Active Directory access - not just users, but computers too


#1

Most Active Directory access really just goes through LDAP and I don’t
know if it’s possible through LDAP – and if it’s possible, how to do
it, or who has implemented it in Ruby. I’d like to be able to get a list
of computers in a domain, in an OU, etc. using Ruby. I’ve looked around
(rubyforge, mainly, but google is also a good friend) but haven’t found
promising gems.
Is my understanding just incorrect?

–Aldric


#2

On Thu, Nov 13, 2008 at 5:02 PM, Aldric G. removed_email_address@domain.invalid wrote:

> Most Active Directory access really just goes through LDAP and I don’t
> know if it’s possible through LDAP – and if it’s possible, how to do
> it, or who has implemented it in Ruby. I’d like to be able to get a list
> of computers in a domain, in an OU, etc. using Ruby. I’ve looked around
> (rubyforge, mainly, but google is also a good friend) but haven’t found
> promising gems.
> Is my understanding just incorrect?
>
> –Aldric

Hi Aldric,

Have you had a look at Ruby Net::LDAP?
http://rubyfurnace.com/docs/ruby-net-ldap-0.0.4/


#3

removed_email_address@domain.invalid wrote:

> (first hit on google for “ldap active directory query examples”)
> Filter for computers:
> (objectCategory=computer)

You can do this query using either objectClass or objectCategory.
objectClass is indexed but objectCategory is not indexed. If you
query a large domain using the unindexed attribute, the query
interrogates every object in the domain. Traps for the unwary ;)

If you want just the users, no computers, you need:
(&(objectCategory=person)(objectClass=user)(!(objectClass=computer)))

The rest of brabuhr’s advice is good.

Clifford H…


#4

Thank you to everyone - it’s working like a charm!


#5

On Thu, Nov 13, 2008 at 6:02 PM, Aldric G. removed_email_address@domain.invalid wrote:

> Most Active Directory access really just goes through LDAP and I don’t
> know if it’s possible through LDAP – and if it’s possible, how to do
> it, or who has implemented it in Ruby. I’d like to be able to get a list
> of computers in a domain, in an OU, etc…

http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm

(first hit on google for “ldap active directory query examples”)

Filter for computers:
(objectCategory=computer)

To restrict to an OU, set the search base of the query to the OU.

For access from Ruby, look at net-ldap as suggested by Sammy L…


#6

Aldric,

Any chance you would be willing to share the code you used to access AD
via LDAP? I’ve tried the ActiveLdap and ActiveDirectory gems and so far
have not had any success.

Thanks,
Matt

----- Original Message -----
From: “Aldric G.” removed_email_address@domain.invalid
To: “ruby-talk ML” removed_email_address@domain.invalid
Sent: Friday, November 14, 2008 9:37:15 AM GMT -06:00 US/Canada Central
Subject: Re: Active Directory access - not just users, but computers too

Thank you to everyone - it’s working like a charm!


#7

Hi,

In 93821991.1744261226699370463.JavaMail.root@zcs10
“Re: Active Directory access - not just users, but computers too” on
Sat, 15 Nov 2008 06:47:09 +0900,
Matt M. removed_email_address@domain.invalid wrote:

> Any chance you would be willing to share the code you used to access AD
> via LDAP? I’ve tried the ActiveLdap and ActiveDirectory gems and so far
> have not had any success.

Please show the detail for the ActiveLdap try.
I’m one of the ActiveLdap developers.

Thanks,


#8

Hi Matt,
I pretty much followed the sample ruby-ldap documentation - here’s how
it came out:

    require 'rubygems'
    require 'net/ldap'

    ldap = Net::LDAP.new :host => "servername",
                         :port => 389,
                         :auth => {
                           :method   => :simple,
                           :username => "user",
                           :password => "password"
                         }

The code worked without ‘rubygems’ for me but I figured I could afford
the RAM in exchange for peace of mind. I also had some issues connecting
properly at first, as the :username string is a lot more complex in the
ruby-ldap documentation.

HTH,

–Aldric


#9

Hi Kouhei,

I know you from the ActiveLdap list and probably should have asked my
question there first. :) My AD server requires secure LDAP so I have
to use 636.

ad.rb:

    require 'myconstants'

    class AdUser < ActiveLdap::Base
      ldap_mapping :dn_attribute => 'sAMAccountName', :prefix => 'dc=ad',
                   :classes => ['top', 'person', 'user']
    end

    class AdGroup < ActiveLdap::Base
      ldap_mapping :dn_attribute => 'cn', :prefix => '',
                   :classes => ['top', 'group']
    end

    ActiveLdap::Base.establish_connection(:host => 'ldap.dom.edu',
                                          :port => 636,
                                          :base => 'dc=dom,dc=edu',
                                          :bind_dn => AdAdmin,
                                          :password => AdPW,
                                          :allow_anonymous => false)

    # Retrieve all users with some attribute
    def ad_user_search(attribute, value, returns)
      AdUser.find(
        :all,
        :attribute => attribute,
        :value => value,
        :attributes => returns
      )
    end

test.rb:

    #!/usr/local/bin/ruby

    # NOTE...RUBY TIME CLASS MAY BE FASTER THAN DATE CLASS???

    $LOAD_PATH << '…/dom_ruby_libs'
    require 'rubygems'
    require 'active_ldap'
    require 'ad'
    require 'myconstants'

    puts "===AD==="
    ad_user = ad_user_search('sAMAccountName', 'myusername', ['cn', 'sn'])
    ad_user.each do |user|
      puts user.inspect
    end

----- Original Message -----
From: “Kouhei S.” removed_email_address@domain.invalid
To: “ruby-talk ML” removed_email_address@domain.invalid
Sent: Friday, November 14, 2008 8:59:48 PM GMT -06:00 US/Canada Central
Subject: Re: Active Directory access - not just users, but computers too

Hi,

In 93821991.1744261226699370463.JavaMail.root@zcs10
“Re: Active Directory access - not just users, but computers too” on
Sat, 15 Nov 2008 06:47:09 +0900,
Matt M. removed_email_address@domain.invalid wrote:

> Any chance you would be willing to share the code you used to access AD
> via LDAP? I’ve tried the ActiveLdap and ActiveDirectory gems and so far
> have not had any success.

Please show the detail for the ActiveLdap try.
I’m one of the ActiveLdap developers.

Thanks,


#10

Hi,

In 1177410494.1808491226769419255.JavaMail.root@zcs10
“Re: Active Directory access - not just users, but computers too” on
Sun, 16 Nov 2008 02:14:42 +0900,
Matt M. removed_email_address@domain.invalid wrote:

> end
> :password => AdPW,
> end
> require 'active_ldap'
> require 'ad'
> require 'myconstants'
>
> puts "===AD==="
> ad_user = ad_user_search('sAMAccountName', 'myusername', ['cn', 'sn'])
> ad_user.each do |user|
> puts user.inspect
> end

It seems that you are missing the :method => :ssl option in the
establish_connection options. And what error message did you
get?

Thanks,
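
The pieces discussed in this thread put together as an added example (not code from any poster, nor from the net-ldap or ActiveLdap projects): the computer filter, an OU used as the search base, and a net-ldap connection over LDAPS on port 636 with certificate verification instead of a cleartext simple bind on 389. The helper names, the DNs, the host entries and the FakeDirectory stand-in are constructed assumptions so that it runs without a domain controller.

```ruby
# Added example, not code from the thread. DNs and entries are constructed.
COMPUTERS = "(objectCategory=computer)" # filter quoted in the thread

# Escape a value for use inside an LDAP filter (RFC 4515 special characters).
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# All computers, or the single computer whose cn equals +name+.
def computer_filter(name = nil)
  name ? "(&#{COMPUTERS}(cn=#{escape_filter_value(name)}))" : COMPUTERS
end

# LDAPS on 636 with certificate verification; needs the net-ldap gem.
def connect(host, bind_dn, password)
  require 'net/ldap'
  require 'openssl'
  Net::LDAP.new(:host => host, :port => 636,
                :encryption => { :method => :simple_tls,
                                 :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS },
                :auth => { :method => :simple, :username => bind_dn, :password => password })
end

# +ldap+ is a Net::LDAP connection or anything with the same #search interface.
# The search base decides the scope: pass the domain DN or an OU DN.
def computer_names(ldap, base, name = nil)
  entries = ldap.search(:base => base, :filter => computer_filter(name),
                        :attributes => ['cn'])
  raise "LDAP search under #{base} failed" if entries.nil?
  entries.map { |e| e[:cn].first }.sort
end

# Constructed stand-in for a directory so the example runs offline. It applies
# only the search base (subtree match on the DN) and records the filter it got.
class FakeDirectory
  attr_reader :last_filter
  ENTRIES = [
    { :dn => 'CN=PC01,OU=Lab,DC=example,DC=test',    :cn => ['PC01'] },
    { :dn => 'CN=PC02,OU=Office,DC=example,DC=test', :cn => ['PC02'] },
    { :dn => 'CN=SRV01,OU=Lab,DC=example,DC=test',   :cn => ['SRV01'] }
  ]
  def search(args)
    @last_filter = args[:filter]
    ENTRIES.select { |e| e[:dn].downcase.end_with?(args[:base].downcase) }
  end
end

dir = FakeDirectory.new
puts computer_names(dir, 'OU=Lab,DC=example,DC=test').inspect
```

Against a real server, pass the object returned by `connect` in place of the FakeDirectory instance.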