#1 2024-11-29 10:18:33

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

LDAP ad search

Hello,

Is it relatively easy to search for a user in AD with mORMot2?
I need two functionalities:

1. Search for user and display details (attributes) based on sAMaccountName
2. List all users, groups in given domain.

Can you guys help with code?


#2 2024-11-29 11:45:34

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

TLdapClient can do all this.

The easiest way is to first search in the code and its documentation.
After a two-second search, you would find TLdapClient high-level methods like GetUserInfo, GetGroups and GetUsers.


#3 2024-12-01 13:51:12

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

Thank you, simple advice, but effective.
Works like a charm! Finally some good AD stuff for Delphi/Pascal!


#4 2024-12-01 15:32:40

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

We are still working on it, including validating it with some huge AD (150,000 users, and 300,000 groups - don't ask me why).
It is already much faster than the ldap3 client in Python: we use the mORMot LDAP client instead of Python's now for our IT code.
And it has some unique features, like the automatic detection of the local AD using CLDAP broadcasting over the network.


#5 2024-12-01 23:40:29

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

Good, only tough tests can reveal issues... so 150k and 300k are not "too big".

btw: LdapClient.GetUsers, is there any known problem with 1000+ users, or is some special usage needed?
If there are more than 1000 I'm getting 0 found; when tested on about 850, all were listed and it worked perfectly.

Last edited by johnnysynop (2024-12-01 23:57:51)


#6 Yesterday 07:46:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

Ah, you are right, pagination was not enabled for this method.

Please try
https://github.com/synopse/mORMot2/commit/5ab2fa97
It should be enabled now for all high-level GetUser, GetGroups and GetComputers methods.


#7 Yesterday 09:05:38

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

Number of users found: 6657
...
...
All listed.


Works brilliantly, thank you.

Last edited by johnnysynop (Yesterday 09:08:52)


#8 Yesterday 10:19:38

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

@ab,
I found another possible issue, or maybe I'm missing something.

It seems that domain local groups (gtDomainLocal) are not included in the group listing returned by GetGroups (with no filter applied).
If this is the default behavior, how can I force it to include all groups?

Currently, all 'Security Group - Domain Local' type groups are missing from the list. From that screenshot: https://i.imgur.com/PXLMGeQ.png

Last edited by johnnysynop (Yesterday 12:32:46)


#9 Yesterday 12:38:09

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

If you leave FilterUac and UnFilterUac to their default [] there should be no restriction in the generated filter.

The filter used should be '(sAMAccountType=268435456)' which should return all groups.
Or is this filter wrong?
Perhaps we should also include satNonSecurityGroup = 268435457
(I am no AD expert myself)


#10 Yesterday 13:19:12

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

Yep, I thought the same, that no filter should return all, so it's not returning all :(
Sounds like a bug, it should work with this filter:


Groups := LdapClient.GetGroups(
  [],
  [],
  '',
  '',
  '',
  nil
);

I have also tried with different values:

Groups := LdapClient.GetGroups(
  [],
  [],
  '',
  '(sAMAccountType=268435456)',
  '',
  nil,
  atDistinguishedName
);

Last edited by johnnysynop (Yesterday 13:55:38)


#11 Yesterday 13:35:16

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

To be super clear:
1. Testing on today's latest commits with the pagination fix.
2. I have 130 groups; mORMot finds a count of 125 and lists 125, totally missing those 5 groups from the screenshot https://i.imgur.com/PXLMGeQ.png :
type "Security Group - Domain Local" (with attributes as below)
groupType= "-2147483644"
sAMAccountType= "536870912"

With no filter, it should simply list them too.
With or without different filters, those are missing anyway.

Last edited by johnnysynop (Yesterday 14:15:24)


#12 Yesterday 14:21:29

johnnysynop
Member
Registered: 2018-07-01
Posts: 37

Re: LDAP ad search

How do I use it, assuming the code above? I doubt it will help...

ab wrote:

Perhaps we should also include satNonSecurityGroup = 268435457
(I am no AD expert myself)


#13 Yesterday 14:36:01

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

In fact, after discussion here with my local AD experts, it sounds like we should not use sAMAccountType at all.

We will use object classes, with some caveats (e.g. that a computer inherits from the user objectclass).
Stay tuned.


#14 Yesterday 16:44:22

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,679
Website

Re: LDAP ad search

OK, I have made a huge refactoring of the LDAP client unit, introducing a new TObjectFilter enumeration.
In fact, having the proper filter e.g. for users, computers or groups is kind of complex, because sAMAccountType=% does not work as we expected.

For your particular issue, please try GetGroups() with
https://github.com/synopse/mORMot2/commit/d6b2c5ec
Now I can see local groups returned.

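The filter discussion in posts #11 and #14 (the sAMAccountType value carried by the missing domain local groups, and the objectClass approach with its "a computer inherits from the user objectclass" caveat) can be reproduced offline. The Python block below is an added example, not mORMot code and not anything posted in the thread: it implements a small evaluator for the RFC 4515 filter subset `(attr=value)`, `(&...)`, `(|...)`, `(!...)` and runs the thread's filters over a constructed set of AD-like entries. The entry DNs and attribute sets are assumptions; the numeric constants are the Microsoft-documented sAMAccountType and groupType values, three of which are quoted in the thread.

```python
# Added example, not mORMot code: a tiny RFC 4515 filter evaluator run over
# constructed AD-like entries, to reproduce the group-listing gap from the thread.
from typing import Any

# sAMAccountType values (Microsoft-documented constants; the thread quotes the first three)
SAM_GROUP_OBJECT = 268435456               # 0x10000000 global/universal security group
SAM_NON_SECURITY_GROUP_OBJECT = 268435457  # 0x10000001 distribution group
SAM_ALIAS_OBJECT = 536870912               # 0x20000000 domain local security group
SAM_USER_OBJECT = 805306368                # 0x30000000 user AND computer accounts

# groupType bit flags (Microsoft-documented); the attribute is stored as a signed 32-bit int
GROUP_TYPE_FLAGS = {
    0x00000002: "global",
    0x00000004: "domain local",
    0x00000008: "universal",
    0x80000000: "security-enabled",
}


def decode_group_type(value: int) -> set[str]:
    """Name the flags set in a groupType value, e.g. -2147483644 -> 0x80000004."""
    bits = value & 0xFFFFFFFF
    return {name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit}


def parse_filter(text: str) -> tuple:
    """Parse (attr=value), (&..), (|..), (!..) into a tree (assumption: no escapes or wildcards)."""
    pos = 0

    def node() -> tuple:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree: tuple, entry: dict[str, Any]) -> bool:
    """Evaluate a parsed filter; attribute names are case-insensitive, values compared as strings."""
    op = tree[0]
    if op == "=":
        values = entry.get(tree[1], [])
        if not isinstance(values, list):
            values = [values]
        return any(str(v).lower() == tree[2].lower() for v in values)
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    return not matches(tree[1][0], entry)   # "!" carries exactly one child


# Constructed sample directory (not real data); attribute keys are stored lowercase.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"dn": "CN=GlobalSec", "objectclass": ["top", "group"],
     "samaccounttype": SAM_GROUP_OBJECT, "grouptype": -2147483646},        # 0x80000002
    {"dn": "CN=LocalSec", "objectclass": ["top", "group"],
     "samaccounttype": SAM_ALIAS_OBJECT, "grouptype": -2147483644},        # 0x80000004, as in post #11
    {"dn": "CN=Distribution", "objectclass": ["top", "group"],
     "samaccounttype": SAM_NON_SECURITY_GROUP_OBJECT, "grouptype": 2},    # 0x00000002
    {"dn": "CN=alice", "objectclass": USER_CLASSES, "samaccounttype": SAM_USER_OBJECT},
    {"dn": "CN=WS01", "objectclass": USER_CLASSES + ["computer"], "samaccounttype": SAM_USER_OBJECT},
]


def search(filter_text: str, entries: list[dict[str, Any]] = SAMPLE_ENTRIES) -> list[str]:
    """Return the DNs of the entries matching an LDAP filter string."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for f in ["(sAMAccountType=268435456)",
              "(objectClass=group)",
              "(objectClass=user)",
              "(&(objectClass=user)(!(objectClass=computer)))"]:
        print(f"{f:50} -> {search(f)}")
    print("groupType -2147483644 =", sorted(decode_group_type(-2147483644)))
```

Run as a script, the first filter returns only the global group: domain local groups carry sAMAccountType 536870912 and distribution groups 268435457, so `(sAMAccountType=268435456)` drops both, which is the 125-of-130 result in post #11. `(objectClass=group)` returns all three groups, while `(objectClass=user)` alone also returns the computer account, which is why a users filter needs the `(!(objectClass=computer))` exclusion that post #14 alludes to.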
