get_entries($ldap, $srch);
                // Print the common name of each entry, then the total.
                for ($i = 0; $i < $info["count"]; $i++) {
                    echo $info[$i]["cn"][0] . "\n";
                }
                echo "count: " . $info["count"] . "\n";
            } else {
                echo "LDAP Error: " . ldap_error($ldap) . "\n";
            }
        } else {
            echo "LDAP Error: " . ldap_error($ldap) . "\n";
        }

        ldap_close($ldap);
    } else {
        echo "Error: ldap_connect\n";
    }
    ?>

    There's a catch though. The stock php_ldap package on CentOS wasn't
    compiled --with-ldap-sasl. The fix isn't too bad though. For CentOS
    I just downloaded the PHP .src.rpm, installed it and then edited the
    SPECS/php.spec file so that the build() function has --with-ldap-sasl
    like shown below:

        --with-xml \
        --with-ldap-sasl \      <---- add this line
        $*
    if test $? != 0; then

    Then I rebuilt with:

    $ rpmbuild -bb SPECS/php.spec

    [you'll need to take a long nap here]

    and upgraded just the php-ldap rpm.

    Otherwise, if you want C, use OpenLDAP's client API.

    Mike

    --
    Michael B Allen
    PHP Extension for SSO w/ Windows Group Authorization
    http://www.ioplex.com/


  4. Re: Accessing AD from UNIX machines

    Thanks a lot Mike,
    I will try out both the options. But I feel using C with OpenLDAP will be a more comfortable option for me.
    But thanks a lot for suggesting the PHP option as well.
    Really appreciate the kind of response I have been getting on this.

    Warm regards,
    Sayali



  5. Re: Accessing AD from UNIX machines

    Thanks a lot Markus,
    Will definitely have a look at that in more detail. I would be using this on Red Hat Linux, IBM AIX, Sun Solaris and other such UNIX flavors.

    Thanks once again for all the help.

    Warm regards,
    Sayali



  6. Re: Accessing AD from UNIX machines

    Keep in mind that you need sasl with GSSAPI/Kerberos support for openldap.

    Markus





  7. Re: Accessing AD from UNIX machines

    On Tuesday 01 August 2006 05:01, Michael B Allen wrote:

    > Note: Active Directory is a KDC and an LDAP service. The two are tightly
    > coupled but your question is more of an LDAP question than it is a
    > Kerberos one. But still, I'll answer because I have a neat suggestion.
    >
    > PHP is actually a really nice language for UNIX scripting.


    Another idea to do this is using Perl, doing the (authentication)bind
    by Kerberos against AD.
    Cyrus-SASL is *not* needed.

    Example:


    #! /usr/bin/perl -w

    use strict;

    use Net::LDAP 0.33;
    use Authen::SASL 2.10;

    # GSSAPI mechanism, so the bind is done by Kerberos.
    my $sasl = Authen::SASL->new( mechanism => 'GSSAPI' );
    my $host = $ARGV[0] || die "\n\nusage: $0 ldapserver \n\n";
    my $ldap = Net::LDAP->new(
        $host,
        onerror => 'die',
    ) or die "Cannot connect to LDAP host '$host'";

    # Check the root DSE to confirm the server offers GSSAPI.
    my $dse = $ldap->root_dse();
    $dse->supported_sasl_mechanism( 'GSSAPI' )
        || die "\n sorry, $host does not support GSSAPI...\n";
    eval {
        $ldap->bind( sasl => $sasl );
    } or die $@, $sasl->error(), "\n Terminating.\n";

    print "\n SASL-bind to $host successful...\n\n";


    More Details on


    Achim