!!!LDAP Lightweight Directory Access Protocol の略。 ネットワーク上のユーザなどの資源情報を一元管理する仕組み。 WindowsのADもLDAPの機能を提供している。 !!LinuxのコマンドによるLDAP openldap-clients が必要。 ldapsearch -h サーバ -D ユーザ -w パスワード -b サーチベース フィルタ 例: ldapsearch -h ad_host -D test@vmware.local -w pass -b "DC=vmware,DC=local" "(sAMAccountName=hoge)" ldapsearch -x -h ldap_server -b "DC=vmware,DC=local" "(uid=hoge)" !!PHPによるLDAP [[PHPでActive Directory を用いた認証]] !!PerlによるLDAP [[perl でActive Directory を用いた認証]] !!リフェラル機能 http://software.fujitsu.com/jp/manual/manualfiles/M050000/B1WN4911/01/idmgr05/idmgr279.htm リフェラル機能は、InfoDirectoryサーバからリフェラル情報(ldap-url)が通知された場合、その情報で指定されたInfoDirectoryサーバに対して同様の要求を行い情報を取得する機能です。 !!フィルタのサンプル http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx ,"Query","LDAP Filter" ,"All user objects","(&(objectCategory=person)(objectClass=user))" ,"All user objects (Note 1)","(sAMAccountType=805306368)" ,"All computer objects","(objectCategory=computer)" ,"All contact objects","(objectClass=contact)" ,"All group objects","(objectCategory=group)" ,"All organizational unit objects","(objectCategory=organizationalUnit)" ,"All container objects","(objectCategory=container)" ,"All builtin container objects","(objectCategory=builtinDomain)" ,"All domain objects","(objectCategory=domain)" ,"Computer objects with no description","(&(objectCategory=computer)(!(description=*)))" ,"Group objects with a description","(&(objectCategory=group)(description=*))" ,"Users with cn starting with "Joe"","(&(objectCategory=person)(objectClass=user)(cn=Joe*))" ,"Object with description "East\West Sales"(Note 2)","(description=East\5CWest Sales)" ,"Phone numbers in form (xxx) xxx-xxx","(telephoneNumber=(*)*-*)" ,"Groups with cn starting with"Test" or "Admin"","(&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))" ,"All users with both a first and last name.","(&(objectCategory=person)(objectClass=user)(givenName=*)(sn=*))" ,"All users with direct reports but nomanager","(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))" ,"All users with specified email address","(&(objectCategory=person)(objectClass=user)(|(proxyAddresses=*:jsmith@company.com)(mail=jsmith@company.com)))" ,"Object with Common Name 'Jim * Smith'(Notes 3, 19)" ,"(cn=Jim \2A Smith)" ,"Objects with sAMAccountName that beginswith 'x', 'y', or 'z'","(sAMAccountName>=x)" ,"Objects with sAMAccountName that beginswith "a" or any number or symbol except "$"","(&(sAMAccountName<=a)(!(sAMAccountName=$*)))" ,"All users with "Password Never Expires" set(Note 4)","(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" ,"All disabled user objects (Note 4)","(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" ,"All enabled user objects (Note 4)","(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" ,"All users not required to have a password(Note 4)","(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" ,"All users with "Do not require kerberospreauthentication" enabled","(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" ,"Users with accounts that do not expire(Note 5)","(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" ,"Users with accounts that do expire (Note 5)","(&(objectCategory=person)(objectClass=user)(accountExpires>=1)(accountExpires<=9223372036854775806))" ,"Accounts trusted for delegation(unconstrained delegation)","(userAccountControl:1.2.840.113556.1.4.803:=524288)" ,"Accounts that are sensitive and not trustedfor delegation","(userAccountControl:1.2.840.113556.1.4.803:=1048574)" ,"All distribution groups (Notes 4, 15)","(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" ,"All security groups (Notes 4, 19)","(groupType:1.2.840.113556.1.4.803:=2147483648)" ,"All built-in groups (Notes 4, 16, 19)","(groupType:1.2.840.113556.1.4.803:=1)" ,"All global groups (Notes 4, 19)","(groupType:1.2.840.113556.1.4.803:=2)" ,"All domain local groups (Notes 4, 19)","(groupType:1.2.840.113556.1.4.803:=4)" ,"All universal groups (Notes 4, 19)","(groupType:1.2.840.113556.1.4.803:=8)" ,"All global security groups (Notes 17, 19)","(groupType=-2147483646)" ,"All universal security groups (Notes 17, 19)","(groupType=-2147483640)" ,"All domain local security groups(Notes 17, 19)","(groupType=-2147483644)" ,"All global distribution groups (Note 19)","(groupType=2)" ,"All objects with service principal name","(servicePrincipalName=*)" ,"Users with "Allow Access" on "Dial-in"tab of ADUC(Note 6)","(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))" ,"Users with "Control access thoughNPS Network Policy" on "Dial-in" tab of ADUC","(&(objectCategory=person)(objectClass=user)(!(msNPAllowDialin=*)))" ,"All groups created after March 1, 2011","(&(objectCategory=group)(whenCreated>=20110301000000.0Z))" ,"All users that must change their passwordat next logon","(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))" ,"All users that changed their password sinceApril 15, 2011 (CST) (Note 7)","(&(objectCategory=person)(objectClass=user)(pwdLastSet>=129473172000000000))" ,"All users with "primary" groupother than "Domain Users"","(&(objectCategory=person)(objectClass=user)(!(primaryGroupID=513)))" ,"All computers with "primary" group"Domain Computers"","(&(objectCategory=computer)(primaryGroupID=515))" ,"Object with GUID"90395F191AB51B4A9E9686C66CB18D11"(Note 8)","(objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11)" ,"Object beginning with GUID"90395F191AB51B4A"(Note 8)","(objectGUID=\90\39\5F\19\1A\B5\1B\4A*)" ,"Object with SID "S-1-5-21-73586283-152049171-839522115-1111" (Note 9)","(objectSID=S-1-5-21-73586283-152049171-839522115-1111)" ,"Object with SID "0105000000000005150000006BD662041316100943170A3257040000"(Note 9)","(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32\57\04\00\00)" ,"All computers that are notDomain Controllers (Note 4)","(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))" ,"All Domain Controllers (Note 4)","(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" ,"All Domain Controllers (Notes 14, 19)","(primaryGroupID=516)" ,"All servers","(&(objectCategory=computer)(operatingSystem=*server*))" ,"All member servers (not DC's) (Note 4)","(&(objectCategory=computer)(operatingSystem=*server*)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))" ,"All direct members of specified group","(memberOf=cn=Test,ou=East,dc=Domain,dc=com)" ,"All users not direct members ofa specified group","(&(objectCategory=person)(objectClass=user)(!(memberOf=cn=Test,ou=East,dc=Domain,dc=com)))" ,"All groups with specified direct member(Note 19)","(member=cn=Jim Smith,ou=West,dc=Domain,dc=com)" ,"All members of specified group, includingdue to group nesting (Note 10)","(memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)" ,"All groups specified user belongs to,including due to group nesting (Notes 10, 19)","(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)" ,"Objects with givenName 'Jim*' and sn 'Smith*', or with cn 'Jim Smith*' (Note 11)","(anr=Jim Smith)" ,"All attributes in the Schema containerreplicated to the GC (Notes 6, 12)","(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" ,"All operational (constructed) attributes inthe Schema container (Notes 4, 12)","(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))" ,"All attributes in the Schema container notreplicated to other Domain Controllers(Notes 4, 12)","(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))" ,"All objects where deletion is not allowed(Notes 4)","(systemFlags:1.2.840.113556.1.4.803:=2147483648)" ,"Attributes whose values are copied whenthe object is copied (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=16)" ,"Attributes preserved in tombstone objectwhen object deleted (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=8)" ,"Attributes in the Ambiguous NameResolution (ANR) set (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=4)" ,"Attributes in the Schema that areindexed (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=1)" ,"Attributes marked confidential inthe schema (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=128)" ,"Attributes in the RODC filtered attributeset, or FAC (Notes 4, 12)","(searchFlags:1.2.840.113556.1.4.803:=512)" ,"All site links in the Configurationcontainer (Note 13)","(objectClass=siteLink)" ,"The nTDSDSA objects associated withall Global Catalogs. This will identify all DC'sthat are GC's. (Note 4)","(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))" ,"The nTDSDSA object associated with thePDC Emulator. This will identify the DCwith the PDC Emulator FSMO role (Note 18).",(&(objectClass=domainDNS)(fSMORoleOwner=*)) ,"The nTDSDSA object associated with theRID Master. This will identify the DCwith the RID Master FSMO role (Note 18).",(&(objectClass=rIDManager)(fSMORoleOwner=*)) ,"The nTDSDSA object associated with theInfrastructure Master. This will identify the DCwith this FSMO role (Note 18).","(&(objectClass=infrastructureUpdate)(fSMORoleOwner=*)) " ,"The nTDSDSA object associated with theSchema Master. This will identify the DC withthe Schema Master FSMO role (Note 18).",(&(objectClass=dMD)(fSMORoleOwner=*)) ,"The nTDSDSA object associated with theDomain Naming Master. This will identify theDC with this FSMO role (Note 18).","(&(objectClass=crossRefContainer)(fSMORoleOwner=*)) " ,"All Exchange servers in the Configurationcontainer (Note 13)","(objectCategory=msExchExchangeServer)" ,"All objects protected by AdminSDHolder","(adminCount=1)" ,"All trusts established with a domain","(objectClass=trustedDomain)" ,"All Group Policy objects","(objectCategory=groupPolicyContainer)" ,"All service connection point objects","(objectClass=serviceConnectionPoint)" ,"All Read-Only Domain Controllers(Notes 4, 19)","(userAccountControl:1.2.840.113556.1.4.803:=67108864)" {{category2 ネットワーク}}