I have code that works correctly to connect to an Active Directory server:
Dim oDSObj: Set oDSObj = GetObject("LDAP:")
Dim oAuth: Set oAuth = oDSObj.OpenDSObject("LDAP://ldap.domain.com", "DOMAIN\username", "password", 1)
However, I can't seem to figure out the syntax to make this work against an OpenLDAP Server:
Dim oDSObj: Set oDSObj = GetObject("LDAP:")
Dim oAuth: Set oAuth = oDSObj.OpenDSObject("LDAP://ldap.domain.com/ou=Users", "username", "password", 1)
To be honest, I'm a bit of a n00b when it comes to LDAP, so I don't understand what dc vs cn vs ou means (I know they stand for org unit, common name etc) but I don't get when you need to tack that on to queries.
Once I connect to the Active Directory server, the following code queries it:
dc = ""
Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open "Ads Provider", "DOMAIN\username", "password" '
Dim rs: Set rs = oConn.Execute("<LDAP://ldap.domain.com" & dc & ">;(& (objectCategory=person)(objectClass=user)(sAMAccountName=" & GetLDAPUserName(sPerson) & "));name,mail,telephoneNumber;subtree")
But I realize that sAMAccountName is an AD specific thing, so the openLDAP code will need a different syntax.
The user is 'ldapuser' with a password of 'password', stored here:
ou=Users,dc=domain,dc=com
What is the code to connect to that LDAP server and query for account info?
I finally figured it out:
sUser = "myusername"
sDN = "cn=" & sUser & ",ou=people,dc=company,dc=com"
sRoot = "LDAP://ldapservername.com/dc=company,dc=com"
Dim oDS: Set oDS = GetObject("LDAP:")
Dim oAuth: Set oAuth = oDS.OpenDSObject(sRoot, sDN, "password", &H0200)
Dim oConn: Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open "Ads Provider", sDN, "password"
Dim rs
Set rs = oConn.Execute("<" & sRoot & ">;(uid=" & sUser & ");cn,mail,telephoneNumber;subtree")
wscript.echo rs("cn").value
wscript.echo rs("mail").value
wscript.echo rs("telephoneNumber").value
Thanx a lot for your code Michael. I've modified it to simply authenticate users (user-password) using the central OpenLDAP server. Here is the code that worked for me (MSAccess 2003):
sUser = "TheUserName"
sDN = "uid=" & sUser & ",o=users,dc=MyDomain,dc=it"
sRoot = "LDAP://MyLDAPServer/o=users,dc=MyDomain,dc=it"
Dim oDS: Set oDS = GetObject("LDAP:")
On Error GoTo AuthError
Dim oAuth: Set oAuth = oDS.OpenDSObject(sRoot, sDN, "ThePassword", &H200)
On Error GoTo 0
MsgBox "Login Successful"
Exit Sub
AuthError:
If Err.Number = -2147023570 Then
MsgBox "Wrong Username or password !!!"
End If
On Error GoTo 0
Related
I am creating a script that will allow me to enter a username in our domain, and have it look up attributes from their AD profile.
So first I am getting the users' DN. Once I have that - I can run;
Set objAD = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & ***I NEED DN HERE***)
and query specific attributes to be output.
So what I need to do is somehow get the DN into a variable to put into the LDAP query. I know (I think) I need to get it from the Do Loop below, but am having a complete blank and can't figure out how to just put the whole DN into a variable.
Username = InputBox("Enter UserName to lookup...")
Set rootDSE = GetObject("LDAP://RootDSE")
base = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"
fltr = "(&(objectClass=user)(objectCategory=Person)" & "(sAMAccountName=" & UserName & "))"
attr = "distinguishedName,sAMAccountName"
scope = "subtree"
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & fltr & ";" & attr & ";" & scope
Set rs = cmd.Execute
Do Until rs.EOF
WScript.Echo rs.Fields("distinguishedName").Value
rs.MoveNext
Loop
rs.Close
conn.Close
In case anyone has the same problem - it was an easy fix.
Just needed to write it to a variable instead of echoing.
Do Until rs.EOF
strDN = rs.Fields("distinguishedname").value
rs.MoveNext
Loop
I am experiencing difficulty with the following VBS
set conn = createobject("ADODB.Connection")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
strQueryDL = "<LDAP://company.address.com/cn=address>;(&(objectCategory=person)(objectClass=user));distinguishedName,adspath;subtree"
set objCmd = createobject("ADODB.Command")
objCmd.ActiveConnection = Conn
objCmd.Properties("SearchScope") = 2 ' we want to search everything
objCmd.Properties("Page Size") = 500 ' and we want our records in lots of 500
objCmd.CommandText = strQueryDL
Set objRs = objCmd.Execute
While Not objRS.eof
wscript.echo objRS.Fields("distinguishedName")
' do something with objRS.Fields("distinguishedName")'
objRS.MoveNext
Wend
Please help me, I just started vbscripting and this was from an answer in this website.
wscript.echo objRS.Fields("distinguishedName")
The error was from the above line/code. How do I display out the field or convert it to display?
LDAP://company.address.com/cn=address is not a valid LDAP URL (see here). The search base must be a distinguished name, e.g.:
LDAP://company.address.com/cn=address,dc=address,dc=com
The distinguished name of the domain (dc=address,dc=com) can be obtained like this:
Set rootDSE = GetObject("LDAP://RootDSE")
WScript.Echo rootDSE.Get("defaultNamingContext")
I am trying to port over Thunderbird/Firefox profile customization scripts from OS X to Windows 7. On OS X they are super simple, using ldapsearch -x -h ldap.place.edu uid="username" to retrieve the email address, real name etc from the OpenLDAP server then throwing these variables into the various configuration files before the applications are loaded.
On Windows this is much more complex, I started trying to use the search.vbs activedirectory/ldap tool that comes with Windows Server 2003 but it doesn't work properly, I also tried simply writing a quick vbs script to connect and query but I always get errors either that the server won't process the request or that just fails... here is my latest vbs script that totally flunks out...
Dim oConn,oRS,vSearch,vCount,vMailList,vValue,vProblem,vMsg
vProblem = False
vSearch = "(uid=username)"
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "ADs Provider", "ou=people,dc=place,dc=edu"
Set oRS = oConn.Execute("<LDAP://ldap.place.edu/dc=edu/dc=place>;" & vSearch &_";cn,mail")
vCount = 1
While not oRS.EOF
For Each vValue in oRS.Fields(0).value
WScript.Echo vValue
Next
vCount = vCount + 1
oRS.MoveNext
Wend
Figured it out a little while back and totally forgot about this, so here it is. I realised I was trying to connect to a anonymous server but was providing a DN while implies a password level of authentication instead of the simple version I needed.
'Server name
sRoot = "LDAP://server"
Dim oDS: Set oDS = GetObject("LDAP:")
'Don't provide a DN for anonymous authentication, also &H0010 implies simple auth mode
Dim oAuth: Set oAuth = oDS.OpenDSObject(sRoot, "", "", &H0010)
Dim oConn: Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open "Ads Provider", sDN
Dim rs
'Execute query
Set rs = oConn.Execute("<" & sRoot & ">;(uid=testuser);cn,mail;subtree")
'retrieve values
z = rs.Fields.Item(0).Value
x = rs.Fields.Item(1).Value
I'm trying to write a vb script that prompts a user for a schema attribute which I'll call bID and checks that the person with that bID is in active directory. I really have no idea how to get started, there are plenty of examples on how to query active directory users but I havent found a good one regarding checking against specific attributes. Any help/suggestions are greatly appreciated!
UPDATE:
ok heres my code so far, doesnt error out and returns 0, but I dont get a wscript.echo of the distinguished name for some reason. I included a few debugging wscript.echo's and it seems to never get into the while loop. Any ideas?
Option Explicit
GetUsers "CN=users,DC=example,DC=example,DC=example,DC=com","123456"
Function GetUsers(domainNc, ID)
Dim cnxn
Set cnxn = WScript.CreateObject("ADODB.Connection")
cnxn.Provider = "ADsDSOObject"
cnxn.Open "Active Directory Provider"
Dim cmd
Set cmd = WScript.CreateObject("ADODB.Command")
cmd.ActiveConnection = cnxn
cmd.CommandText = "<LDAP://" & domainNc & ">;(&(objectCategory=user)(objectClass=user) (employeeNumber=" & ID & "));distinguishedName;subtree"
WScript.Echo cmd.CommandText
cmd.Properties("Page Size") = 100
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False
WScript.Echo "setting cmd.properties"
Dim rs
Set rs = cmd.Execute
WScript.Echo "rs object set"
While Not rs.eof
On Error Resume Next
WScript.Echo "while loop start"
Wscript.Echo rs.fields("distinguishedName".Value)
rs.MoveNext
If (Err.Number <> 0) Then
WScript.Echo vbCrLf& "Error # "& CStr(Err.Number)& " "& Err.Description
Else
On Error GoTo 0
End If
Wend
WScript.Echo "while loop end"
rs.close
WScript.Echo "rs object closed"
cnxn.Close
Set rs = Nothing
Set cmd = Nothing
Set cnxn = Nothing
End Function
Here's some vbscript that will find all users with bID=FooVal and write their DN out
Function GetUsers(domainNc, bIdVal)
Dim cnxn
Set cnxn = WScript.CreateObject("ADODB.Connection")
cnxn.Provider = "ADsDSOObject"
cnxn.Open "Active Directory Provider"
Dim cmd
Set cmd = WScript.CreateObject("ADODB.Command")
cmd.ActiveConnection = cnxn
cmd.CommandText = "<LDAP://" & domainNc & ">;(&(objectCass=user)(objectCategory=person)(bid=" & bidVal & "));distinguishedName;subtree"
cmd.Properties("Page Size") = 100
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False
Dim rs
Set rs = cmd.Execute
While Not rs.eof
Wscript.Echo rs.fields("distinguishedName").Value
rs.MoveNext
Wend
rs.close
cnxn.Close
Set rs = Nothing
Set cmd = Nothing
Set cnxn = Nothing
End Function
In Active Directory, there is a tab called "Dial-In", and under that tab is a radio button control with three settings:
Allow Access
Deny Access
Control access through remote access policy
I'd like to write a VBScript to take a user name, and return the setting for that user.
(I'm actually modifying an existing VBScript, which is why I am forced to use that tool).
What is the best way to do that?
Here is the best solution I was able to come up with. It is easy to modify it to output the setting for all users.
Main
Function Main
'Usage: cscript /nologo lookup.vbs mydomain username
Wscript.Echo CanDialIn(Wscript.Arguments(0), Wscript.Arguments(1))
Main = 0
End Function
Function CanDialIn(domainname, username)
'Take a user name and query whether they have permission to Dial in or not
'http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0825.mspx
Const ADS_SCOPE_SUBTREE = 2
Dim objConnection
Dim objCommand
Dim objRecordSet
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
'Three possible values for msNPAllowDialin:
'TRUE = "Allow Access"
'FALSE = "Deny Access"
'EMPTY = "Control access through remote access policy"
objCommand.CommandText = _
"SELECT msNPAllowDialin FROM 'LDAP://dc=" & domainname & ",dc=com' WHERE objectCategory='user' AND sAMAccountName = '" & username & "'"
On Error Resume Next
Set objRecordSet = objCommand.Execute
if objRecordSet.EOF then
CanDialIn = "Could not find user " & username
else
if objRecordSet.Fields("msNPAllowDialin").Value = True then
CanDialIn = "Allow"
else
if objRecordSet.Fields("msNPAllowDialin").Value = False then
CanDialIn = "Deny"
else
CanDialIn = "Control"
end if
end if
end if
End Function