RE: Net::LDAP, Active Directory and Disabled Users

Version of Perl:
   5.8.0 (as supplied with RedHat9)
Version of Net::LDAP:
   [jsteenha@jake utilities]$ perl -mNet::LDAP -e 'print "$Net::LDAP::VERSION\n"'
   0.29
Relevant part of Perl code:
#!/usr/bin/perl

use Net::LDAP;
use Net::LDAP::Filter;

# Disabled accounts: bitwise-AND matching rule against userAccountControl bit 2
$filter = '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))';
#$filter = '(objectCategory=person)';

# Parse the filter locally and print it back as a sanity check
$f = new Net::LDAP::Filter;
$f->parse($filter);
$f->print();
#exit;

my $ldap = Net::LDAP->new('acutex-dc01') or die "$@";
my $mesg = $ldap->bind(dn       => "***valid-account***",
                       password => "***appropriate-password***");
$mesg = $ldap->search( base   => "DC=hilite-ind, DC=net",
                       filter => $filter,
                     );

die $mesg->error if $mesg->code;

# Print every SMTP proxy address of each matching entry
foreach my $entry ($mesg->entries) {
    my @addresses = $entry->get_value("ProxyAddresses");
    foreach my $address (@addresses) {
        if ($address =~ s/^smtp://i) {
            print "$address\n";
        }
    }
}
---- END PERL CODE ----

If the second $filter assignment is uncommented I run into a size limit
so the "die" takes effect, but if I comment out that "die" I get
appropriate results. As is above, the query appears to be sent to the
LDAP server (domain controller) but then it dies when it gets to the
"die if" statement. If I write a similar routine in PHP (some account
info, same machine), then the query correctly returns a list of email
addresses for disabled users.

Regarding the PS: I know. I've tried telling them that the disclaimer is
silly in general and does nothing to protect us legally, but corporate
seems to sleep better at night with it in place or something like that
so they won't remove it.

--
 "Outlook not so good." That magic 8-ball knows everything! I'll ask
about Exchange Server next.


-----Original Message-----
From: Peter Marschall [mailto:peter@adpm.de]
Sent: Tuesday, September 30, 2003 5:11 AM
To: Steenhagen, Jacob; perl-ldap@perl.org
Subject: Re: Net::LDAP, Active Directory and Disabled Users


Hi,

On Monday 29 September 2003 22:50, Steenhagen, Jacob wrote:
> I've been trying to write a simple perl script that will query the active
> directory via LDAP and give me a list of email addresses for disabled users
> (eg, addresses we don't want to accept email for anymore). I found a
> website or two that suggested I use the following as my filter:
>
> (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))
>
> I was beginning to think these websites were wrong as whenever I tried this
> filter, I'd get no results. With other filters, I'd get the results I'd
> expect to get. I then tried that filter in a couple other applications (one
> MS tool and a PHP script running on the same box as my perl script) and it
> worked as expected in those cases. In the interest of testing, I created a
> Net::LDAP::Filter object in my script and it seemed to parse the filter
> fine. But when I try to run it via the search routine of Net::LDAP I get
> the following error:
>
> I/O Error   at ./gather_email.pl line 24, <DATA> line 283.
>
>
> Unfortunately, I'm not an LDAP expert by any means nor am I at all familiar
> with the Net::LDAP code so I think I've hit a stand-still. Has anybody else
> experienced this (I did try a couple searches and came up empty). Or better
> yet, does anybody know how to fix it :).

It would help people willing to help you if they knew
* the interesting parts of your script
* the data you feed it
* the versions of Perl and perl-ldap you use

Peter

PS: the disclaimer you send is ridiculous when sending to a mailing list
      with subscribers from all over the world.

-- 
Peter Marschall
eMail: peter@adpm.de


Jacob
9/30/2003 5:14:32 PM
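
Added example (not part of the original post and not Net::LDAP code): an offline sketch of what the filter item in this thread asks the domain controller to test. OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule and 2 is the "account disabled" bit of userAccountControl; the entries, addresses and helper names are constructed for illustration, and the block also covers the bitwise-OR rule (…804), which the thread does not use.

```perl
use strict;
use warnings;

# Active Directory bitwise matching rules, keyed by OID.
my %RULE = (
    '1.2.840.113556.1.4.803' => sub { ($_[0] & $_[1]) == $_[1] },  # AND: every mask bit set
    '1.2.840.113556.1.4.804' => sub { ($_[0] & $_[1]) != 0 },      # OR: any mask bit set
);

# Split one extensible-match item "(attr:oid:=value)" into attribute, mask and rule.
sub parse_bit_item {
    my ($item) = @_;
    my ($attr, $oid, $mask) = $item =~ /^\(?([\w-]+):([\d.]+):=(\d+)\)?$/
        or die "not an extensible-match item: $item\n";
    my $test = $RULE{$oid} or die "unsupported matching rule: $oid\n";
    return ($attr, $mask + 0, $test);
}

# Return the entries whose attribute value satisfies the bitwise rule.
sub select_entries {
    my ($item, @entries) = @_;
    my ($attr, $mask, $test) = parse_bit_item($item);
    # LDAP values arrive as strings; "+ 0" forces a numeric, not string, "&".
    return grep { defined $_->{$attr} && $test->($_->{$attr} + 0, $mask) } @entries;
}

# Keep only SMTP proxy addresses, with the "smtp:" prefix removed.
sub smtp_addresses {
    my ($entry) = @_;
    my @out;
    for my $addr (@{ $entry->{proxyAddresses} || [] }) {
        push @out, $1 if $addr =~ /^smtp:(.+)$/i;
    }
    return @out;
}

# Constructed sample entries (hypothetical accounts, values as strings like LDAP returns).
my @entries = (
    { userAccountControl => '512',   proxyAddresses => ['SMTP:alice@example.test'] },
    { userAccountControl => '514',   proxyAddresses => ['SMTP:bob@example.test',
                                                        'X400:c=US;p=Example;'] },
    { userAccountControl => '66050', proxyAddresses => ['smtp:carol@example.test'] },
    { proxyAddresses     => [] },    # entry without userAccountControl never matches
);

my $item = '(userAccountControl:1.2.840.113556.1.4.803:=2)';
for my $entry (select_entries($item, @entries)) {
    print "$_\n" for smtp_addresses($entry);
}
```

Only the 514 (512 + 2) and 66050 (65536 + 512 + 2) entries are selected, which is why the bitwise rule catches disabled accounts that an equality test on a single value would miss.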