Snooping in the active directory
Every now and again one finds oneself on a UNIX💪 station connected to a Mickeysoft™ network, wanting to search the directory.
Step one is to know the name of the domain. This may or may not be related to the output of e.g.:
grep ^search /etc/resolv.conf
Note that the domain does not necessarily consist of two parts – in the case that prompted this writing, the domain had three.
Now we need to discover the domain controller:
dig _ldap._tcp.domain.tld -t srv
… substituting the domain.tld part for whatever is appropriate for the real-world scenario one finds oneself in.
This may yield a lot of output, but odds are that the DC is among the listed servers. Experiment!
Now do a search for yourself:
ldapsearch -x -H ldaps://<the-server> \
    -D 'you@the-domain.tld' \
    -W \
    -b 'dc=the-domain,dc=tld' \
    '(sAMAccountName=<your-username>)'
Yay!
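The three steps glued together as an added example (my script, not from the original post): a helper that turns a domain of any number of labels into a base DN, a helper that picks the DC from dig's +short SRV output, and a wrapper that runs the search. The domain corp.example.tld, the hostnames and the SRV sample are constructed.

```sh
#!/bin/sh
# domain_to_basedn: "corp.example.tld" -> "dc=corp,dc=example,dc=tld"
# (works for three-label domains too, which the bare two-part guess does not)
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# pick_dc: read `dig ... -t srv +short` lines ("prio weight port target.")
# from stdin, print the target with the lowest priority, preferring the
# highest weight on ties, with the trailing dot stripped.
pick_dc() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

# Constructed sample of `dig _ldap._tcp.corp.example.tld -t srv +short`
SAMPLE_SRV='0 100 389 dc1.corp.example.tld.
0 200 389 dc2.corp.example.tld.
10 100 389 dc3.corp.example.tld.'

# lookup_me DOMAIN USERNAME: the live version, needs network + credentials.
lookup_me() {
    domain=${1:?domain}; user=${2:?username}
    dc=$(dig "_ldap._tcp.$domain" -t srv +short | pick_dc)
    [ -n "$dc" ] || { echo "no _ldap._tcp SRV record for $domain" >&2; return 1; }
    # -x is a simple bind, so the password travels in the bind request;
    # ldaps:// keeps it off the wire in clear. Point TLS_CACERT in
    # /etc/ldap/ldap.conf (or ~/.ldaprc) at the domain CA so the DC's
    # certificate is actually verified rather than the bind failing or
    # being sent to whoever answers.
    ldapsearch -x -H "ldaps://$dc" \
        -D "$user@$domain" \
        -W \
        -b "$(domain_to_basedn "$domain")" \
        "(sAMAccountName=$user)"
}
```

Run it as `lookup_me corp.example.tld yourname`; the SRV sample above is only there to exercise pick_dc offline.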
Fin.