What LDAP query can be used to enumerate all users in a directory?

0 votes
I’m trying to list all users within an LDAP directory for an audit, but I’m not sure how to construct an LDAP query for this purpose. Are there any standard LDAP queries that can retrieve user account information or list all user entries in the directory?

If there are specific search filters or base DNs to include in the query to narrow down user results, I’d like some guidance on structuring this type of LDAP search.
Nov 6 in Cyber Security & Ethical Hacking by Anupam
• 6,890 points
60 views

1 answer to this question.

0 votes

Creating an LDAP search query with the appropriate base DN, search scope, and search filter is necessary to enumerate every user in an LDAP directory.

1. Base DN (Distinguished Name)

The Base DN is the point in the directory from which the search begins. To enumerate all users, you'll typically start at the highest point that contains all user accounts. This is often the domain component (DC) for the entire organization in Active Directory or a similar high-level organizational unit (OU) in other LDAP systems.

  • Example for Active Directory: dc=example,dc=com
  • Example for a specific OU in any LDAP system: ou=People,dc=example,dc=com

2. Search Scope

  • Subtree: This scope searches the base object and the entire subtree rooted at the base. Use this to find all users under the base DN, regardless of how deeply nested they are.
  • One Level: Only searches objects immediately under the base DN, not including the base DN itself. Use if you're certain all users are directly under the base DN.
  • Base: Searches only the base DN itself. Not applicable for finding all users unless the directory is extremely flat.

For enumerating all users, use "Subtree".

3. Search Filter

This narrows down the results to only include objects that match the filter. For users, you commonly filter by object classes or attributes indicative of user accounts.

Common Filters for Users:

  • For Active Directory and similar systems: (objectClass=user) or (objectCategory=Person)
  • For systems using POSIX accounts (like OpenLDAP with a POSIX schema): (objectClass=posixAccount)
  • Generic, but less specific (matches more than just users in some schemas): (objectClass=person)

Example LDAP Queries:

For Active Directory (Subtree Scope):

  • Base DN: dc=example,dc=com
  • Scope: Subtree
  • Filter: (objectClass=user)
  • LDAP Query String: ldap:///dc=example,dc=com??sub?(objectClass=user)

For OpenLDAP with POSIX Accounts (Subtree Scope):

  • Base DN: dc=example,dc=com
  • Scope: Subtree
  • Filter: (objectClass=posixAccount)
  • LDAP Query String: ldap:///dc=example,dc=com??sub?(objectClass=posixAccount)

Using Command Line Tools (e.g., ldapsearch):

If you're executing these queries from the command line using a tool like ldapsearch, the command might look something like this:

ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" -s sub "(objectClass=user)" "*"

  • -x specifies simple authentication (use -D and -w for authenticated searches).
  • -H specifies the LDAP server.
  • -b sets the base DN.
  • -s sub sets the scope to subtree.
  • (objectClass=user) is the search filter.
  • * returns all attributes for matching entries (use specific attribute names if you only need a few).
answered Nov 18 by CaLLmeDaDDY
• 9,600 points
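
The base DN, scope and filter from the answer above are the fields of an RFC 4516 LDAP URL. The following is an added example, not part of the original answer: it parses such a URL, applies the RFC defaults, and builds the matching ldapsearch argument list with paged results for an audit run. The host names, DNs, bind DN and function names are assumptions made for illustration.

```python
import shlex
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")

def parse_ldap_url(url):
    """Split an RFC 4516 URL of the form scheme://host[:port]/dn?attrs?scope?filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    # The DN belongs after the slash that ends the (possibly empty) host part.
    if "=" in hostport or "?" in hostport:
        raise ValueError("DN found in host position; expected scheme://host/dn")
    fields = [unquote(f) for f in tail.split("?")[:4]]  # 5th field (extensions) ignored
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, flt = fields
    scope = scope or "base"          # RFC 4516 default scope
    flt = flt or "(objectClass=*)"   # RFC 4516 default filter
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub")
    if not flt.startswith("(") or flt.count("(") != flt.count(")"):
        raise ValueError("malformed search filter")
    return {"server": f"{scheme.lower()}://{hostport}", "base": dn,
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": flt}

def ldapsearch_argv(url, bind_dn=None, page_size=500):
    """Build an ldapsearch argument list; passing a list avoids shell quoting issues."""
    q = parse_ldap_url(url)
    argv = ["ldapsearch", "-x", "-LLL", "-H", q["server"]]
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]  # -W prompts for the password
    # Request paged results; without paging, Active Directory caps a single
    # search at its MaxPageSize (1000 by default).
    argv += ["-E", f"pr={page_size}/noprompt",
             "-b", q["base"], "-s", q["scope"], q["filter"]]
    return argv + q["attrs"]

# Constructed samples (hypothetical hosts and DNs). In Active Directory,
# computer accounts also match objectClass=user, so both tests are combined.
AD_URL = ("ldaps://dc01.example.com/dc=example,dc=com"
          "?sAMAccountName,userAccountControl?sub"
          "?(&(objectCategory=person)(objectClass=user))")
POSIX_URL = ("ldap://ldap.example.com/ou=People,dc=example,dc=com"
             "?uid?sub?(objectClass=posixAccount)")

if __name__ == "__main__":
    for u in (AD_URL, POSIX_URL):
        print(shlex.join(ldapsearch_argv(u, bind_dn="cn=auditor,dc=example,dc=com")))
```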
