bstjohn

Traverse a directory tree using LDAP

7 posts in this topic

I'm trying to figure out a way to traverse a directory tree using LDAP.  I've read a lot of posts here and mainly they involve using functions designed specifically for Active Directory.  I want this to be more generic so it will work whether it's Novell eDirectory, Active Directory, etc.  In my case I have both, but I primarily use eDirectory.

Here's what I've got so far:

$ObjLDAP = ObjGet("LDAP://192.168.1.1:389/O=MyORG") ; Not the real IP address
$x=0
For $oObj In $ObjLDAP
    $x+=1
    ConsoleWrite($x & ") cn=[" & $oObj.cn & "]" & @CRLF)
    $c=0
    For $class in $oObj.objectClass
        $c+=1
        ConsoleWrite(@TAB & $c & ") class=[" & $class & "]" & @CRLF)
        If $class="organizationalUnit" Then
            ; Switch to this OU and list all object there.
            ; BUT I DON'T KNOW HOW TO DO THIS YET
            ; Switch back to parent container when done.
        EndIf
    Next
    ConsoleWrite(@CRLF)
Next
Exit

This works in that it lists all objects in the ORG.  Here's a sample of the output.

1) o=[] cn=[] 
    1) class=[organizationalUnit]
    2) class=[ndsLoginProperties]
    3) class=[Top]
    4) class=[ndsContainerLoginProperties]

2) o=[] cn=[] 
    1) class=[organizationalUnit]
    2) class=[ndsLoginProperties]
    3) class=[Top]
    4) class=[ndsContainerLoginProperties]

3) o=[] cn=[] 
    1) class=[organizationalUnit]
    2) class=[ndsLoginProperties]
    3) class=[Top]
    4) class=[ndsContainerLoginProperties]

4) o=[] cn=[] 
    1) class=[organizationalUnit]
    2) class=[ndsLoginProperties]
    3) class=[Top]
    4) class=[ndsContainerLoginProperties]

5) o=[] cn=[admingroup] 
    1) class=[Top]
    2) class=[groupOfNames]
    3) class=[posixGroup]
    4) class=[uamPosixGroup]

6) o=[] cn=[apchadmn-Administrators] 
    1) class=[Top]
    2) class=[groupOfNames]

7) o=[] cn=[Everyone] 
    1) class=[groupOfNames]
    2) class=[Top]

8) o=[] cn=[nfradmins] 
    1) class=[groupOfNames]
    2) class=[Top]

9) o=[] cn=[nfrreportusers] 
    1) class=[groupOfNames]
    2) class=[Top]

10) o=[] cn=[Admin] 
    1) class=[inetOrgPerson]
    2) class=[organizationalPerson]
    3) class=[Person]
    4) class=[Top]
    5) class=[ndsLoginProperties]
    6) class=[bhPortalConfigRW]
    7) class=[bhPortalConfigSecretStore]
    8) class=[bhPortalConfig]
    9) class=[swareUserAttr]
    10) class=[swarePointers]
    11) class=[posixAccount]
    12) class=[uamPosixUser]

11) o=[] cn=[dnsdhcp] 
    1) class=[inetOrgPerson]
    2) class=[organizationalPerson]
    3) class=[Person]
    4) class=[ndsLoginProperties]
    5) class=[Top]
    6) class=[posixAccount]
    7) class=[uamPosixUser]

12) o=[] cn=[nfrproxy] 
    1) class=[inetOrgPerson]
    2) class=[organizationalPerson]
    3) class=[ndsLoginProperties]
    4) class=[Person]
    5) class=[Top]

13) o=[] cn=[UNIX Config] 
    1) class=[uamPosixConfig]
    2) class=[Top]
    3) class=[uamPosixGidNumberInfo]
    4) class=[uamPosixUidNumberInfo]

14) o=[] cn=[Apache Group] 
    1) class=[apchadmnConfiguration]
    2) class=[apchadmnServer]
    3) class=[Top]

15) o=[] cn=[apchadmn-Registry] 
    1) class=[apchadmnConfiguration]
    2) class=[apchadmnServer]
    3) class=[Top]

I can determine that the first four objects are OUs.  But how do I switch to those contexts?



That's called recursion. Put everything into a function and call it to traverse the tree.
The wiki has a tutorial about recursion: https://www.autoitscript.com/wiki/Recursion


My UDFs and Tutorials:

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki


Sorry.  Perhaps I did not make myself clear.  I appreciate your help, but I already understand recursion.  What I don't understand is how to switch to a different context in the directory service.


The AD UDF sets the context in function _AD_Open. To switch you would need to close the current connection using _AD_Close and call _AD_Open again with different parameters.


And is _AD_Open specific to Active Directory?  Like I said in my original post, I want to keep this directory agnostic.  I primarily work with Novell eDirectory, but I want my script to be able to work with any LDAP compliant directory service.


Yes. AD in _AD_Open stands for Active Directory. The AD UDF is Active Directory only.
But it might be a good starting point for a general purpose LDAP UDF.


Thanks.  I will look at the code.

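Putting the thread together (recurse, and bind to each child's own ADsPath instead of relying on the AD-only _AD_Open), the following is an added AutoIt example; it is not code from any post above. The server address, base container, depth cap and list of container classes are assumptions. It decides whether to descend by the standard objectClass attribute, the same test the original script already performs, so it behaves identically against eDirectory, Active Directory or any other LDAP server reachable through ADSI.

```autoit
#include <String.au3>

; Assumed values (not from the thread): server, base container, recursion cap.
; Port 389 is cleartext LDAP, as in the original post; use LDAPS (636) outside a lab.
Global Const $g_sBasePath = "LDAP://192.168.1.1:389/O=MyORG"
Global Const $g_iMaxDepth = 20 ; stops runaway recursion through alias or referral loops
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErrHandler") ; log COM errors instead of aborting

_TraverseLDAP($g_sBasePath, 0)
Exit

; Enumerate one container and descend into every child that is itself a container.
Func _TraverseLDAP($sADsPath, $iDepth)
    If $iDepth > $g_iMaxDepth Then
        ConsoleWrite("! depth cap reached at " & $sADsPath & @CRLF)
        Return SetError(2, 0, 0)
    EndIf
    ; Binding to the child's own ADsPath is the "switch to this OU" step asked about above.
    Local $oContainer = ObjGet($sADsPath)
    If Not IsObj($oContainer) Then Return SetError(1, 0, 0)
    For $oChild In $oContainer
        ConsoleWrite(_StringRepeat("    ", $iDepth) & $oChild.Name & "  [" & $oChild.Class & "]" & @CRLF)
        If _IsContainer($oChild) Then _TraverseLDAP($oChild.ADsPath, $iDepth + 1)
    Next
    ; Returning from the function is the "switch back to the parent" step: nothing to undo.
    Return 1
EndFunc

; Decide by the standard objectClass attribute, so no vendor-specific API is needed.
Func _IsContainer($oObj)
    ; Assumed list of structural classes that can hold children (eDirectory, AD, OpenLDAP).
    Local Const $sContainerClasses = "|organization|organizationalunit|container|domain|domaindns|country|locality|"
    For $sClass In $oObj.objectClass ; multi-valued attribute, iterated like the original script
        If StringInStr($sContainerClasses, "|" & StringLower($sClass) & "|") Then Return True
    Next
    Return False
EndFunc

; Report the failing object and carry on with the rest of the tree.
Func _ComErrHandler($oError)
    ConsoleWrite("! COM error 0x" & Hex($oError.number, 8) & " (line " & $oError.scriptline & "): " & $oError.windescription & @CRLF)
EndFunc
```

Objects whose objectClass is not in the list are printed but not descended into, so a group or user that happens to hold children in an unusual schema would need its class added to $sContainerClasses.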
