Garth,

I've been working on something similar, but right now my script is rather messy 
and only queries 2 domains.  However, I thought I would give you my 3 
'workhorse' functions.  They are ldapBind, getGrpMem, and printGrpMem.  I have 
pasted them below.

What I do in my script is get an entry to a group and start processing each 
member.  If any of the member entries matches the regex 
/.*CN=ForeignSecurityPrincipals.*/ then I know that the entry belongs to 
another domain.  I then do a query on that ForeignSecurityPrincipals object to 
get it's objectSid.  Later in my script, I query my second domain for that 
objectSid and extract information from it.

I hope that this can assist you.  If you do anything interesting with this, 
please post back to the list.  I would be interested in an easy way to do this 
as well.


#**********************************************************************
#       Takes:
#               $ldapConn - reference to an LDAP connection
#               $entry - reference to an LDAP entry that is a group
#               $attrib - array reference that is a list of attributes to get 
from each member
#       Returns:
#               Returns a list of all of the members of the group.
#       Example:
#               $members = getGrpMem($ldap,$entry,[EMAIL PROTECTED])
#**********************************************************************
sub getGrpMem {
        my $ldapConn = shift;
        my $entry = shift;
        my $attrib = shift;
        my $retVal = {};

        my $array = $entry->get_value('member',asref => 1);
        foreach my $arrayVal (@$array) {
                my $searchRes = $ldapConn->search(
                        base => $arrayVal,
                        filter => '(objectclass=*)',
                        scope => 'base',
                        attrs => @$attrib
                );
                if ($searchRes->code == 0) {
                        foreach my $entry2 ($searchRes->entries) {
                                $retVal->{$entry2->get_value('cn')} = {};
                                foreach my $indAttr (@$attrib) {
                                        
$retVal->{$entry2->get_value('cn')}->{$indAttr} = $entry2->get_value($indAttr);
                                }
                        }
                } else {
                        print "Error with search for $arrayVal:\n" . 
$searchRes->error . "\n";
                }
        }

        return $retVal;
}

#*********************************************************************
#       Takes:
#               $hashRef - reference to a hash of hashes that contains the 
group mems.
#       Returns:
#               Nothing.  Just prints out the members and their attributes.
#*********************************************************************
sub printGrpMem {
        my $hashRef = shift;
        my @hashKeys = keys %{$hashRef};
        foreach my $firstKey (@hashKeys){
                print "CN: $firstKey\n";
                my @hashKeys2 = keys %{$hashRef->{$firstKey}};
                foreach my $subKeys (@hashKeys2){
                        if ($subKeys ne 'cn') {
                                print "\t$subKeys: " . $hashRef 
->{$firstKey}->{$subKeys} . "\n";
                        }
                }
        }
}

#*********************************************************************
#       Takes:
#               $ldapServer - the Distinguished Name of the ldap server
#               $userDN - Distinguished Name of the user logging on
#               $password - user password
#       Returns:
#               undef on error, ldap connection reference on success.
#       Example:
#               $ldap = ldapBind ('my.server.com', '[EMAIL PROTECTED]', 
'password');
#*********************************************************************
sub ldapBind {
        my $ldapServer = shift;
        my $userDN = shift;
        my $password = shift;
        my $msg;

        my $ldapConn = Net::LDAP->new( $ldapServer ) or die "$@";
        if ($ldapConn) {
                if (defined($userDN) and defined($password)) {
                        $msg = $ldapConn->bind($userDN, password=>$password) or 
die "$@";
                } else {        # anonymous bind
                        $msg = $ldapConn->bind() or die "$@";
                }
                if ($msg->code == 0) {
                        return $ldapConn;
                } else {
                        return undef;
                }
        }
        return undef;
}



> -----Original Message-----
> From: ENGDAHL Garth [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 09, 2005 6:59 PM
> To: 'perl-ldap@perl.org'
> Subject: hoping this wheel exists, does not require re-inventing..
> 
> 
> hello all: I have been tasked with solving the following 
> problem: from a
> given domain extract all the windows groups and members, 
> including groups
> and members that have been pulled into the domain from a 
> number of other
> domains via various trusts.  For those of you who are 
> familiar with the tool
> DumpAcl (now DumpSec), I'm trying to emulate the report that 
> dumps groups as
> a table with the "fully expand groups" box checked. 
> I've done a bit of research on how this could be done with 
> Perl and would
> much prefer to solve the problem that way rather than use a 
> windows app that
> isn't supported and will probably break entirely the next 
> time Microsoft
> lays another patch on windows 2000...
> As much as I'd enjoy writing this myself...if someone else 
> already has and
> is willing to point me towards the code that would be a very 
> fine thing
> indeed.
>  
> thanks,
> garth engdahl
>  
> 

Reply via email to