Garth,
I've been working on something similar, but right now my script is rather messy
and only queries 2 domains. However, I thought I would give you my 3
'workhorse' functions. They are ldapBind, getGrpMem, and printGrpMem. I have
pasted them below.
What I do in my script is get an entry to a group and start processing each
member. If any of the member entries matches the regex
/.*CN=ForeignSecurityPrincipals.*/ then I know that the entry belongs to
another domain. I then do a query on that ForeignSecurityPrincipals object to
get it's objectSid. Later in my script, I query my second domain for that
objectSid and extract information from it.
I hope that this can assist you. If you do anything interesting with this,
please post back to the list. I would be interested in an easy way to do this
as well.
#**********************************************************************
# Takes:
# $ldapConn - reference to an LDAP connection
# $entry - reference to an LDAP entry that is a group
# $attrib - array reference that is a list of attributes to get
from each member
# Returns:
# Returns a list of all of the members of the group.
# Example:
# $members = getGrpMem($ldap,$entry,[EMAIL PROTECTED])
#**********************************************************************
sub getGrpMem {
my $ldapConn = shift;
my $entry = shift;
my $attrib = shift;
my $retVal = {};
my $array = $entry->get_value('member',asref => 1);
foreach my $arrayVal (@$array) {
my $searchRes = $ldapConn->search(
base => $arrayVal,
filter => '(objectclass=*)',
scope => 'base',
attrs => @$attrib
);
if ($searchRes->code == 0) {
foreach my $entry2 ($searchRes->entries) {
$retVal->{$entry2->get_value('cn')} = {};
foreach my $indAttr (@$attrib) {
$retVal->{$entry2->get_value('cn')}->{$indAttr} = $entry2->get_value($indAttr);
}
}
} else {
print "Error with search for $arrayVal:\n" .
$searchRes->error . "\n";
}
}
return $retVal;
}
#*********************************************************************
# Takes:
# $hashRef - reference to a hash of hashes that contains the
group mems.
# Returns:
# Nothing. Just prints out the members and their attributes.
#*********************************************************************
sub printGrpMem {
my $hashRef = shift;
my @hashKeys = keys %{$hashRef};
foreach my $firstKey (@hashKeys){
print "CN: $firstKey\n";
my @hashKeys2 = keys %{$hashRef->{$firstKey}};
foreach my $subKeys (@hashKeys2){
if ($subKeys ne 'cn') {
print "\t$subKeys: " . $hashRef
->{$firstKey}->{$subKeys} . "\n";
}
}
}
}
#*********************************************************************
# Takes:
# $ldapServer - the Distinguished Name of the ldap server
# $userDN - Distinguished Name of the user logging on
# $password - user password
# Returns:
# undef on error, ldap connection reference on success.
# Example:
# $ldap = ldapBind ('my.server.com', '[EMAIL PROTECTED]',
'password');
#*********************************************************************
sub ldapBind {
my $ldapServer = shift;
my $userDN = shift;
my $password = shift;
my $msg;
my $ldapConn = Net::LDAP->new( $ldapServer ) or die "$@";
if ($ldapConn) {
if (defined($userDN) and defined($password)) {
$msg = $ldapConn->bind($userDN, password=>$password) or
die "$@";
} else { # anonymous bind
$msg = $ldapConn->bind() or die "$@";
}
if ($msg->code == 0) {
return $ldapConn;
} else {
return undef;
}
}
return undef;
}
> -----Original Message-----
> From: ENGDAHL Garth [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 09, 2005 6:59 PM
> To: '[email protected]'
> Subject: hoping this wheel exists, does not require re-inventing..
>
>
> hello all: I have been tasked with solving the following
> problem: from a
> given domain extract all the windows groups and members,
> including groups
> and members that have been pulled into the domain from a
> number of other
> domains via various trusts. For those of you who are
> familiar with the tool
> DumpAcl (now DumpSec), I'm trying to emulate the report that
> dumps groups as
> a table with the "fully expand groups" box checked.
> I've done a bit of research on how this could be done with
> Perl and would
> much prefer to solve the problem that way rather than use a
> windows app that
> isn't supported and will probably break entirely the next
> time Microsoft
> lays another patch on windows 2000...
> As much as I'd enjoy writing this myself...if someone else
> already has and
> is willing to point me towards the code that would be a very
> fine thing
> indeed.
>
> thanks,
> garth engdahl
>
>
