regygys

ldap request in a different domain

4 posts in this topic

#1 ·  Posted (edited)

Hi,

I need your help with an LDAP request.

I have two domains, XX and XY, and they trust each other.

When I execute the script as the XX administrator on the XX domain, the script works.

But when I use the script as the XX administrator on the XY domain, the script does not work...

; $domain, $filter and $name are set elsewhere in the poster's script; placeholder values are assumed here
Local $domain = "xy.example/DC=xy,DC=example" ; placeholder: server and base DN of the domain to query
Local $filter = ""                            ; placeholder: optional extra filter clause
Local $name = "COMPUTER01"                    ; placeholder: CN of the computer object to look up

$objConnection = ObjCreate("ADODB.Connection")
$objConnection.Open("Provider=ADsDSOObject;")
$objCommand = ObjCreate("ADODB.Command")
$objCommand.ActiveConnection = $objConnection
; the search scope keyword is "subtree" ("substree" in the original post is not a valid scope)
$objCommand.CommandText = "<LDAP://" & $domain & ">;(&(objectCategory=Computer)" & $filter & "(CN=" & $name & "));operatingSystem;subtree"
$objRecordSet = $objCommand.Execute
If $objRecordSet.RecordCount = 0 Then
    ; no computer object matched the filter
EndIf

How can I make an LDAP request to a different domain when the administrator has the required rights there?

Edited by regygys
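The command string in the post above is built by concatenating `$filter` and `$name` straight into the LDAP filter, and its scope keyword is misspelt. The following Python model of the ADsDSOObject command string format (`<LDAP://server/baseDN>;(filter);attrs;scope`) is an added example, not the poster's code or any AutoIt library: it escapes the CN value per RFC 4515 so a value such as `*)(cn=*` cannot change the meaning of the query, and it rejects an invalid scope keyword before the string is sent. The server name, base DN and computer name used in the usage call are constructed placeholders.

```python
"""Build an ADO/ADSI ("ADsDSOObject") command string with a safely escaped filter.

Added example (not the forum poster's code). The format modelled is the one the
ADSI OLE DB provider accepts:  <LDAP://server/baseDN>;(filter);attr1,attr2;scope
"""

VALID_SCOPES = {"base", "onelevel", "subtree"}

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_scope(scope: str) -> bool:
    """True only for the three scope keywords the provider understands."""
    return scope in VALID_SCOPES


def build_adsi_query(server, base_dn, name, extra_filter="", attrs=("operatingSystem",), scope="subtree"):
    """Return the command string for 'computers named <name>' in the given domain.

    server      DC host name or DNS domain name (constructed placeholder in the usage call)
    base_dn     search base, e.g. the domain's default naming context
    name        computer CN; escaped, never interpolated raw
    extra_filter optional, must already be a parenthesised filter component
    """
    if not is_valid_scope(scope):
        raise ValueError(f"invalid scope {scope!r}; expected one of {sorted(VALID_SCOPES)}")
    if extra_filter and not (extra_filter.startswith("(") and extra_filter.endswith(")")):
        raise ValueError("extra_filter must be a parenthesised filter component")
    ldap_filter = f"(&(objectCategory=Computer){extra_filter}(CN={escape_filter_value(name)}))"
    root = f"{server}/{base_dn}" if base_dn else server
    return f"<LDAP://{root}>;{ldap_filter};{','.join(attrs)};{scope}"


if __name__ == "__main__":
    # Constructed placeholder values for a cross-domain lookup
    print(build_adsi_query("xy.example", "DC=xy,DC=example", "PC01"))
    print(build_adsi_query("xy.example", "DC=xy,DC=example", "a*)(cn=*"))
```

The second call shows why escaping matters: the attempted `)(cn=*` never leaves the CN assertion, so the query still matches only a computer literally named that way. Keeping the scope check separate (`is_valid_scope`) makes the "substree" typo from the original post fail fast instead of producing an empty or erroring result set that looks like a permissions problem.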


I am trying to do something similar where I need to authenticate myself to the LDAP from a machine that is not on the domain. I haven't got it to fully work yet, but here is a snippet of my code and maybe you or someone else can help figure this out.

$objConnection = ObjCreate("ADODB.Connection") ; Create COM object to AD
$objConnection.Provider = "ADsDSOObject"
$objConnection.Properties("User ID") = "domain\userid" ; explicit credentials instead of the logged-on user's context
$objConnection.Properties("Password") = "password"
$objConnection.Properties("Encrypt Password") = True
$objConnection.Properties("ADSI Flag") = 3 ; ADS_SECURE_AUTHENTICATION (1) + ADS_USE_ENCRYPTION (2)
$objConnection.Open("Active Directory Provider") ; Open connection to AD
$objRootDSE = ObjGet("LDAP://RootDSE") ; serverless bind: uses the current security context, not the credentials set above
$objCommand = ObjCreate("ADODB.Command")
$objCommand.ActiveConnection = $objConnection

Also check out this link - http://www.microsoft.com/technet/scriptcen...05/hey1209.mspx

Hope this points you in the right direction.


I am trying to do something similar where I need to authenticate myself to the LDAP from a machine that is not on the domain. I haven't got it to fully work yet, but here is a snippet of my code and maybe you or someone else can help figure this out.

I've put this working code together from different sources. The code should be cleaned up and split into more functions (authenticate, getDN, isMemberOfGroup, etc.).

CODE

$oMyError = ObjEvent("AutoIt.Error", "ComError") ; route COM errors to ComError() instead of aborting the script

Global $strDNSDomain = "10.255.255.38" ; DC address (or DNS domain name) to bind to
Global $group = "Users"                ; a group the user must be a member of
Global $objGroupList                   ; Scripting.Dictionary of visited groups, shared with EnumGroups()
Global $strGrpPassed = False           ; set to True by EnumGroups() when $group is found
Global $o                              ; LDAP provider object used for OpenDSObject()

$isValid = authenticate("username", "password") ; returns 1 for success!

Func authenticate($user, $password)
    Local $objConnection, $objRecordSet, $strQuery, $userdn, $objUser
    Local $ADS_SECURE_AUTHENTICATION = 0x0001

    $objConnection = ObjCreate("ADODB.Connection") ; Create COM object to AD
    $objConnection.Provider = "ADsDSOObject"
    $objConnection.Properties("Encrypt Password") = 1
    $objConnection.Properties("ADSI Flag") = $ADS_SECURE_AUTHENTICATION
    $objConnection.Properties("User ID") = $user
    $objConnection.Properties("Password") = $password
    $objConnection.Open("Active Directory Provider") ; Open connection to AD

    ; not needed:
    ;$objRootDSE = ObjGet("LDAP://" & $strDNSDomain & "/RootDSE")
    ;Global $strDNSDomain_ = $objRootDSE.Get("defaultNamingContext") ; Retrieve the current AD domain name

    $strQuery = "<LDAP://" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");distinguishedName;subtree"
    $objRecordSet = $objConnection.Execute($strQuery) ; Retrieve the DN of the user being authenticated
    If @error <> 0 Then Return 0
    If $objRecordSet.EOF Then
        SetError(2)
        Return 0 ; user not found
    Else
        $userdn = $objRecordSet.Fields(0).Value
    EndIf

    $strGrpPassed = False
    $o = ObjGet("LDAP:")
    ; Bind to the user object with the supplied credentials (1 = ADS_SECURE_AUTHENTICATION)
    $objUser = $o.OpenDSObject("LDAP://" & $strDNSDomain & "/" & $userdn, $user, $password, 1)

    ; Bind to dictionary object.
    $objGroupList = ObjCreate("Scripting.Dictionary")
    $objGroupList.CompareMode = 1 ; vbTextCompare; must be set before any item is added

    ; Enumerate group memberships.
    EnumGroups($objUser, $user, $password)
    Return $strGrpPassed ; return True if authentication and membership of $group is ok.
EndFunc

Func EnumGroups($objADObject, $user, $password)
    ; Recursive subroutine to enumerate user group memberships.
    ; Includes nested group memberships.
    Local $colstrGroups, $objGroup, $j

    $colstrGroups = $objADObject.memberOf
    If IsString($colstrGroups) Then
        ; a multi-valued attribute with exactly one value comes back as a plain string, not an array
        Local $single[1] = [$colstrGroups]
        $colstrGroups = $single
    ElseIf Not IsArray($colstrGroups) Then
        Return ; no group memberships
    EndIf

    For $j = 0 To UBound($colstrGroups) - 1
        $objGroup = $o.OpenDSObject("LDAP://" & $strDNSDomain & "/" & $colstrGroups[$j], $user, $password, 1)
        If Not $objGroupList.Exists($objGroup.sAMAccountName) Then
            $objGroupList.Add($objGroup.sAMAccountName, True) ; mark visited so nested or mutual memberships cannot loop forever
            ; $group should be a parameter to function call, not global
            If $group = StringRight($objGroup.Name, StringLen($objGroup.Name) - 3) Then ; strip the "CN=" prefix
                $strGrpPassed = True
            EndIf
            EnumGroups($objGroup, $user, $password)
        EndIf
    Next
    $objGroup = 0 ; release the COM object
EndFunc

; COM Error function
Func ComError()
    If IsObj($oMyError) Then
        Local $HexNumber = Hex($oMyError.number, 8)
        SetError($HexNumber)
    Else
        SetError(1)
    EndIf
    Return 0
EndFunc ;==>ComError
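The EnumGroups routine above walks memberOf recursively and uses a dictionary of already-seen groups so that nested or mutually-nested groups cannot recurse forever. The following Python is an added example, not the poster's code: an in-memory stand-in for the directory (constructed entries, with G1 and G2 as members of each other) replaces the OpenDSObject calls, so the cycle-safe traversal and the membership test can be exercised offline. As in the AutoIt code, the visited set is keyed on sAMAccountName and the comparison is case-insensitive; the DNs and names are constructed placeholders.

```python
"""Nested group membership walk with cycle protection, modelled on EnumGroups.

Added, constructed example (not the forum thread's code). The dict below stands
in for the directory: DN -> attributes, with memberOf holding group DNs exactly
as the real attribute does. G1 and G2 reference each other on purpose.
"""

DIRECTORY = {
    "CN=alice,OU=Staff,DC=xy,DC=example": {
        "sAMAccountName": "alice",
        "name": "CN=alice",
        "memberOf": ["CN=G1,OU=Groups,DC=xy,DC=example"],
    },
    "CN=G1,OU=Groups,DC=xy,DC=example": {
        "sAMAccountName": "G1",
        "name": "CN=G1",
        "memberOf": ["CN=G2,OU=Groups,DC=xy,DC=example"],
    },
    "CN=G2,OU=Groups,DC=xy,DC=example": {
        "sAMAccountName": "G2",
        "name": "CN=G2",
        "memberOf": [
            "CN=G1,OU=Groups,DC=xy,DC=example",        # cycle back to G1
            "CN=Users,CN=Builtin,DC=xy,DC=example",
        ],
    },
    "CN=Users,CN=Builtin,DC=xy,DC=example": {
        "sAMAccountName": "Users",
        "name": "CN=Users",
        "memberOf": [],
    },
    "CN=bob,OU=Staff,DC=xy,DC=example": {
        "sAMAccountName": "bob",
        "name": "CN=bob",
        "memberOf": [],
    },
}


def enum_groups(directory, obj_dn, seen):
    """Collect the lower-cased sAMAccountNames of every group obj_dn belongs to.

    `seen` plays the role of the Scripting.Dictionary in the AutoIt code: a
    group that was already visited is not expanded again, which is what stops
    the G1 <-> G2 loop. Returns the same set for convenience.
    """
    obj = directory.get(obj_dn)
    if obj is None:
        return seen                       # unknown DN: nothing to enumerate
    for group_dn in obj.get("memberOf", []):
        group = directory[group_dn]
        key = group["sAMAccountName"].lower()   # case-insensitive, like CompareMode = vbTextCompare
        if key in seen:
            continue
        seen.add(key)
        enum_groups(directory, group_dn, seen)
    return seen


def is_member_of(directory, user_dn, group_name):
    """True if user_dn is a direct or nested member of group_name."""
    return group_name.lower() in enum_groups(directory, user_dn, set())


if __name__ == "__main__":
    alice = "CN=alice,OU=Staff,DC=xy,DC=example"
    print(sorted(enum_groups(DIRECTORY, alice, set())))
    print(is_member_of(DIRECTORY, alice, "Users"))
```

Without the `seen` check the walk would bounce between G1 and G2 until the recursion limit; the AutoIt original has the same protection, but it also sets CompareMode inside the recursive routine, which fails once the dictionary is non-empty and is silently absorbed by the COM error handler. Setting the compare mode once, before the first insert, is the equivalent of constructing the set before the walk starts here.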


I haven't yet found a way to query a different domain with an account from another domain that has the rights to do it...

Any ideas?
