Snooping in the active directory

Every now and again one finds oneself on a UNIX💪 workstation connected to a Mickeysoft™ network, wanting to search the directory.

Step one is to know the name of the domain. It may or may not match the resolver's search list, i.e. the output of e.g.:

grep ^search /etc/resolv.conf

Note that the domain does not necessarily consist of two parts – in the case that prompted this writing, the domain had three. The base DN used further down gets one dc= component per label, however many there are.

Now we need to discover the domain controller:

dig _ldap._tcp.domain.tld -t srv

… substituting the domain.tld part for whatever is appropriate for the real-world scenario one finds oneself in.

This may yield several records; every target listed is a domain controller advertising LDAP (the same set is also registered under _ldap._tcp.dc._msdcs.domain.tld). Pick one that answers. Experiment!

Now do a search for yourself. Use ldaps:// (or -ZZ for STARTTLS): -x is a simple bind, and over plain ldap:// it would send the password in the clear. If the DC's certificate comes from an internal CA, point LDAPTLS_CACERT at that CA's certificate rather than disabling verification:

ldapsearch -x -H ldaps://<the-server> \
	-D 'you@the-domain.tld' \
	-W \
	-b 'dc=the-domain,dc=tld' \
	'(sAMAccountName=<your-username>)'
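The three steps above, glued together, as an added example that is not part of the original post. The SRV answer below is constructed sample data in the format `dig +short ... -t srv` prints (priority, weight, port, target); the `lookup_self` function assumes `dig` and the OpenLDAP `ldapsearch` are on PATH, and the domain and user names it takes are hypothetical arguments you supply. It builds the base DN from however many labels the domain has, which is the three-part case noted above.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes dig and OpenLDAP's
# ldapsearch are installed for the live part; the parsing helpers run offline.

# Turn a DNS domain into an AD base DN, one dc= per label, however many:
#   corp.example.com -> dc=corp,dc=example,dc=com
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Pick one DC from `dig +short _ldap._tcp.<domain> -t srv` output, whose lines
# are "priority weight port target.": lowest priority wins, highest weight
# breaks ties, and the trailing dot on the target is stripped.
pick_dc() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4; exit }'
}

# Constructed sample SRV answer (not captured from a real network).
SAMPLE_SRV='10 100 389 dc02.corp.example.com.
0 100 389 dc01.corp.example.com.
0 50 389 dc03.corp.example.com.'

# Live run: find a DC for the domain, then look yourself up over LDAPS.
# Tries the DC-specific _msdcs subtree first, then the plain record.
# Usage: lookup_self corp.example.com jdoe
lookup_self() {
    domain=${1:?domain}
    user=${2:?username}
    dc=$(dig +short "_ldap._tcp.dc._msdcs.$domain" -t srv | pick_dc)
    [ -n "$dc" ] || dc=$(dig +short "_ldap._tcp.$domain" -t srv | pick_dc)
    [ -n "$dc" ] || { echo "no LDAP SRV records for $domain" >&2; return 1; }
    echo "using domain controller $dc" >&2
    # -x: simple bind, so only over ldaps://. Set LDAPTLS_CACERT to the
    # internal CA's certificate if the DC's certificate is not publicly trusted.
    ldapsearch -x -LLL -H "ldaps://$dc" \
        -D "$user@$domain" -W \
        -b "$(domain_to_basedn "$domain")" \
        "(sAMAccountName=$user)" dn memberOf
}
```

`pick_dc` only honours priority and weight ordering; it does not probe the host, so if the chosen DC is down, rerun with the next line of the SRV answer. `-LLL` trims ldapsearch's comment lines, and the trailing attribute list keeps the output to the DN and group memberships.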

Yay!

Fin.

Author: rkv

Created: 2022-01-31 Mon 17:04
