Garth, I've been working on something similar, but right now my script is rather messy and only queries 2 domains. However, I thought I would give you my 3 'workhorse' functions. They are ldapBind, getGrpMem, and printGrpMem. I have pasted them below.
What I do in my script is get an entry to a group and start processing each member. If any of the member entries matches the regex /.*CN=ForeignSecurityPrincipals.*/ then I know that the entry belongs to another domain. I then do a query on that ForeignSecurityPrincipals object to get it's objectSid. Later in my script, I query my second domain for that objectSid and extract information from it. I hope that this can assist you. If you do anything interesting with this, please post back to the list. I would be interested in an easy way to do this as well. #********************************************************************** # Takes: # $ldapConn - reference to an LDAP connection # $entry - reference to an LDAP entry that is a group # $attrib - array reference that is a list of attributes to get from each member # Returns: # Returns a list of all of the members of the group. # Example: # $members = getGrpMem($ldap,$entry,[EMAIL PROTECTED]) #********************************************************************** sub getGrpMem { my $ldapConn = shift; my $entry = shift; my $attrib = shift; my $retVal = {}; my $array = $entry->get_value('member',asref => 1); foreach my $arrayVal (@$array) { my $searchRes = $ldapConn->search( base => $arrayVal, filter => '(objectclass=*)', scope => 'base', attrs => @$attrib ); if ($searchRes->code == 0) { foreach my $entry2 ($searchRes->entries) { $retVal->{$entry2->get_value('cn')} = {}; foreach my $indAttr (@$attrib) { $retVal->{$entry2->get_value('cn')}->{$indAttr} = $entry2->get_value($indAttr); } } } else { print "Error with search for $arrayVal:\n" . $searchRes->error . "\n"; } } return $retVal; } #********************************************************************* # Takes: # $hashRef - reference to a hash of hashes that contains the group mems. # Returns: # Nothing. Just prints out the members and their attributes. #********************************************************************* sub printGrpMem { my $hashRef = shift; my @hashKeys = keys %{$hashRef}; foreach my $firstKey (@hashKeys){ print "CN: $firstKey\n"; my @hashKeys2 = keys %{$hashRef->{$firstKey}}; foreach my $subKeys (@hashKeys2){ if ($subKeys ne 'cn') { print "\t$subKeys: " . $hashRef ->{$firstKey}->{$subKeys} . "\n"; } } } } #********************************************************************* # Takes: # $ldapServer - the Distinguished Name of the ldap server # $userDN - Distinguished Name of the user logging on # $password - user password # Returns: # undef on error, ldap connection reference on success. # Example: # $ldap = ldapBind ('my.server.com', '[EMAIL PROTECTED]', 'password'); #********************************************************************* sub ldapBind { my $ldapServer = shift; my $userDN = shift; my $password = shift; my $msg; my $ldapConn = Net::LDAP->new( $ldapServer ) or die "$@"; if ($ldapConn) { if (defined($userDN) and defined($password)) { $msg = $ldapConn->bind($userDN, password=>$password) or die "$@"; } else { # anonymous bind $msg = $ldapConn->bind() or die "$@"; } if ($msg->code == 0) { return $ldapConn; } else { return undef; } } return undef; } > -----Original Message----- > From: ENGDAHL Garth [mailto:[EMAIL PROTECTED] > Sent: Thursday, June 09, 2005 6:59 PM > To: 'perl-ldap@perl.org' > Subject: hoping this wheel exists, does not require re-inventing.. > > > hello all: I have been tasked with solving the following > problem: from a > given domain extract all the windows groups and members, > including groups > and members that have been pulled into the domain from a > number of other > domains via various trusts. For those of you who are > familiar with the tool > DumpAcl (now DumpSec), I'm trying to emulate the report that > dumps groups as > a table with the "fully expand groups" box checked. > I've done a bit of research on how this could be done with > Perl and would > much prefer to solve the problem that way rather than use a > windows app that > isn't supported and will probably break entirely the next > time Microsoft > lays another patch on windows 2000... > As much as I'd enjoy writing this myself...if someone else > already has and > is willing to point me towards the code that would be a very > fine thing > indeed. > > thanks, > garth engdahl > >