In our organization, we have Active Directory set up with Identity Management for Unix (IDMU). When I look in ADUC on the Attribute Editor tab, I can see the POSIX attributes on my account (e.g. gidNumber, uidNumber, etc.). However, if I run an ldapsearch against AD those attributes are not returned.

Here's the form of my command:

ldapsearch \
  -H 'ldaps://ad.example.org:3269' \
  -b 'dc=example,dc=org' \
  -s sub \
  -D 'CN=ldapsearch,OU=Service Accounts,OU=IT,DC=example,DC=org' \
  -y ~/password.txt \
  -o ldif-wrap=no \
  '(sAMAccountName=myuser)' cn uidNumber gidNumber

It only returns the dn & cn. The uidNumber & gidNumber attributes are omitted.

Any ideas?

JoeNahmias

1 Answer

It appears you're connecting to the Global Catalog port (3269) rather than the standard SSL port (636). The uidNumber and gidNumber attributes are not replicated to the Global Catalog by default, so it won't return them.

You can either change your port to 636 or, if you need to be able to query these from Global Catalog servers, you can modify your AD schema to add them.

Ryan Bolger
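
An added example, not part of the answer above: a way to confirm which requested attributes are outside the Global Catalog's partial attribute set, and to switch a GC URI to the domain-controller port. The function names, the sample LDIF and the `example.org` schema DNs are constructed for illustration; `isMemberOfPartialAttributeSet` is the schema flag AD uses to mark an attribute as replicated to the GC.

```bash
#!/bin/sh
# Added example. Schema query whose output not_in_gc reads (base DN assumed
# from the question; add the same -D / -y bind options used there):
#   ldapsearch -H ldaps://ad.example.org:636 -o ldif-wrap=no \
#     -b 'CN=Schema,CN=Configuration,DC=example,DC=org' \
#     '(|(lDAPDisplayName=uidNumber)(lDAPDisplayName=gidNumber))' \
#     lDAPDisplayName isMemberOfPartialAttributeSet

# Map a Global Catalog URI (scheme://host:port) to the domain-controller port:
# 3269 -> 636 (TLS), 3268 -> 389. Any other URI is returned unchanged.
gc_to_dc_uri() {
  case "$1" in
    ldaps://*:3269) printf '%s\n' "${1%:3269}:636" ;;
    ldap://*:3268)  printf '%s\n' "${1%:3268}:389" ;;
    *)              printf '%s\n' "$1" ;;
  esac
}

# Read schema LDIF on stdin; print each attribute NOT replicated to the GC.
# A missing isMemberOfPartialAttributeSet value counts the same as FALSE.
not_in_gc() {
  awk 'BEGIN { RS = ""; FS = "\n" }
  {
    name = ""; in_pas = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^lDAPDisplayName: /) name = substr($i, 18)
      if ($i ~ /^isMemberOfPartialAttributeSet: TRUE$/) in_pas = 1
    }
    if (name != "" && !in_pas) print name
  }'
}

# Constructed sample of the schema query output (not captured from a real DC).
sample_schema_ldif() {
  cat <<'EOF'
dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=example,DC=org
lDAPDisplayName: cn
isMemberOfPartialAttributeSet: TRUE

dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=example,DC=org
lDAPDisplayName: uidNumber
isMemberOfPartialAttributeSet: FALSE

dn: CN=gidNumber,CN=Schema,CN=Configuration,DC=example,DC=org
lDAPDisplayName: gidNumber
EOF
}

gc_to_dc_uri 'ldaps://ad.example.org:3269'   # URI to use for the POSIX attributes
sample_schema_ldif | not_in_gc               # attributes a GC search would omit
```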