Posted: June 6, 2013 | Author: Kyle Crawford | Filed under: Active Directory, Deployment, LDAP, Mac OS X, Mac OS X Server, Scripting, Security, Unix | Tags: Active Directory, security, dsconfigad, AD, computer, password, account, system keychain, keychain, one-liner |
Does that count as a one liner?
Posted: December 1, 2011 | Author: Kyle Crawford | Filed under: Active Directory, LDAP, Security, Unix | Tags: auth, authentication, digest, gssapi, Kerberos, LDAP, ldapsearch, list, mechanisms, password, sasl, security |
You don’t have to use insecure clear-text simple bind authentication to access your LDAP servers.
Get list of supported authentication mechanisms:
ldapsearch -h example.com -x -b "" -s base -LLL supportedSASLMechanisms
Kerberos GSSAPI Example:
kinit
ldapsearch -v -Y GSSAPI -h example.com -b "DC=example,DC=com" "(sAMAccountName=someusername)"
DIGEST-MD5 Example:
ldapsearch -v -Y DIGEST-MD5 -h example.com -U someusername -R example.com -b "DC=example,DC=com" \
"(sAMAccountName=someusername)"
Note: For Active Directory DIGEST-MD5 authentication to work, you may need to enable reversible encryption on the account’s password and then change the user’s password once.
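Added example (not from the original post): a shell helper that parses the supportedSASLMechanisms reply and picks GSSAPI or DIGEST-MD5, stopping when neither is offered instead of falling back to a simple bind. The preference order, the function names and the sample replies are assumptions of this example.

```shell
# Added example: pick a SASL mechanism from the rootDSE query shown above.
# Preference order is this example's assumption: Kerberos first, then digest.
PREFERRED="GSSAPI DIGEST-MD5"

# list_mechs: read LDIF on stdin, print each advertised mechanism on its own
# line. Attribute names are case-insensitive; strip CRs from Windows output.
list_mechs() {
    tr -d '\r' |
        awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print toupper($2) }'
}

# pick_mech: read LDIF on stdin, print the first preferred mechanism offered.
# Returns 1 when none is offered so the caller can stop instead of falling
# back to a clear-text simple bind.
pick_mech() {
    offered=$(list_mechs)
    for want in $PREFERRED; do
        if printf '%s\n' "$offered" | grep -qxF "$want"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# sasl_search HOST BASE FILTER: hypothetical wrapper, defined but not called.
# GSSAPI needs a kinit ticket first; for DIGEST-MD5 add -U and -R as above.
sasl_search() {
    mech=$(ldapsearch -h "$1" -x -b "" -s base -LLL supportedSASLMechanisms | pick_mech) || {
        echo "$1 offers none of: $PREFERRED; not using simple bind" >&2
        return 1
    }
    ldapsearch -v -Y "$mech" -h "$1" -b "$2" "$3"
}

# Constructed rootDSE replies (not captured from a real server).
SAMPLE_AD='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5'
SAMPLE_DIGEST='dn:
supportedsaslmechanisms: digest-md5
supportedsaslmechanisms: PLAIN'
SAMPLE_WEAK='dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN'

printf '%s\n' "$SAMPLE_AD" | pick_mech    # prints GSSAPI
```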