public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] Extract usernames from Active Directory
@ 2011-06-28 18:41 Pandu Poluan
  2011-06-28 19:52 ` Ryan Gibbons
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Pandu Poluan @ 2011-06-28 18:41 UTC
  To: Gentoo-server

Hello list!

I'm in the process of setting up a pair of cloud-based email gateways
based on Postfix. The gateways are meant to perform 'front line
filtering' against spammers, before the messages entered the measly
bandwidth into my company's DMZ.

The 'missing ingredient' would be a way to extract the usernames from
Windows' Active Directory. I don't really need a full-fledged AD-LDAP
synchronization, just a way to get them names into a nice list with
which 'postmap' can act upon.

I plan to run the extractor tool every 30 minutes on one of the Gentoo
servers in the DMZ, and automagically push the extraction result -- if
there's anything new -- onto the mail gateways using rsync. And have
yet-another-script at the gateways run 15 minutes afterwards to
'compile' a new file (maybe leveraging make's baked-in timestamp
detection).

Anyone knows what tool(s) I'll need? Especially for the AD extraction part?

Rgds,


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/




* Re: [gentoo-server] Extract usernames from Active Directory
  2011-06-28 18:41 Pandu Poluan
@ 2011-06-28 19:52 ` Ryan Gibbons
  2011-06-28 21:07 ` Alessandro Ratti
  2011-06-28 21:44 ` mRyOuNg
  2 siblings, 0 replies; 8+ messages in thread
From: Ryan Gibbons @ 2011-06-28 19:52 UTC
  To: gentoo-server


> 
> Hello list!
> 
> I'm in the process of setting up a pair of cloud-based email gateways
> based on Postfix. The gateways are meant to perform 'front line
> filtering' against spammers, before the messages entered the measly
> bandwidth into my company's DMZ.
> 
> The 'missing ingredient' would be a way to extract the usernames from
> Windows' Active Directory. I don't really need a full-fledged AD-LDAP
> synchronization, just a way to get them names into a nice list with
> which 'postmap' can act upon.
> 
> I plan to run the extractor tool every 30 minutes on one of the Gentoo
> servers in the DMZ, and automagically push the extraction result -- if
> there's anything new -- onto the mail gateways using rsync. And have
> yet-another-script at the gateways run 15 minutes afterwards to
> 'compile' a new file (maybe leveraging make's baked-in timestamp
> detection).
> 
> Anyone knows what tool(s) I'll need? Especially for the AD extraction part?
> 
> Rgds,
> 
> 
> -- 
> --
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/

It's been a very long time since I've done this, but I believe the link below will get you going in the right direction:

http://randomerror.wordpress.com/2009/10/16/quick-tip-how-to-search-in-windows-active-directory-from-linux-with-ldapsearch/



* Re: [gentoo-server] Extract usernames from Active Directory
  2011-06-28 18:41 Pandu Poluan
  2011-06-28 19:52 ` Ryan Gibbons
@ 2011-06-28 21:07 ` Alessandro Ratti
  2011-06-28 21:44 ` mRyOuNg
  2 siblings, 0 replies; 8+ messages in thread
From: Alessandro Ratti @ 2011-06-28 21:07 UTC
  To: gentoo-server


On 28 Jun 2011, at 20:41, Pandu Poluan wrote:

> Hello list!
> 
> I'm in the process of setting up a pair of cloud-based email gateways
> based on Postfix. The gateways are meant to perform 'front line
> filtering' against spammers, before the messages entered the measly
> bandwidth into my company's DMZ.
> 
> The 'missing ingredient' would be a way to extract the usernames from
> Windows' Active Directory. I don't really need a full-fledged AD-LDAP
> synchronization, just a way to get them names into a nice list with
> which 'postmap' can act upon.
> 
> I plan to run the extractor tool every 30 minutes on one of the Gentoo
> servers in the DMZ, and automagically push the extraction result -- if
> there's anything new -- onto the mail gateways using rsync. And have
> yet-another-script at the gateways run 15 minutes afterwards to
> 'compile' a new file (maybe leveraging make's baked-in timestamp
> detection).
> 
> Anyone knows what tool(s) I'll need? Especially for the AD extraction part?

You can try this one: http://www.likewise.com/

Let me know if it solves your problem.

Regards

Alex





* Re: [gentoo-server] Extract usernames from Active Directory
  2011-06-28 18:41 Pandu Poluan
  2011-06-28 19:52 ` Ryan Gibbons
  2011-06-28 21:07 ` Alessandro Ratti
@ 2011-06-28 21:44 ` mRyOuNg
  2 siblings, 0 replies; 8+ messages in thread
From: mRyOuNg @ 2011-06-28 21:44 UTC
  To: gentoo-server@lists.gentoo.org

What about an easy ldap request selecting only samaccountname?

:: Baptiste Boilet
. (mobile)

On 28 June 2011, at 20:41, Pandu Poluan <pandu@poluan.info> wrote:

> Hello list!
> 
> I'm in the process of setting up a pair of cloud-based email gateways
> based on Postfix. The gateways are meant to perform 'front line
> filtering' against spammers, before the messages entered the measly
> bandwidth into my company's DMZ.
> 
> The 'missing ingredient' would be a way to extract the usernames from
> Windows' Active Directory. I don't really need a full-fledged AD-LDAP
> synchronization, just a way to get them names into a nice list with
> which 'postmap' can act upon.
> 
> I plan to run the extractor tool every 30 minutes on one of the Gentoo
> servers in the DMZ, and automagically push the extraction result -- if
> there's anything new -- onto the mail gateways using rsync. And have
> yet-another-script at the gateways run 15 minutes afterwards to
> 'compile' a new file (maybe leveraging make's baked-in timestamp
> detection).
> 
> Anyone knows what tool(s) I'll need? Especially for the AD extraction part?
> 
> Rgds,
> 
> 
> -- 
> --
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/
> 




* RE: [gentoo-server] Extract usernames from Active Directory
@ 2011-06-29  1:22 Pandu Poluan
  0 siblings, 0 replies; 8+ messages in thread
From: Pandu Poluan @ 2011-06-29  1:22 UTC
  To: gentoo-server

-original message-
Subject: Re: [gentoo-server] Extract usernames from Active Directory
From: Ryan Gibbons <gibbonsr-ml@routedtechnologies.com>
Date: 2011-06-29 02:52

>> Hello list!
>> 
>> I'm in the process of setting up a pair of cloud-based email gateways
>> based on Postfix. The gateways are meant to perform 'front line
>> filtering' against spammers, before the messages entered the measly
>> bandwidth into my company's DMZ.
>> 
>> The 'missing ingredient' would be a way to extract the usernames from
>> Windows' Active Directory. I don't really need a full-fledged AD-LDAP
>> synchronization, just a way to get them names into a nice list with
>> which 'postmap' can act upon.
>> 
>> I plan to run the extractor tool every 30 minutes on one of the Gentoo
>> servers in the DMZ, and automagically push the extraction result -- if
>> there's anything new -- onto the mail gateways using rsync. And have
>> yet-another-script at the gateways run 15 minutes afterwards to
>> 'compile' a new file (maybe leveraging make's baked-in timestamp
>> detection).
>> 
>> Anyone knows what tool(s) I'll need? Especially for the AD extraction part?
>> 
> It's been a very long time since I've done this, but I believe the link below will get you going in the right direction 
>
>http://randomerror.wordpress.com/2009/10/16/quick-tip-how-to-search-in-windows-active-directory-from-linux-with-ldapsearch/

Ah, that would be a nice start. Unfortunately, the post was talking about Debian/Ubuntu, and a search on Portage seems to not have the 'ldap-util' package. Lots of interesting packages, though:

http://gentoo-portage.com/Search?search=ldap

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

Sent from Nokia E72-1






* RE: [gentoo-server] Extract usernames from Active Directory
@ 2011-06-29  1:58 Pandu Poluan
  0 siblings, 0 replies; 8+ messages in thread
From: Pandu Poluan @ 2011-06-29  1:58 UTC
  To: gentoo-server

-original message-
Subject: Re: [gentoo-server] Extract usernames from Active Directory
From: Alessandro Ratti <alex@lord2y.org>
Date: 2011-06-29 04:07


>On 28 Jun 2011, at 20:41, Pandu Poluan wrote:
>
>> Hello list!
>> 
>> I'm in the process of setting up a pair of cloud-based email gateways
>> based on Postfix. The gateways are meant to perform 'front line
>> filtering' against spammers, before the messages entered the measly
>> bandwidth into my company's DMZ.
>> 
>> The 'missing ingredient' would be a way to extract the usernames from
>> Windows' Active Directory. I don't really need a full-fledged AD-LDAP
>> synchronization, just a way to get them names into a nice list with
>> which 'postmap' can act upon.
>> 
>> I plan to run the extractor tool every 30 minutes on one of the Gentoo
>> servers in the DMZ, and automagically push the extraction result -- if
>> there's anything new -- onto the mail gateways using rsync. And have
>> yet-another-script at the gateways run 15 minutes afterwards to
>> 'compile' a new file (maybe leveraging make's baked-in timestamp
>> detection).
>> 
>> Anyone knows what tool(s) I'll need? Especially for the AD extraction part?
>
>You can try this one: http://www.likewise.com/
>
>Let me know if it solves your problem.

That looks mighty nice, but perhaps a bit of overkill for my needs.

After all, I only need to get the username field, and not perform any authentication.

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

Sent from Nokia E72-1






* RE: [gentoo-server] Extract usernames from Active Directory
@ 2011-06-29  2:00 Pandu Poluan
  2011-06-29  4:05 ` Brian Kroth
  0 siblings, 1 reply; 8+ messages in thread
From: Pandu Poluan @ 2011-06-29  2:00 UTC
  To: gentoo-server

-original message-
Subject: Re: [gentoo-server] Extract usernames from Active Directory
From: mRyOuNg <mryoung@soundbomb.net>
Date: 2011-06-29 04:44

>What about an easy ldap request selecting only samaccountname?

Yup, that's the plan. How do I do that?

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

Sent from Nokia E72-1






* Re: [gentoo-server] Extract usernames from Active Directory
  2011-06-29  2:00 Pandu Poluan
@ 2011-06-29  4:05 ` Brian Kroth
  0 siblings, 0 replies; 8+ messages in thread
From: Brian Kroth @ 2011-06-29  4:05 UTC
  To: Pandu Poluan; +Cc: gentoo-server


Pandu Poluan <pandu@poluan.info> 2011-06-29 09:00:
> -original message-
> Subject: Re: [gentoo-server] Extract usernames from Active Directory
> From: mRyOuNg <mryoung@soundbomb.net>
> Date: 2011-06-29 04:44
>
>> What about an easy ldap request selecting only samaccountname?
>
> Yup, that's the plan. How do I do that?

ldapsearch -h your-ad-dc.your.domain -b 

Something like this:
# ldapsearch -Z -W -x -H ldap://your-ad-dc.your.domain -b ou=Users,dc=your,dc=domain -D cn=$USER,ou=Users,dc=your,dc=domain cn=$USER samaccountname

pipe through some grep | sed to get just the user names.

The catch is that by default AD won't allow anonymous binds, so you need 
to authenticate to the server to perform the ldapsearch (-D, -W).  To do 
that you usually need to use a secure connection (-Z).  Obviously for 
automated things you should use a service account.  -b tells your search 
where to start looking.  cn=$USER is what to look for (called the search 
filter).  samaccountname is what to return (just a list of attribute 
names, or nothing to return them all).  

I don't recall what it's called exactly atm as I try not to touch 
Windows anymore, but if you dig through mmc on a server machine you 
should be able to find something called adsiedit, or some such, that 
will allow you to browse the actual ldap schema and tree.  That'll help 
inform you what the parameters for each of the above settings should 
actually be in your case.

This is just a simple example.  You can get really fancy with ldap 
search filters or hooking all your stuff up to it through pam for local 
auth.  I'd suggest you use a recent windows server version for that as 
the schema bits necessary to serve unix details seem to be a little bit 
more sane these days.

Hope that helps,
Brian
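
The ldapsearch-to-postmap step discussed in this thread, as an added example that is not part of any poster's message: it unfolds and decodes the LDIF that ldapsearch emits, allow-lists the account names, and replaces the recipient list only when the new one is non-empty and different. `MAIL_DOMAIN`, `BIND_DN`, `BIND_PW_FILE`, the search filter and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example. Live input would come from something like (constructed values):
#   ldapsearch -ZZ -x -LLL -H ldap://your-ad-dc.your.domain -D "$BIND_DN" \
#     -y "$BIND_PW_FILE" -b ou=Users,dc=your,dc=domain \
#     '(&(objectCategory=person)(objectClass=user))' sAMAccountName
MAIL_DOMAIN="example.com"   # assumption: addresses are sAMAccountName@MAIL_DOMAIN

# Constructed LDIF: a folded line, a base64 value ("::") and a computer account.
sample_ldif() {
cat <<'EOF'
dn: CN=Alice,OU=Users,DC=your,DC=domain
sAMAccountName: Alice

dn: CN=Bob,OU=Users,DC=your,DC=domain
sAMAccountName: bo
 b

dn: CN=Carol,OU=Users,DC=your,DC=domain
sAMAccountName:: Y2Fyb2w=

dn: CN=WS01,OU=Users,DC=your,DC=domain
sAMAccountName: WS01$
EOF
}

# LDIF on stdin -> sorted "user@domain OK" lines for postmap.
ldif_to_recipients() {
    awk 'function emit(l,   k) { k = tolower(l)
             if (k ~ /^samaccountname:: /) print "b64", substr(l, 18)
             else if (k ~ /^samaccountname: /) print "raw", substr(l, 17) }
         /^ / { buf = buf substr($0, 2); next }   # unfold continuation lines
         { emit(buf); buf = $0 }
         END { emit(buf) }' |
    while read -r kind value; do
        if [ "$kind" = b64 ]; then
            value=$(printf '%s' "$value" | base64 -d 2>/dev/null) || continue
        fi
        # Allow-list the characters so nothing odd reaches the map file.
        case "$value" in ''|*[!A-Za-z0-9._-]*) continue ;; esac
        printf '%s@%s OK\n' "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" "$MAIL_DOMAIN"
    done | LC_ALL=C sort -u
}

# Install new list $1 as $2 only if non-empty and different; 0 means replaced.
publish_if_changed() {
    [ -s "$1" ] || return 2        # empty result: keep the old list
    if [ -f "$2" ] && cmp -s "$1" "$2"; then rm -f "$1"; return 1; fi
    mv -f "$1" "$2"                # rename is atomic on the same filesystem
}
```

Run `postmap` on the published file only when `publish_if_changed` returns 0. AD returns at most 1000 entries per search by default, so larger directories need paged results.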

