LDAP searches of AD

LDAP searches of AD

Post by Joshua Hesling » Fri, 10 Jan 2003 06:19:07



I have a couple of questions about searching Active Directory via LDAP. We
have Exchange 2000 but want to be able to allow our non-Exchange (POP3)
users to search AD for e-mail addresses.

MS KB article 269690 talks a little bit about this for OE 5/6, and using the
settings there, I'm able to point OE to port 3268 on a global catalog server
with a search base of NULL, provide some credentials, and find whoever I
want. Here are my 2 questions:

1) Is it possible to adjust the security on Active Directory to allow
anonymous LDAP searches?

2) Does anyone know how to search LDAP via a non-Microsoft e-mail client
(Eudora, Netscape, Mozilla, etc.)? You can put the same settings that you
use in OE into Netscape, and you don't get anywhere (no results returned).

With Mozilla 1.2, I'm able to search if I use a Base DN of
"dc=child_domain_name,dc=root_domain_name" and a Bind DN of
"cn=account_name,cn=Users,dc=child_domain_name,dc=root_domain_name", but
this only gets me accounts in a single domain. I can't seem to find the
magic LDAP syntax that would search the entire forest (I've tried
"o=Exchange_organization_name", "dc=root_domain_name", etc.) I don't have
any of these problems searching non-Microsoft LDAP directories.

I've found postings in Google's groups and Microsoft's groups about this,
but no one seems to have any answers as to what's different about AD or how
to search it with non-Microsoft clients. I'm not a LDAP guru and would
appreciate any help.


LDAP searches of AD

Post by phoenix1 » Fri, 10 Jan 2003 11:21:04



> I have a couple of questions about searching Active Directory via LDAP. We
> have Exchange 2000 but want to be able to allow our non-Exchange (POP3)
> users to search AD for e-mail addresses.

> MS KB article 269690 talks a little bit about this for OE 5/6, and using the
> settings there, I'm able to point OE to port 3268 on a global catalog server
> with a search base of NULL, provide some credentials, and find whoever I
> want. Here are my 2 questions:

> 1) Is it possible to adjust the security on Active Directory to allow
> anonymous LDAP searches?

> 2) Does anyone know how to search LDAP via a non-Microsoft e-mail client
> (Eudora, Netscape, Mozilla, etc.)? You can put the same settings that you
> use in OE into Netscape, and you don't get anywhere (no results returned).

> With Mozilla 1.2, I'm able to search if I use a Base DN of
> "dc=child_domain_name,dc=root_domain_name" and a Bind DN of
> "cn=account_name,cn=Users,dc=child_domain_name,dc=root_domain_name", but
> this only gets me accounts in a single domain. I can't seem to find the
> magic LDAP syntax that would search the entire forest (I've tried
> "o=Exchange_organization_name", "dc=root_domain_name", etc.) I don't have
> any of these problems searching non-Microsoft LDAP directories.

> I've found postings in Google's groups and Microsoft's groups about this,
> but no one seems to have any answers as to what's different about AD or how
> to search it with non-Microsoft clients. I'm not a LDAP guru and would
> appreciate any help.

I'm in the same boat as you are man!!
I'm buying the active directory book from o'reilly.com......well
recommended.  I found several ldap things on technet...but they are very
general...not specific enough for this situation.

good luck man!!

Oskar


LDAP searches of AD

Post by Kevin Lasenb » Fri, 10 Jan 2003 23:23:15


LDAP and AD are fun aren't they ;)

Answer to 1: yes you can, when you ran DCPromo it asked if
you wanted "Pre windows 2000 access" or not.  Saying "yes"
gives anonymous access to AD, saying "no" (recommended)
prevents this.  There is a group in AD called "Pre-Windows
2000 Compatible Access" that will enable anonymous access
if you selected "no".

Answer to 2: If you bind to port 3268 on a Global Catalog
server and set your base DN to be either blank, or the
root of your forest it should return all GC replicated
objects in the forest.  I'd recommend installing the
Windows 2000 Support tools (from the CD) and testing with
LDP.exe.

Good luck!

>-----Original Message-----
>I have a couple of questions about searching Active Directory via LDAP. We
>have Exchange 2000 but want to be able to allow our non-Exchange (POP3)
>users to search AD for e-mail addresses.

>MS KB article 269690 talks a little bit about this for OE 5/6, and using the
>settings there, I'm able to point OE to port 3268 on a global catalog server
>with a search base of NULL, provide some credentials, and find whoever I
>want. Here are my 2 questions:

>1) Is it possible to adjust the security on Active Directory to allow
>anonymous LDAP searches?

>2) Does anyone know how to search LDAP via a non-Microsoft e-mail client
>(Eudora, Netscape, Mozilla, etc.)? You can put the same settings that you
>use in OE into Netscape, and you don't get anywhere (no results returned).

>With Mozilla 1.2, I'm able to search if I use a Base DN of
>"dc=child_domain_name,dc=root_domain_name" and a Bind DN of
>"cn=account_name,cn=Users,dc=child_domain_name,dc=root_domain_name", but
>this only gets me accounts in a single domain. I can't seem to find the
>magic LDAP syntax that would search the entire forest (I've tried
>"o=Exchange_organization_name", "dc=root_domain_name", etc.) I don't have
>any of these problems searching non-Microsoft LDAP directories.

>I've found postings in Google's groups and Microsoft's groups about this,
>but no one seems to have any answers as to what's different about AD or how
>to search it with non-Microsoft clients. I'm not a LDAP guru and would
>appreciate any help.


LDAP searches of AD

Post by bv » Fri, 31 Jan 2003 09:26:05


I'm trying to use the ADSI SDK's IDirectorySearch Interface objects
converting the MS C++ and VB examples to Delphi with no success. I wish
I knew what I was doing wrong.

Here is what I have so far.

uses Windows, SysUtils, Dialogs, ComCtrls, ComObj, ActiveX, ActiveDs_TLB;

// ADsOpenObject is a flat export of activeds.dll, not part of the type
// library import, so it needs its own declaration.
function ADsOpenObject(lpszPathName, lpszUserName, lpszPassword: PWideChar;
    dwReserved: DWORD; const riid: TGUID; out ppObject): HResult; stdcall;
    external 'activeds.dll';

const
    S_ADS_NOMORE_ROWS = $00005012;  // from adserr.h

procedure TForm1.Button4Click(Sender: TObject);
var
    i : integer;
    hr : HResult;
    col : ads_search_column;
    pSearchPref: array[0..10] of ADS_SEARCHPREF_INFO;
    pszAttrNames: array[0..2] of PWideChar;
    pszSearchBase: WideString;
    pszSearchFilter: WideString;
    dwNumberAttributes: DWORD;
    dwCurrPref: DWORD;
    dwAuthFlags: DWORD;
    pDSSearch: IDirectorySearch;
    hSearchHandle: Pointer; // ADS_SEARCH_HANDLE
begin
    pDSSearch := nil;
    hSearchHandle := nil;

    // nil user name and password with ADS_SECURE_AUTHENTICATION bind as the
    // logged-on user; an empty string would be attempted as an anonymous bind.
    dwAuthFlags := ADS_SECURE_AUTHENTICATION;
    pszSearchBase := 'LDAP://DC=yourDomain,DC=com';
    hr := ADsOpenObject(PWideChar(pszSearchBase), nil, nil, dwAuthFlags,
                        IID_IDirectorySearch, pDSSearch);
    if Failed(hr) then begin
        ShowMessage('ADsOpenObject failed: hr=' + IntToHex(hr, 8));
        Exit;
    end;

    // Search the whole subtree below the base (ADS_SCOPE_SUBTREE, not 100)
    dwCurrPref := 0;
    pSearchPref[dwCurrPref].dwSearchPref := ADS_SEARCHPREF_SEARCH_SCOPE;
    pSearchPref[dwCurrPref].vValue.dwType := ADSTYPE_INTEGER;
    pSearchPref[dwCurrPref].vValue.__MIDL_0010.Integer := ADS_SCOPE_SUBTREE;
    Inc(dwCurrPref);

    hr := pDSSearch.SetSearchPreference(pSearchPref[0], dwCurrPref);
    if hr <> S_OK then begin
        for i := 0 to dwCurrPref - 1 do
            if pSearchPref[i].dwStatus <> ADS_STATUS_S_OK then
                ShowMessage('Error setting preference ' +
                    IntToStr(pSearchPref[i].dwSearchPref) +
                    ': status = ' + IntToStr(pSearchPref[i].dwStatus));
    end;

    // The attribute names must be filled in: GetColumn looks a column up by
    // the same name, and an unset pszAttrNames[0] is a dangling pointer.
    pszAttrNames[0] := 'ADsPath';
    pszAttrNames[1] := 'name';
    pszAttrNames[2] := 'sAMAccountName';
    dwNumberAttributes := 3;

    pszSearchFilter := '(objectCategory=user)';
    hr := pDSSearch.ExecuteSearch(PWideChar(pszSearchFilter), pszAttrNames[0],
                                  dwNumberAttributes, hSearchHandle);
    if Failed(hr) then begin
        ShowMessage('ExecuteSearch failed: hr=' + IntToHex(hr, 8));
        Exit;
    end;

    try
        hr := pDSSearch.GetNextRow(hSearchHandle);
        // S_ADS_NOMORE_ROWS is a success code, so test for it explicitly
        while (hr <> S_ADS_NOMORE_ROWS) and Succeeded(hr) do begin
            for i := 0 to dwNumberAttributes - 1 do begin
                hr := pDSSearch.GetColumn(hSearchHandle, pszAttrNames[i], col);
                if Succeeded(hr) then begin
                    // All three requested attributes are case-ignore strings
                    if (col.dwADsType = ADSTYPE_CASE_IGNORE_STRING) and
                       (col.pADsValues <> nil) then
                        lbDsSearch.Items.Add(WideString(pszAttrNames[i]) + ': ' +
                            col.pADsValues.__MIDL_0010.CaseIgnoreString)
                    else
                        lbDsSearch.Items.Add('Unexpected ADsType: ' +
                            IntToHex(col.dwADsType, 8));
                    pDSSearch.FreeColumn(col);  // was 'search.FreeColumn', undefined
                end;
            end;
            hr := pDSSearch.GetNextRow(hSearchHandle);
        end;
    finally
        pDSSearch.CloseSearchHandle(hSearchHandle);
    end;
end;

-Brooks Vaughn


>I have a couple of questions about searching Active Directory via LDAP. We
>have Exchange 2000 but want to be able to allow our non-Exchange (POP3)
>users to search AD for e-mail addresses.

>MS KB article 269690 talks a little bit about this for OE 5/6, and using the
>settings there, I'm able to point OE to port 3268 on a global catalog server
>with a search base of NULL, provide some credentials, and find whoever I
>want. Here are my 2 questions:

>1) Is it possible to adjust the security on Active Directory to allow
>anonymous LDAP searches?

>2) Does anyone know how to search LDAP via a non-Microsoft e-mail client
>(Eudora, Netscape, Mozilla, etc.)? You can put the same settings that you
>use in OE into Netscape, and you don't get anywhere (no results returned).

>With Mozilla 1.2, I'm able to search if I use a Base DN of
>"dc=child_domain_name,dc=root_domain_name" and a Bind DN of
>"cn=account_name,cn=Users,dc=child_domain_name,dc=root_domain_name", but
>this only gets me accounts in a single domain. I can't seem to find the
>magic LDAP syntax that would search the entire forest (I've tried
>"o=Exchange_organization_name", "dc=root_domain_name", etc.) I don't have
>any of these problems searching non-Microsoft LDAP directories.

>I've found postings in Google's groups and Microsoft's groups about this,
>but no one seems to have any answers as to what's different about AD or how
>to search it with non-Microsoft clients. I'm not a LDAP guru and would
>appreciate any help.


LDAP searches of AD

Post by Carl Appello » Sat, 01 Feb 2003 04:37:51


Well, here's a stupid question.  Do you really have "LPAD" in your string,
as shown below in your code sample?  If so, change it to "LDAP" !

Otherwise, what's not working?

Carl


> I'm trying to use the ADSI SDK's IDirectorySearch Interface objects
> converting the MS C++ and VB examples to Delphi with no success. I wish
> I knew what I was doing wrong.

...

>     pszSearchBase := 'LPAD://DC=yourDomain,DC=com';
>     hr := ADsOpenObject(pszSearchBase,
>               pszUserName,
>               pszPassword,
>               dwAuthFlags,
>               IID_IDirectorySearch,
>               pDSSearch);


LDAP searches of AD

Post by Brooks Vaugh » Wed, 05 Feb 2003 02:07:49


Thanks for the reply.

Yes it was correct (LDAP://...) in the program code... Just a typo in
the E-Mail message.

Still not successful in using the IDirectorySearch object.

-Brooks


>Well, here's a stupid question.  Do you really have "LPAD" in your string,
>as shown below in your code sample?  If so, change it to "LDAP" !

>Otherwise, what's not working?

>Carl


>>I'm trying to use the ADSI SDK's IDirectorySearch Interface objects
>>converting the MS C++ and VB examples to Delphi with no success. I wish
>>I knew what I was doing wrong.

>...

>>    pszSearchBase := 'LPAD://DC=yourDomain,DC=com';
>>    hr := ADsOpenObject(pszSearchBase,
>>              pszUserName,
>>              pszPassword,
>>              dwAuthFlags,
>>              IID_IDirectorySearch,
>>              pDSSearch);


