
LDAP query for multiple domains

hello all,
we have a single forest, two domains, two sites, 1 DC (Win2k3) in each site. We also have 1 Exchange server on each site handling its own domain.
We are trying to implement the following:
we would like to run an LDAP query (internal query) on one server using port 3268 so we could get a reply with all the users' email addresses within those two domains.
We were trying to query using the "LDAP Admin 3" application with the following string (filter):
(&(|(objectClass=User)(objectClass=person)(objectclass=group))(mail=*)(!(userAccountControl:dn:1.2.840.113556.1.4.803:=2)))
We could perform the query with no error against each of our DCs (which are GC servers as well), but the results showed us email addresses only from the domain the DC belongs to.
My questions are:
1. At the end of the filter there is "))(mail=*)(!(" which is supposed to query all the email addresses in the entire directory as long as the domains are all in the same forest, am I right?
2. Based on this MS article http://technet.microsoft.com/en-us/library/cc978012.aspx
"If you bind to port 3268, your search includes all directory partitions in the forest"
Does that mean I will be able to query multiple GC servers in the same domain\forest?
Or GC servers from any domain in the forest?
3. Does that string (filter) look correct to you guys?
Please advise.
Thanks



Mike Kline commented:
Answer 1: What that is doing is querying for the existence of the mail attribute being filled out and trying to find only enabled accounts.
Answer 2: You would not need to query all the GCs, just any GC.
Answer 3: You can change that to (&(objectcategory=person)(objectclass=user)(mail=*)(userAccountControl:1.2.840.113556.1.4.803:=2))
What I really like for this is adfind by MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
Can you try:
adfind -gcb -bit -f "&(objectcategory=person)(objectclass=user)(mail=*)(!useraccountcontrol:AND:=2)" samaccountname mail
That should return their logon name (samaccountname) and mail attribute.
Thanks
Mike
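To make concrete what the filter from the question actually selects, here is an added worked example (not code from the question or from any of the answers): a small RFC 4515 filter parser and evaluator run against constructed sample entries. It implements the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) used by the userAccountControl clause, accepts the `:dn:` form that appears in the question's filter and evaluates it like the plain form, and treats a missing userAccountControl (as on a group) as "no match" for the bitwise test, so the negated clause still passes. The entries, DNs and addresses are sample data constructed for the example; no directory is contacted.

```python
"""Parse an LDAP search filter and evaluate it against in-memory entries.

Added example for this thread, not code from the question or the answers.
It shows what the filter quoted above selects, including the Active Directory
bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) that the
userAccountControl clause depends on. The entries below are constructed.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR_RULE = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR

# The filter from the question, verbatim.
QUESTION_FILTER = ("(&(|(objectClass=User)(objectClass=person)(objectclass=group))"
                   "(mail=*)(!(userAccountControl:dn:1.2.840.113556.1.4.803:=2)))")

# Constructed sample objects: an enabled user, a disabled user (bit 0x2 set),
# a mail-enabled group (no userAccountControl) and a user without a mailbox.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,DC=child1,DC=example,DC=test", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "mail": "alice@example.test", "userAccountControl": 512},
    {"dn": "CN=Bob,DC=child1,DC=example,DC=test", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "mail": "bob@example.test", "userAccountControl": 514},
    {"dn": "CN=Sales,DC=tree1,DC=test", "objectCategory": "group",
     "objectClass": ["top", "group"], "mail": "sales@tree1.test"},
    {"dn": "CN=Carol,DC=tree1,DC=test", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512},
]


def parse_filter(text):
    """Return a tuple tree for an RFC 4515 filter (no escaped parentheses assumed)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected trailing text in filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                          # AND / OR with any number of children
        op, children, i = s[i], [], i + 1
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if s[i] == "!":                           # NOT with exactly one child
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' after NOT")
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    if attr.endswith(":"):                    # extensible match: attr[:dn][:rule]:=value
        parts = attr[:-1].split(":")
        rule = parts[-1] if len(parts) > 1 and parts[-1] != "dn" else None
        return ("ext", parts[0], rule, value), end + 1
    return ("eq", attr, value), end + 1


def _values(entry, attr):
    """Attribute names compare case-insensitively; always return a list of values."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        vals = _values(entry, node[1])
        if node[2] == "*":                    # presence test, e.g. (mail=*)
            return bool(vals)
        return any(str(v).lower() == node[2].lower() for v in vals)
    if kind == "ext":
        _, attr, rule, value = node
        mask = int(value)
        vals = [int(v) for v in _values(entry, attr)]   # absent attribute -> no match
        if rule == BIT_AND_RULE:
            return any((v & mask) == mask for v in vals)
        if rule == BIT_OR_RULE:
            return any((v & mask) != 0 for v in vals)
        raise ValueError("unsupported matching rule %r" % rule)
    raise ValueError("unknown filter node %r" % kind)


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of entries selected by the filter, in input order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for dn in search(QUESTION_FILTER):
        print(dn)
```

Against the sample entries the question's filter returns the enabled user and the mail-enabled group, and drops the disabled user and the user with no mail attribute; removing the `(!(...))` around the bitwise clause flips it so that only disabled accounts are returned, which is easy to check by editing the filter string.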
 
activenet1 (Author) commented:
Mike,
I am not an expert in the whole query\syntax\scripting world. The filter I provided here was given to me by
our spam company; they state they cannot query our domains. What I did was copy and paste the filter
into the LDAP Admin tool, then I connected (internally) to one of our GC servers. The connection was successful with no errors; once I saw all AD partitions I made a search for "mail", but all the results I got were for email addresses within the domain only.
I think the utility I am using is not capable of doing what I need.
Can you please recommend me a good tool (with an interface) for LDAP queries?
Also, can you please explain to me step by step how to perform an LDAP query on a GC server using the filter I provided?
Thanks.
 
Mike Kline commented:
I'd have to download that tool, the filter is just one part, need to see how it connects to the GC.
Did you try the adfind command?

 
Chris Dent (PowerShell Developer) commented:

I'm rather inclined to suspect it's nothing more than the Search Base you're setting.

The search base needs to encompass all objects you want to find; if the search base is set to the current domain you won't get anything outside of that.

If it works anything like LDAP Administrator 2.6, the Search Base is set in the connection properties under the general tab. It looks like:

DC=domain,DC=com

Where the domain is domain.com, and should be the Forest Root.

Chris
 
activenet1 (Author) commented:
Mike,
I'm using the LDAP Admin tool version 3.0. In the field named "Base DN" my line is
"CN=Configuration,DC=mrssi,DC=biz", where mrssi.biz is the forest root domain.
This line came up automatically once I clicked the button called "Fetch Base DNs"; it auto-completes one partition from the forest root, CN=Configuration,DC=mrssi,DC=biz.
Only by doing that am I able to connect and see all the DC AD partitions and search for "mail".
I was trying to change the "Base DN" line as you told me, but when I hit connect it showed me 1 partition with 0 content.
 
Chris Dent (PowerShell Developer) commented:

The configuration subtree doesn't contain any information about the mail attribute used in each domain. Configuration will tell you about which partitions are available, but little else of relevance here.

Is it working with that? Not a very logical program if it is ;)

Chris
 
activenet1 (Author) commented:
Now it doesn't work at all :-) I have no idea what settings I have changed, but now when I hit connect it showed me only 1 partition (the configuration partition). Here are some screenshots:
Untitled.jpg
Untitled1.jpg
Untitled2.jpg
 
Chris Dent (PowerShell Developer) commented:

One sec, downloading the client you're using :)

Chris
 
Chris Dent (PowerShell Developer) commented:

You really have to use this tool? It's pretty crap, pain in the backside to use.

What are you trying to generate? There are 1001 ways to get the information you're after.

Chris
 
activenet1 (Author) commented:
I don't have to use that tool at all! I just don't know of any other...
All I need is to test our GC server (internally) by querying it using port 3268, and once I connect, to be able
to search for all email addresses listed in the entire directory.
Please send me a link to a tool you think will be better and easier to use.
Thanks
 
Chris Dent (PowerShell Developer) commented:

Well, if you do...

You're better creating a connection with:

Base DN: DC=mrssi,DC=biz

Leave the default filter in (objectClass=*). Then once you have the connection established, use the Search option on the menu. Select Text Filter, then enter your filter at the top. That should show you what you're after, hopefully...

Chris
 
Chris Dent (PowerShell Developer) commented:

How about a little VBScript? Then you can just double click on it and it'll generate you a file with all the e-mail addresses in the forest.

Save as .vbs, won't need any changes, it figures out your forest name by itself. The file name it creates is addresses.txt.

Chris
Const ADS_SCOPE_SUBTREE = 2

' ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Read the forest root from RootDSE and search it through the GC:// provider,
' so the query covers every partition held by the global catalog
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT proxyAddresses " &_
  "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") &_
  "' WHERE mail='*' AND proxyAddresses='*'"
Set objRootDSE = Nothing

' Enable Paging, set depth and a few other properties

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

' Overwrite Addresses.txt in the current directory (2 = ForWriting, True = create)
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("Addresses.txt", 2, True, 0)

While Not objRecordSet.EOF

  arrAddresses = objRecordSet.Fields("proxyAddresses").Value

  ' Keep SMTP addresses (primary "SMTP:" and secondary "smtp:"), skip system mailboxes
  For Each strAddress in arrAddresses
    If InStr(1, strAddress, "SMTP:", VbTextCompare) > 0 And _
        InStr(strAddress, "SystemMailbox") = 0 Then

      strAddress = LCase(Replace(strAddress, "SMTP:", "", 1, -1, VbTextCompare))
      objFile.WriteLine strAddress
    End If
  Next

  objRecordSet.MoveNext
WEnd

' Release the recordset and flush the output file
objRecordSet.Close
objFile.Close
 
activenet1 (Author) commented:
Well... I did exactly what you told me to do. I was able to establish a connection; all mrssi.biz partitions appeared this time, but when I chose "search" and added the filter the results I got were 0.
 
activenet1 (Author) commented:
I am sorry Mike, but I am not allowed to use VB scripting. I need to complete the test using a third party application.
I am heading to work, will talk to you in 1 hour.
Thanks so much for your help!
 
activenet1 (Author) commented:
How about I download LDAP Administrator 2.6? Would it be easier for you to guide me?
 
Chris Dent (PowerShell Developer) commented:

Really? How very unpleasant :)

Well you could do a hell of a lot worse than ADFind, or does it have to be GUI based?

If you want to try ADFind again then this would work:

adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv > out.csv

Otherwise there's always this one:

http://www.ldapbrowser.com/download.htm

Softerra's is pretty good. To do that...

1. Create a new connection (New Profile)
2. Global Catalog port (3268) in the same way you've done here
3. Set the base DN to DC=mrssi,DC=biz
4. Use the default filter
5. Use Tools / Directory Search and enter your original filter
6. Enter "proxyAddresses" in the attributes field. That's the only field that contains all e-mail addresses (mail only holds the Primary).

Chris
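Step 6 above and the VBScript posted earlier both rest on the same detail: `mail` holds only the primary address, while `proxyAddresses` holds every address with a type prefix, and the script picks out the SMTP ones. The following is an added example (not code from this thread) that does the same selection in Python over constructed sample values, so the convention can be checked offline: the primary SMTP address carries an upper-case `SMTP:` prefix, secondaries a lower-case `smtp:`, other types such as `X400:`, `x500:` and `SIP:` are not mail addresses, and system mailboxes are skipped as the VBScript does. The recipient entries, names and domains below are sample data made up for the example.

```python
"""Extract SMTP addresses from the proxyAddresses attribute.

Added example, not code from the thread. It applies the convention the
VBScript posted above relies on: each proxyAddresses value is "TYPE:address",
the primary SMTP address uses an upper-case "SMTP:" prefix, secondary ones a
lower-case "smtp:", and other types (X400:, x500:, SIP:) are not mail
addresses. The recipients below are constructed sample data.
"""


def smtp_addresses(proxy_addresses):
    """Return (primary, sorted secondaries) for one recipient's proxyAddresses.

    Selecting SMTP values is case-insensitive on the prefix (like the
    VBScript's VbTextCompare), but the case of the prefix decides whether a
    value is the primary. System mailboxes are skipped, as in that script.
    """
    primary, secondaries = None, []
    for value in proxy_addresses:
        prefix, sep, address = value.partition(":")
        if not sep or not address or prefix.lower() != "smtp":
            continue                       # X400:, x500:, SIP: or malformed values
        if "systemmailbox" in address.lower():
            continue                       # Exchange system mailboxes, not users
        if prefix == "SMTP":
            if primary is not None:        # a recipient has exactly one primary
                raise ValueError("more than one primary SMTP address: %r" % (proxy_addresses,))
            primary = address.lower()
        else:
            secondaries.append(address.lower())
    return primary, sorted(secondaries)


def export_addresses(recipients):
    """Flatten recipients into the list the VBScript writes to Addresses.txt:
    primary first, then secondaries; recipients with no SMTP address are omitted."""
    out = []
    for entry in recipients:
        primary, secondaries = smtp_addresses(entry.get("proxyAddresses", []))
        if primary is not None:
            out.append(primary)
        out.extend(secondaries)
    return out


# Constructed sample recipients: a user with several address types, an
# Exchange system mailbox, and a mail-enabled group with a secondary address.
SAMPLE_RECIPIENTS = [
    {"dn": "CN=Alice,DC=child1,DC=example,DC=test",
     "mail": "Alice@example.test",
     "proxyAddresses": ["X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;",
                        "smtp:alice.smith@example.test",
                        "SMTP:Alice@example.test",
                        "x500:/o=Example/ou=First Administrative Group/cn=Recipients/cn=alice"]},
    {"dn": "CN=SystemMailbox{PLACEHOLDER-GUID},CN=Users,DC=example,DC=test",
     "proxyAddresses": ["SMTP:SystemMailbox{PLACEHOLDER-GUID}@example.test"]},
    {"dn": "CN=Sales,DC=tree1,DC=test",
     "mail": "sales@tree1.test",
     "proxyAddresses": ["SMTP:sales@tree1.test", "smtp:sales@example.test",
                        "SIP:sales@tree1.test"]},
]


if __name__ == "__main__":
    for address in export_addresses(SAMPLE_RECIPIENTS):
        print(address)
```

For each sample recipient the lower-cased `mail` value equals the primary returned here, while the secondary `smtp:` addresses appear only in `proxyAddresses`, which is why a filter that reads `mail` alone misses them.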
 
Chris Dent (PowerShell Developer) commented:

> would it be easier for you to guide me?

Yep :)
 
activenet1 (Author) commented:
Yes, it has to be a GUI.
Trying Softerra's, will let you know in a few minutes how that works.
 
activenet1 (Author) commented:
Chris, something is wrong. I am no longer able to query one of the GC servers and search
for any object. I can establish a connection and I can see all the partitions, but I'm getting 0 results for any kind of search I do.
 
activenet1 (Author) commented:
What am I doing wrong?
 
activenet1 (Author) commented:
Please review the screenshot:
Untitled3.jpg
 
activenet1 (Author) commented:
Chris,
on which directory should I right click to choose "directory search"?
 
Chris Dent (PowerShell Developer) commented:

It doesn't (shouldn't) matter if you're specifying a Base DN.

Simplify the search, run:

(objectClass=user)

Just to make sure that returns something.

Chris
 
activenet1 (Author) commented:
I went back to the tool I used before and got all the settings back to the way they should be.
Now I am able to query the GC only by leaving the "Base DN" section empty + the filter.
When I hit connect it shows me 5 partitions; I hit search by "mail" and it found all the email addresses within the domain only. Does it make sense to you?
Now all I need to accomplish is to know how to query and get all the email addresses from the entire directory.

The GUI tool you provided me keeps bugging me once the connection is established with a user and pass error.
 
Chris Dent (PowerShell Developer) commented:

Yuck, they're all as bad as each other. I would guess that without a specific base defined it defaults to the current domain as the base.

May I ask why it has to be a third party application? Just wondering if there's something very specific you're trying to test.

Chris
 
activenet1 (Author) commented:
It has to be an application because scripting is not allowed without getting the "scripting team" on board,
and they cost a lot :-)
I was trying to put in the "Base DN" the line you told me, "DC=mrssi,DC=biz", but it didn't work.
Can you think of why it didn't work? Is there any other line you can think of to put in the Base DN?
And YES, I am trying to test something very specific: I have to make sure our spam filter company is able
to query all the domains' email addresses by accessing one GC server.
Once I get that to work on my end (internally) I will go and open 3268 to the internet with the correct ACL.
Chris, are you from the US?
 
Chris Dent (PowerShell Developer) commented:

Really? That's... well, a bit wrong really, this level of scripting is a tool, not a specialisation. Although I'm sure my opinion counts for little in the scheme of things :)

What can you tell me about your Forest? Maybe we're missing something really fundamental. I'm expecting a structure like:

root domain (mrssi.biz)
  child domain 1 (child1.mrssi.biz)
  child domain 2 (child2.mrssi.biz)

Is that the case? Or does it have more than one tree? e.g.

root domain (mrssi.biz)
other tree (domain1.com)
yet another tree (domain2.com)

Chris
 
Chris Dent (PowerShell Developer) commented:

Forgot...

> Chris, are you from the US?

Nope, from England :)

Chris
 
activenet1 (Author) commented:
root domain mrssi.biz (GC DC)
tree 1 domain highqfoundation.org (GC DC)
tree 2 domain chdi-inc.org (GC DC)
 
Chris Dent (PowerShell Developer) commented:

Ahh okay.

Is mrssi.biz mostly empty?

That is, can you search with these base DNs?

DC=highqfoundation,DC=org
DC=chdi-inc,DC=org

Chris
 
activenet1 (Author) commented:
Yes, mrssi.biz is mostly empty.
Searching, brb
:-)
 
activenet1 (Author) commented:
Yep! Works like a charm for both DNs.
 
Chris Dent (PowerShell Developer) commented:

Thought it might.

The trouble is, accounting for multiple trees within a forest is a complication as there's no single Base DN. You will have to hope that their application does, because none of the LDAP browsers are likely to (they're all quite simple beasts).

Is being able to do it for individual DNs enough of a test? Or does it have to be a single search?

Chris
 
activenet1 (Author) commented:
I have to provide results by doing a single search.
Is it possible?
 
Chris Dent (PowerShell Developer) commented:

Oh yes, it's possible, but you're constrained by the application.

It needs to perform a search with a Null Search Base, something that neither of these browsers appear willing to allow.

It's troubling because quite a lot of people don't account for it. I know I rarely bother, mainly because I've never had to work with a directory split like that. Hopefully the company you're dealing with will deal with it.

Is there any way it can be tested using their software?

Chris
 
Chris Dent (PowerShell Developer) commented:

You know the ADFind command uses a Null Base (-gcb) and should return all the results you're after in a single query. Would that not work as a test?

That should be:

adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv

Chris
 
activenet1 (Author) commented:
I can send out a test request.
Can you please, please help me understand your final conclusion? So I can take that and forward it to the owner of the company and he will deal with the spam filter company.
Please explain to me why it is not possible for me to do a single search based on our forest environment.
Also please explain to me what the spam company needs to do on their end in order to get an LDAP query
from one GC server.
Thanks!
 
activenet1 (Author) commented:
adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv

All I need to do is just copy and paste it into the cmd console? No need to edit it?
 
Chris Dent (PowerShell Developer) commented:

It is possible, it's just something that must be accounted for by whoever writes the application doing the synchronisation. Hopefully they will have and this simply won't be a problem.

In many cases assumptions are made about the hierarchical structure of Active Directory. The expectation is that a single root domain exists, and everything sits within it. That gives this structure:

root.domain
  child1.root.domain
  child2.root.domain

In this situation all objects within a Directory are beneath root.domain in a hierarchy. This means searches using DC=root,DC=domain as a base, a starting point, can find all objects within the forest with no further effort.

Many applications that synchronise with an Active Directory domain make this assumption; they allow or require the administrator to enter a single Base DN, and an LDAP filter.

Some Directories exist with multiple trees, as shown below:

root.domain
  child1.root.domain
tree1.domain
tree2.domain
  child1.tree2.domain
  child2.tree2.domain

In this instance a single Search Base of "DC=root,DC=domain" is insufficient to return results for the entire Forest (they do not lie directly beneath that path). Either the query must utilise a Null search base (none set), or multiple searches must be performed, one for each tree within the forest.

Null Search bases must be supported by the application performing the query for a single search operation to succeed against a Forest such as this. Either the anti-spam company must support this configuration, or they must allow multiple search bases to be entered.

Proving that a search can be executed against this domain using a Null Base and a single search does not, unfortunately, prove that a third-party has made the same consideration.

Chris
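The containment argument above can be checked mechanically. The following is an added example (not code from this thread) that models Chris's second diagram as a RootDSE-style `namingContexts` list, filters it down to the domain partitions, and then answers two questions: which domains a subtree search from a given base can never reach, and which set of bases is the smallest that covers every domain (one per tree root, or the empty null base). DN containment is done on the full RDN sequence rather than on the DNS suffix, which is exactly why `DC=tree1,DC=domain` is not under `DC=root,DC=domain` even though both end in `DC=domain`. The partition list is constructed; the rule that treats only DomainDnsZones and ForestDnsZones as application partitions is a stated simplification (a full implementation would read the forest's crossRef objects).

```python
"""Decide which search bases are needed to cover every domain in a forest.

Added example, not code from the thread. It models the point made above: DN
containment follows the full RDN sequence, so in a forest with several trees
the root domain's DN does not contain the other trees, and only a null (empty)
base on the global catalog, or one search per tree, reaches everything. The
RootDSE-style namingContexts list below is constructed sample data.
"""

# Constructed partition list in the shape of the second diagram above.
SAMPLE_NAMING_CONTEXTS = [
    "DC=root,DC=domain",
    "CN=Configuration,DC=root,DC=domain",
    "CN=Schema,CN=Configuration,DC=root,DC=domain",
    "DC=ForestDnsZones,DC=root,DC=domain",
    "DC=DomainDnsZones,DC=root,DC=domain",
    "DC=child1,DC=root,DC=domain",
    "DC=tree1,DC=domain",
    "DC=tree2,DC=domain",
    "DC=child1,DC=tree2,DC=domain",
    "DC=child2,DC=tree2,DC=domain",
]

# Default AD application partitions. Assumed here to be the only non-domain
# DC= partitions; a real implementation would inspect the crossRef objects.
APPLICATION_PARTITIONS = {"domaindnszones", "forestdnszones"}


def split_dn(dn):
    """Split a DN into (type, value) RDNs, root-most first, lower-cased.

    Assumes single-valued RDNs and no escaped commas, which holds for the
    DC= naming contexts this example deals with."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    rdns.reverse()
    return rdns


def dn_under_base(dn, base):
    """True when dn equals base or lies beneath it; an empty base contains everything."""
    b = split_dn(base)
    return split_dn(dn)[:len(b)] == b


def domain_partitions(naming_contexts):
    """Keep the domain naming contexts: leftmost RDN is DC= and not an application partition."""
    kept = []
    for nc in naming_contexts:
        leaf_type, leaf_value = split_dn(nc)[-1]
        if leaf_type == "dc" and leaf_value not in APPLICATION_PARTITIONS:
            kept.append(nc)
    return kept


def uncovered_by(base, domain_ncs):
    """Domain partitions a subtree search from `base` would never reach."""
    return [nc for nc in domain_ncs if not dn_under_base(nc, base)]


def search_bases(domain_ncs):
    """Smallest set of bases covering every domain: the root of each tree."""
    roots = [nc for nc in domain_ncs
             if not any(other != nc and dn_under_base(nc, other) for other in domain_ncs)]
    return sorted(roots)


if __name__ == "__main__":
    domains = domain_partitions(SAMPLE_NAMING_CONTEXTS)
    print("missed by a DC=root,DC=domain base:", uncovered_by("DC=root,DC=domain", domains))
    print("missed by a null base:", uncovered_by("", domains))
    print("bases needed without a null base:", search_bases(domains))
```

With the sample forest, a base of `DC=root,DC=domain` misses all four partitions belonging to the other two trees, the empty base misses nothing, and three bases are required otherwise; with a single-tree forest the same functions return one base, which is the case most applications assume.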
 
Chris Dent (PowerShell Developer) commented:

> all I need to do is just copy and paste it into the cmd console? No need to edit it?

Correct :)

Chris
 
activenet1 (Author) commented:
Do I have to run the command from cmd? Or from the support tools cmd?
Do I have to be on the server?
 
activenet1 (Author) commented:
Chris, thank you so much!!! You were a big, big help to me!
I will forward my conclusion based on your findings to the company owner; hopefully the spam company will be able to do a NULL base query.
One last thing: I copied and pasted the command into cmd but it gave me an invalid command line.
Am I missing something?
 
activenet1 (Author) commented:
Chris, here is what I got when I was trying to run AdFind:
C:\AdFind>adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv
"dn","proxyAddresses"
LDAP_BIND: [] Error 0x51 (81) - Server Down
Terminating program.
 
activenet1 (Author) commented:
I got AdFind to work for me!
Thanks!
