PowerShell, LDAP and retrieving operational attributes

  • Question

  • Hello. I am using PowerShell and DirectoryServices.DirectorySearcher LDAP code to query a non-AD LDAP server. I can retrieve all attributes except operational attributes such as createtimestamp and modifytimestamp.

    Interestingly, if I switch to using the LDAPConnection class in the Protocols namespace, and specify "+" in the attribute list, I can retrieve operational attributes, but not any other attributes.

    Does anyone have suggestions on how I can retrieve these attributes?

    Thanks

    Friday, January 15, 2016 8:20 PM

Answers

  • I don't believe you can retrieve operational attributes with DirectorySearcher. In the past, I always bind to the object with the DN and retrieve the value(s) with code similar to:

    $User = [ADSI]"LDAP://$UserDN"
    # tokenGroups is a constructed attribute; RefreshCache makes the server compute it for this object
    $User.psbase.RefreshCache("tokenGroups")
    $SIDs = $User.Properties.Item("tokenGroups")

    I do this even though I am retrieving other attributes for the user or users with DirectorySearcher, so I must have found this to be the only method that worked.

    Edit: Of course, I am querying AD. I don't have a non-AD LDAP server.


    Richard Mueller - MVP Enterprise Mobility (Directory Services)


    Friday, January 15, 2016 9:25 PM
    Moderator

All replies

  • That is correct. If you specify any property you have to specify every property you want.


    \_(ツ)_/

    Friday, January 15, 2016 9:32 PM
  • If I explicitly list the attributes and include one or more of the operational attributes, it completely chokes.

    Actually, it shows the operational values, but on the regular attributes it says:

    You cannot call a method on a null-valued expression
    At line 62 char 3
    $searchEntries.attributes["givenname"].GetValue('string')

    • Edited by PSWizard Friday, January 15, 2016 10:37 PM
    Friday, January 15, 2016 10:22 PM
  • Here is the code. Notice the "+" for the attribute list parameter.

    [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
    [System.Reflection.Assembly]::LoadWithPartialName("System.Net")

    # Connect
    $c = New-Object System.DirectoryServices.Protocols.LdapConnection "ldapserver"

    # Set session options
    $c.SessionOptions.SecureSocketLayer = $false;

    # Pick Authentication type
    $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

    # Gets username and pwd.
    $user = "user"
    $pass = "pass"
    $credentials = new-object "System.Net.NetworkCredential" -ArgumentList $user,$pass

    # Bind with the network credentials. Depending on the type of server,
    $c.Bind($credentials);

    $basedn = "ou=somecontainer"
    $filter = "(&(objectClass=person)(uniqueIdentifier=value))"
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    # "+" on its own requests only operational attributes (RFC 3673); user attributes such as sn are not returned
    $attrlist = ,"+"

    $r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn,$filter,$scope,$attrlist

    $re = $c.SendRequest($r);

    foreach($searchEntries in $re.Entries)
    {
      $searchEntries.attributes['createtimestamp'].GetValues('string')
      # 'sn' was never requested, so this attribute is $null and the method call fails
      $searchEntries.attributes['sn'].GetValues('string')
    }



    • Edited by PSWizard Friday, January 15, 2016 10:46 PM
    Friday, January 15, 2016 10:43 PM
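A search that returns both kinds of attributes, added here as an example and not code from the thread: RFC 3673 defines "+" as "all operational attributes" and "*" as "all user attributes", so requesting both in one SearchRequest gives sn and createTimestamp together; the block also binds over LDAPS instead of a clear-text simple bind and checks for attributes the server did not return before calling a method on them. The server name, bind credentials, base DN and filter are placeholders, and it assumes a directory that honours "+" (the poster's non-AD server).

```powershell
# Added example: user + operational attributes in one search, over LDAPS.
# Placeholders: ldap.example.com, the base DN and the filter.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'ldap.example.com:636'    # placeholder host, LDAPS port
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $server
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id

# A Basic (simple) bind sends the password in clear text unless the session is
# wrapped in TLS; keep server-certificate validation at its default (do not
# install an always-true VerifyServerCertificate callback).
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# Prompt for the bind DN and password instead of embedding them in the script.
$cred = Get-Credential -Message 'LDAP bind DN and password'
$conn.Bind($cred.GetNetworkCredential())

$baseDn = 'ou=people,dc=example,dc=com'          # placeholder
$filter = '(&(objectClass=person)(uid=jdoe))'    # placeholder
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
# "*" = all user attributes, "+" = all operational attributes (RFC 3673).
$attrs  = '*', '+'

$req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $baseDn, $filter, $scope, $attrs
$res = $conn.SendRequest($req)

function Get-AttrValues {
    param($Entry, [string]$Name)
    # Attributes the server did not return are absent from the collection,
    # so test for them rather than calling GetValues on $null.
    if ($Entry.Attributes.Contains($Name)) {
        return $Entry.Attributes[$Name].GetValues([string])
    }
    return @()
}

foreach ($entry in $res.Entries) {
    [pscustomobject]@{
        DN              = $entry.DistinguishedName
        sn              = (Get-AttrValues $entry 'sn') -join ';'
        createTimestamp = (Get-AttrValues $entry 'createTimestamp') -join ';'
        modifyTimestamp = (Get-AttrValues $entry 'modifyTimestamp') -join ';'
    }
}
```

If only a few attributes are needed, list them explicitly (for example 'sn','createTimestamp') rather than pulling every attribute with '*','+', which keeps the result set and the data exposed to the script to what the task requires.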
  • If I explicitly list the attributes and include one or more of the operational attributes, it completely chokes.

    Actually, it shows the operational values, but on the regular attributes it says:

    You cannot call a method on a null-valued expression
    At line 62 char 3
    $searchEntries.attributes["givenname"].GetValue('string')

    Doesn't make any sense.


    \_(ツ)_/

    Saturday, January 16, 2016 3:13 AM
  • Here is the code. Notice the "+" for the attribute list parameter.

    [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
    [System.Reflection.Assembly]::LoadWithPartialName("System.Net")

    # Connect
    $c = New-Object System.DirectoryServices.Protocols.LdapConnection "ldapserver"

    # Set session options
    $c.SessionOptions.SecureSocketLayer = $false;

    # Pick Authentication type
    $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

    # Gets username and pwd.
    $user = "user"
    $pass = "pass"
    $credentials = new-object "System.Net.NetworkCredential" -ArgumentList $user,$pass

    # Bind with the network credentials. Depending on the type of server,
    $c.Bind($credentials);

    $basedn = "ou=somecontainer"
    $filter = "(&(objectClass=person)(uniqueIdentifier=value))"
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $attrlist = ,"+"

    $r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn,$filter,$scope,$attrlist

    $re = $c.SendRequest($r);

    foreach($searchEntries in $re.Entries)
    {
      $searchEntries.attributes['createtimestamp'].GetValues('string')
      $searchEntries.attributes['sn'].GetValues('string')
    }



    I have no idea where you got this from but it appears to be total nonsense.

    Try to state what it is you are trying to accomplish. Don't post some kind of badly converted code that you do not understand.


    \_(ツ)_/

    Saturday, January 16, 2016 3:18 AM
  • If I explicitly list the attributes and include one or more of the operational attributes, it completely chokes.

    Actually, it shows the operational values, but on the regular attributes it says:

    You cannot call a method on a null-valued expression
    At line 62 char 3
    $searchEntries.attributes["givenname"].GetValue('string')


    What you are posting makes no sense. If you ask for a bad attribute then the add will fail with an exception.

    \_(ツ)_/

    Saturday, January 16, 2016 3:26 AM
  • Retrieving an operational attribute like tokenGroups is allowed with a Base search; see the sample code below:


    Axel Limousin ITSI - IT Training School 93300 Aubervilliers, France

    Unfortunately, your code has many missing parts, such as "$LDAP_Connection_Service." not being defined and the required types not being loaded.


    \_(ツ)_/

    Sunday, June 10, 2018 5:02 PM
  • Also note that an LDAP filter that specifies a "SamAccountName" does not require any other filter elements, as that attribute is unique within a domain.

    Richard Mueller's solution is much simpler when grabbing an account's token groups.


    \_(ツ)_/


    • Edited by jrv Sunday, June 10, 2018 5:14 PM
    Sunday, June 10, 2018 5:12 PM