Attributes not being released from AD

Dave Perry Dave.Perry at hull-college.ac.uk
Mon Feb 15 05:20:38 EST 2016


Highly recommend Softerra LDAP Browser for browsing AD under Windows. I just have to log in to the domain using my staff account and away it goes.

It doesn't even have to be a recent version. I think we've got one that's 2 years old on our machines and it's still behaving itself browsing our domain.


Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
Sent: 12 February 2016 14:11
To: users at shibboleth.net
Subject: Re: Attributes not being released from AD

The uid attribute can be defined in AD, but requires your windows admins to populate it. It may not be set in your domain.
I don't have access to AD since I retired when we were using IDP 2, but you may want to look at AD using some windows tools such as these:

  https://technet.microsoft.com/en-us/sysinternals/adexplorer.aspx

  https://support.microsoft.com/en-us/kb/224543


Using ldapsearch from Unix might also give you some insight into what attributes are in your AD and what your AD admins have done to keep the data clean. It's also a good way to understand LDAP searching and filters.
For example, write some filters to look around for user entries that don't have attributes set as you might expect.


Your AD admins may have users located in locations other than CN=users,DC=coastal,DC=edu.
If you have a forest, users may be in the forest's domains. You did get some referrals; these may be for the sub-domains.

With IDP 2 the basic filter we used was:
(&(objectClass=user)(sAMAccountName=$instancePrincipalName.get(0))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

AD has some special filters to look at the bits in userAccountControl; 2 was "the account is locked".

  https://support.microsoft.com/en-us/kb/269181

If all the attributes you need are in the Global Catalog, which is a collection of some attributes from the forest, you can search the GC.

Work with your AD admins so you use attributes they maintain.


On 2/11/2016 10:11 PM, Daniel Fisher wrote:
> On Thu, Feb 11, 2016 at 5:03 PM, Michael Richter <mrichter at coastal.edu> wrote:
>
>     2016-02-11 16:58:52,577 - DEBUG [org.ldaptive.SearchOperation:168] - execute response=[org.ldaptive.Response at 364560346::result=[org.ldaptive.SearchResult at 4303153::entries=[], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[ldap://DomainDnsZones.coastal.edu/DC=DomainDnsZones,DC=coastal,DC=edu, ldap://ForestDnsZones.coastal.edu/DC=ForestDnsZones,DC=coastal,DC=edu, ldap://coastal.edu/CN=Configuration,DC=coastal,DC=edu], messageId=-1]
>
>
> Your search produced no entries, but you did get some referrals.
>
>     for request=[org.ldaptive.SearchRequest at 1651751780::baseDn=DC=coastal,DC=edu, searchFilter=[org.ldaptive.SearchFilter at 311971475::filter=(uid=mrichter),
>
>
> Confirm that baseDn and search filter are correct. Doesn't Active Directory store users under a branch like CN=users,DC=coastal,DC=edu?
>
> --Daniel Fisher
>
>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
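The filter quoted above, together with the suggestion to write filters that find user entries lacking an expected attribute, as an added worked example that is not part of this thread and not Shibboleth IdP or ldaptive code: a small Python script that builds the sAMAccountName filter with RFC 4515 value escaping, evaluates it against a constructed in-memory directory (the entries, DNs and the DC=example,DC=test suffix are invented), decodes userAccountControl bits, and composes an ldapsearch invocation against the Global Catalog port so that in-forest referrals are not needed. The matching-rule OID 1.2.840.113556.1.4.803 in the filter is LDAP_MATCHING_RULE_BIT_AND; Microsoft's documentation assigns bit 0x2 to ACCOUNTDISABLE and 0x10 to LOCKOUT.

```python
"""Worked example: evaluating AD-style LDAP filters against constructed entries.

Everything below except the matching-rule OIDs and the documented
userAccountControl flag values is constructed for illustration.
"""
from __future__ import annotations

import re
import shlex

# Extensible-match rules Active Directory implements for integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit in the value must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit in the value may be set

# userAccountControl flag bits as documented by Microsoft (ADS_USER_FLAG_ENUM).
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000
UAC_FLAGS = {UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE", UAC_LOCKOUT: "LOCKOUT",
             UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT", UAC_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD"}

# Constructed directory. Attribute names are lower-cased; values are string lists as LDAP returns them.
DIRECTORY = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=test", "objectclass": ["top", "person", "user"],
     "samaccountname": ["alice"], "uid": ["alice"], "useraccountcontrol": ["512"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=test", "objectclass": ["top", "person", "user"],
     "samaccountname": ["bob"], "useraccountcontrol": ["514"]},      # 512 + 2: disabled, no uid
    {"dn": "CN=Carol,OU=Staff,DC=example,DC=test", "objectclass": ["top", "person", "user"],
     "samaccountname": ["carol"], "useraccountcontrol": ["66048"]},  # 0x10200: enabled, no uid
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a principal name taken from a login cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def enabled_user_filter(sam_account_name: str) -> str:
    """The filter shape from the thread: a user by sAMAccountName whose ACCOUNTDISABLE bit is clear."""
    return "(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:%s:=%d)))" % (
        escape_filter_value(sam_account_name), LDAP_MATCHING_RULE_BIT_AND, UAC_ACCOUNTDISABLE)


def missing_attribute_filter(attr: str) -> str:
    """Find user entries that do not carry an attribute the IdP expects (e.g. uid)."""
    return "(&(objectClass=user)(!(%s=*)))" % attr


def parse_filter(s: str, pos: int = 0):
    """Recursive-descent parser for the subset used here: &, |, !, equality, presence, :OID:= match."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = s[pos]
    if op in "&|":
        pos, kids = pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        return (op, kids), pos + 1          # consume the closing ')'
    if op == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", node), pos + 1
    end = s.index(")", pos)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", s[pos:end])
    if not m:
        raise ValueError("unsupported filter item: %s" % s[pos:end])
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, val = node
    values = entry.get(attr, [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any((int(v) & int(val)) == int(val) for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any((int(v) & int(val)) != 0 for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule %s" % rule)
    if val == "*":                                   # presence test
        return bool(values)
    wanted = unescape_filter_value(val).lower()      # escaped '*' is a literal, not a wildcard
    return any(v.lower() == wanted for v in values)


def search(filter_str: str, directory=DIRECTORY) -> list[str]:
    """Return the DNs of entries matching the filter; a real server would also return referrals."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in directory if matches(node, e)]


def decode_uac(value: int) -> list[str]:
    """Names of the known flag bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ldapsearch_command(host: str, base_dn: str, filter_str: str,
                       attrs=("sAMAccountName", "uid"), global_catalog=False) -> str:
    """Compose an OpenLDAP ldapsearch invocation; port 3268 is the Global Catalog for the whole forest."""
    port = 3268 if global_catalog else 389
    argv = ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s:%d" % (host, port), "-b", base_dn, filter_str, *attrs]
    return shlex.join(argv)


if __name__ == "__main__":
    print(search(enabled_user_filter("alice")))
    print(search(missing_attribute_filter("uid")))
    print(decode_uac(514))
    print(ldapsearch_command("dc.example.test", "DC=example,DC=test", "(uid=*)", global_catalog=True))
```

Running the script shows that the disabled account (userAccountControl 514) is excluded by the negated bit-AND term, that two of the three users lack uid (the situation in the original report, where the IdP searched on an attribute nobody had populated), and that an escaped `*` is compared literally rather than as a wildcard.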


