Windows Vista Forums

Vista - Bind to LDAP Directory

 
Old 12-11-2006   #1 (permalink)
Tom G.


 
 

Bind to LDAP Directory

Good Morning,

Can anyone point me in the correct direction regarding binding to an
LDAP-compliant directory that is not Active Directory while using
PowerShell? I've read the docs on DirectorySearcher and DirectoryEntry and
they seem only able to connect to AD. Basically, I have a VBScript that I'd
like to port to PowerShell. The VBScript uses the OpenDSObject method, which
I cannot seem to figure out how to use in PowerShell. The line from the
VBScript is:

Set dso = GetObject("LDAP:")
Set objGroup = dso.OpenDSObject("LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US")

Is it possible to create a DSO object in PowerShell using the new-object
cmdlet, and if so how? If it's not possible to create a DSO object, does
anyone know another way to connect to the directory via PowerShell?

Tom G.




Old 12-12-2006   #2 (permalink)
fixitchris


 
 

RE: Bind to LDAP Directory

Check out VB code using the System.DirectoryServices namespace. You'll probably
want to use the .NET Framework.

"Tom G." wrote:

> Good Morning,
>
> Can anyone point me in the correct direction regarding binding to an
> LDAP-compliant directory that is not Active Directory while using
> PowerShell? I've read the docs on DirectorySearcher and DirectoryEntry and
> they seem only able to connect to AD. Basically, I have a VBScript that I'd
> like to port to PowerShell. The VBScript uses the OpenDSObject method, which
> I cannot seem to figure out how to use in PowerShell. The line from the
> VBScript is:
>
> Set dso = GetObject("LDAP:")
> Set objGroup =
> dso.OpenDSObject("LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US")
>
> Is it possible to create a DSO object in PowerShell using the new-object
> cmdlet, and if so how? If it's not possible to create a DSO object, does
> anyone know another way to connect to the directory via PowerShell?
>
> Tom G.
>
>
>
>

Old 12-12-2006   #3 (permalink)
jorgemestre@gmail.com


 
 

Re: Bind to LDAP Directory

to connect to AD I use this (probably not the most efficient way, but
it works for me):

$root = [ADSI]"LDAP://myserver/dc=mycompany,dc=com" #OR
$root = [ADSI]"LDAP://myserver/OU=People,dc=mycompany,dc=com" #OR
$root = [ADSI]"LDAP://OU=standard,OU=People,dc=mycompany,dc=com"

then, if I want to search

$searchAD = new-object System.DirectoryServices.DirectorySearcher($root)
$searchAD.PageSize = 10000
$searchAD.Filter = "(`&(objectClass=computer)(cn=pc1))"
$searchResults = $searchAD.FindAll()

if there is only one result, and I want to have it as a DirectoryEntry

$DirEntry = $($searchAD.FindAll()).getDirectoryEntry() #OR

foreach ($result in $searchResults){
$temp = $result.getDirectoryEntry()
}

if I want to connect directly to an object:

$dn = [ADSI]"LDAP://cn=pc1,ou=computers,dc=mycompany,dc=com"
$DirEntry = new-object DirectoryServices.DirectoryEntry($dn)

Hope it can help you a bit.

Jorge Mestre

On Dec 11, 5:39 pm, "Tom G." <Tom.Glowa...@Sanford.com> wrote:
> Good Morning,
>
> Can anyone point me in the correct direction regarding binding to an
> LDAP-compliant directory that is not Active Directory while using
> PowerShell? I've read the docs on DirectorySearcher and DirectoryEntry and
> they seem only able to connect to AD. Basically, I have a VBScript that I'd
> like to port to PowerShell. The VBScript uses the OpenDSObject method, which
> I cannot seem to figure out how to use in PowerShell. The line from the
> VBScript is:
>
> Set dso = GetObject("LDAP:")
> Set objGroup =
> dso.OpenDSObject("LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US")
>
> Is it possible to create a DSO object in PowerShell using the new-object
> cmdlet, and if so how? If it's not possible to create a DSO object, does
> anyone know another way to connect to the directory via PowerShell?
>
> Tom G.


Old 12-12-2006   #4 (permalink)
Tom G.


 
 

Re: Bind to LDAP Directory

Does anyone have an example that can bind to a directory other than Active
Directory?

"Tom G." <Tom.Glowacki@Sanford.com> wrote in message
news:ONC3dLUHHHA.1784@TK2MSFTNGP06.phx.gbl...
> Good Morning,
>
> Can anyone point me in the correct direction regarding binding to an
> LDAP-compliant directory that is not Active Directory while using
> PowerShell? I've read the docs on DirectorySearcher and DirectoryEntry and
> they seem only able to connect to AD. Basically, I have a VBScript that
> I'd like to port to PowerShell. The VBScript uses the OpenDSObject method,
> which I cannot seem to figure out how to use in PowerShell. The line from
> the VBScript is:
>
> Set dso = GetObject("LDAP:")
> Set objGroup =
> dso.OpenDSObject("LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US")
>
> Is it possible to create a DSO object in PowerShell using the new-object
> cmdlet, and if so how? If it's not possible to create a DSO object, does
> anyone know another way to connect to the directory via PowerShell?
>
> Tom G.
>
>
>



Old 12-12-2006   #5 (permalink)
Lance


 
 

Re: Bind to LDAP Directory

Tom G. wrote:
> Does anyone have an example that can bind to a directory other than Active
> Directory?


You can do this with Netcmdlets get-ldap and set-ldap cmdlets. If
interested you can check out the beta at
http://www.nsoftware.com/powershell/. Keep in mind that it is a beta
and we are making some changes to the syntax of the cmdlets, the output
objects, as well as adding some new functionality like -changepwd. If
you have questions let me know and I can help.

Old 12-12-2006   #6 (permalink)
Alex K. Angelopoulos [MVP]


 
 

Re: Bind to LDAP Directory

"Tom G." <Tom.Glowacki@Sanford.com> wrote in message
news:OKxmFfgHHHA.2112@TK2MSFTNGP03.phx.gbl...
> Does anyone have an example that can bind to a directory other than Active
> Directory?


I don't know of a general LDAP server that I can test against, but there are
2 possible ways to approach this. The following is based on the assumption
that .NET's System.DirectoryServices namespace does not support easy "pure"
LDAP server access.

(1) Use inline VBScript with the script control.
This will allow you to directly retrieve an object instance. I can't test
the OpenDSObject statement, but the following form _should_ work with a
usable URL. (Bruce Payette talks about in-lining ActiveScript languages such
as VBScript within PowerShell to do tasks that .NET's COM wrappers won't
handle).
Here's an example:
$sc = New-Object -ComObject MSScriptControl.ScriptControl
$sc.Language = "VBScript"
$sc.AddCode('set ldap = GetObject("LDAP:")')
$sc.AddCode('url = "LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US"')
$dso = $sc.Eval('ldap.OpenDSObject(url)')

Warning: this may not work very well for getting back something functional
due to how nasty .NET gets about COM objects it doesn't understand. For
example, if I try to do this:

$ldap = $sc.Eval('ldap')
$ldap | gm

I get the dreaded "Get-Member : No object has been specified to get-member"
error that shows up a lot in COM interop.

IF you want to use method 1 and it gives you this error when you look at
$dso (as I suspect it will) you'll need to get the data you need within
VBScript code and turn it into something you can return.

A variation of this is to load the Microsoft.VisualBasic assembly and use
VB.NET's GetObject from PowerShell instead. This has the same problems with
COM objects, so I recommend you use another alternative.

(2) Possibly use Novell's generic LDAP server library for .NET
See the following pages:
http://www.novell.com/coolsolutions/feature/11204.html
http://forge.novell.com/modules/xfco...rpLDAP-v2.1.7/

This looks like it should provide working direct access to any LDAP-standard
server. Since it is also open code (MIT license) it has some promise for
longterm support. If you want to try this yourself and can't find a binary
or compile the source, holler.


Old 12-12-2006   #7 (permalink)
Tom G.


 
 

Re: Bind to LDAP Directory

Alex, the Novell library worked very well. It's pretty easy to use and comes
with some good C# examples that are easy to adapt to PowerShell. Thank you
very much for your help.

Tom G.

"Alex K. Angelopoulos [MVP]" <aka@online.mvps.org> wrote in message
news:OIC38FhHHHA.1064@TK2MSFTNGP04.phx.gbl...
> "Tom G." <Tom.Glowacki@Sanford.com> wrote in message
> news:OKxmFfgHHHA.2112@TK2MSFTNGP03.phx.gbl...
>> Does anyone have an example that can bind to a directory other than
>> Active Directory?

>
> I don't know of a general LDAP server that I can test against, but there
> are 2 possible ways to approach this. The following is based on the
> assumption that .NET's System.DirectoryServices namespace does not support
> easy "pure" LDAP server access.
>
> (1) Use inline VBScript with the script control.
> This will allow you to directly retrieve an object instance. I can't test
> the OpenDSObject statement, but the following form _should_ work with a
> usable URL. (Bruce Payette talks about in-lining ActiveScript languages
> such as VBScript within PowerShell to do tasks that .NET's COM wrappers
> won't handle).
> Here's an example:
> $sc = New-Object -ComObject MSScriptControl.ScriptControl
> $sc.Language = "VBScript"
> $sc.AddCode('set ldap = GetObject("LDAP:")')
> #next line wraps
> $sc.AddCode('url =
> "LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US"')
> $dso = $sc.Eval('ldap.OpenDSObject(url)')
>
> Warning: this may not work very well for getting back something functional
> due to how nasty .NET gets about COM objects it doesn't understand. For
> example, if I try to do this:
>
> $ldap = $sc.Eval('ldap')
> $ldap | gm
>
> I get the dreaded "Get-Member : No object has been specified to
> get-member" error that shows up a lot in COM interop.
>
> IF you want to use method 1 and it gives you this error when you look at
> $dso (as I suspect it will) you'll need to get the data you need within
> VBScript code and turn it into something you can return.
>
> A variation of this is to load the Microsoft.VisualBasic assembly and use
> VB.NET's GetObject from PowerShell instead. This has the same problems
> with COM objects, so I recommend you use another alternative.
>
> (2) Possibly use Novell's generic LDAP server library for .NET
> See the following pages:
> http://www.novell.com/coolsolutions/feature/11204.html
> http://forge.novell.com/modules/xfco...rpLDAP-v2.1.7/
>
> This looks like it should provide working direct access to any
> LDAP-standard server. Since it is also open code (MIT license) it has some
> promise for longterm support. If you want to try this yourself and can't
> find a binary or compile the source, holler.
>



Old 12-12-2006   #8 (permalink)
Tom G.


 
 

Re: Bind to LDAP Directory

Lance,

The NetCmdlets are pretty cool. However, I'm having some trouble
authenticating. I need to pass in a username in the format of
"cn=userid,o=orgname,c=US". The credential parameter in get-ldap doesn't
seem to support this. Any suggestions?

Tom G.

"Lance" <lmrobins@gmail.com> wrote in message
news:1165942782.290446.201130@j44g2000cwa.googlegroups.com...
> Tom G. wrote:
>> Does anyone have an example that can bind to a directory other than
>> Active
>> Directory?

>
> You can do this with Netcmdlets get-ldap and set-ldap cmdlets. If
> interested you can check out the beta at
> http://www.nsoftware.com/powershell/. Keep in mind that it is a beta
> and we are making some changes to the syntax of the cmdlets, the output
> objects, as well as adding some new functionality like -changepwd. If
> you have questions let me know and I can help.
>



Old 12-13-2006   #9 (permalink)
Ted Brewster


 
 

RE: Bind to LDAP Directory

You can go to a little lower level, into system.directoryservices.protocols,
with something like this:

set-variable "ADS_SCOPE_BASE" 0 -op Constant
set-variable "ADS_SCOPE_ONELEVEL" 1 -op Constant
set-variable "ADS_SCOPE_SUBTREE" 2 -op Constant

[reflection.assembly]::LoadWithPartialName("system.directoryservices.protocols") | out-null
$li = new-object directoryservices.protocols.ldapdirectoryidentifier("server-address")
$lc = new-object directoryservices.protocols.ldapconnection($li,$null,0)
[string[]]$attr = "cn","mail" # -- attributes to be returned
$dn = "o=your.search.base" # -- distinguished name (search base)
$filter = "(uid=aname)" # -- what to look for
$scope = $ADS_SCOPE_SUBTREE # -- search sub-tree
$sr = new-object directoryservices.protocols.searchrequest($dn,$filter,$scope,$attr)
$sr.typesonly = $false
$sr.sizelimit = 10
$resp = [directoryservices.protocols.searchresponse]$lc.sendrequest($sr)
$e = $resp.entries
Write-host "Name:" ($e[0].attributes["cn"])[0]
Write-host "E-mail:" ($e[0].attributes["mail"])[0]

Took me a while to figure this out, but it seems to work.

// Ted Brewster
--- Computing Services - Binghamton University ---

"Tom G." wrote:

> Good Morning,
>
> Can anyone point me in the correct direction regarding binding to an
> LDAP-compliant directory that is not Active Directory while using
> PowerShell? I've read the docs on DirectorySearcher and DirectoryEntry and
> they seem only able to connect to AD. Basically, I have a VBScript that I'd
> like to port to PowerShell. The VBScript uses the OpenDSObject method, which
> I cannot seem to figure out how to use in PowerShell. The line from the
> VBScript is:
>
> Set dso = GetObject("LDAP:")
> Set objGroup =
> dso.OpenDSObject("LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US")
>
> Is it possible to create a DSO object in PowerShell using the new-object
> cmdlet, and if so how? If it's not possible to create a DSO object, does
> anyone know another way to connect to the directory via PowerShell?
>
> Tom G.
>
>
>
>
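
An authenticated variant of the System.DirectoryServices.Protocols approach in the post above, added here as an example and not code from any poster in the thread: a simple bind with a DN-format user name (the case raised in post #8) over LDAPS, followed by a search whose filter value is escaped per RFC 4515. The function names, server name, DNs and uid value are placeholders modelled on the thread.

```powershell
# Added example: authenticated LDAPS bind and search with System.DirectoryServices.Protocols.
# Host name, DNs and the uid value are placeholders, not values from a real directory.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515: escape \ * ( ) and NUL as \XX so the value cannot alter the filter.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Connect-LdapSimple {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$BindDn,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3      # LDAPv3
    $conn.SessionOptions.SecureSocketLayer = $true  # TLS first: a simple bind sends the password as-is
    # VerifyServerCertificate is left unset so the default certificate validation applies.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind with a DN
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try { $conn.Bind() } catch { $conn.Dispose(); throw }  # e.g. LDAP result 49 = invalid credentials
    $conn
}

$uid  = 'aname'   # constructed sample value; treat it as untrusted input
$pw   = Read-Host -AsSecureString 'Password for cn=userid,o=orgname,c=US'
$conn = Connect-LdapSimple -Server 'myserver.mycompany.com' -BindDn 'cn=userid,o=orgname,c=US' -Password $pw
try {
    [string[]]$attrs = 'cn', 'mail'
    $filter = '(uid={0})' -f (ConvertTo-LdapFilterValue $uid)
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest('o=MyCompany,c=US', $filter, $scope, $attrs)
    $req.SizeLimit = 10
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $cn   = $entry.Attributes['cn']
        $mail = $entry.Attributes['mail']
        New-Object PSObject -Property @{
            DN   = $entry.DistinguishedName
            Name = $(if ($null -ne $cn)   { $cn[0] })
            Mail = $(if ($null -ne $mail) { $mail[0] })
        }
    }
}
finally { $conn.Dispose() }
```

For a server that offers StartTLS on port 389 instead of LDAPS, pass `-Port 389` and call `$conn.SessionOptions.StartTransportLayerSecurity($null)` before `Bind()` in place of setting `SecureSocketLayer`.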

Old 12-14-2006   #10 (permalink)
Alex K. Angelopoulos [MVP]


 
 

Re: Bind to LDAP Directory

I never did see the compiled binary download link; I'll have to go back and
look. Care to post a couple of examples of using the library?

FYI for anyone else playing with LDAP, Wikipedia seems to have a _lot_ of
useful resource links:
http://en.wikipedia.org/wiki/LDAP


"Tom G." <Tom.Glowacki@Sanford.com> wrote in message
news:Onj4TDkHHHA.3616@TK2MSFTNGP06.phx.gbl...
> Alex, the Novell library worked very well. It's pretty easy to use and
> comes with some good C# examples that are easy to adapt to PowerShell.
> Thank you very much for your help.
>
> Tom G.
>
> "Alex K. Angelopoulos [MVP]" <aka@online.mvps.org> wrote in message
> news:OIC38FhHHHA.1064@TK2MSFTNGP04.phx.gbl...
>> "Tom G." <Tom.Glowacki@Sanford.com> wrote in message
>> news:OKxmFfgHHHA.2112@TK2MSFTNGP03.phx.gbl...
>>> Does anyone have an example that can bind to a directory other than
>>> Active Directory?

>>
>> I don't know of a general LDAP server that I can test against, but there
>> are 2 possible ways to approach this. The following is based on the
>> assumption that .NET's System.DirectoryServices namespace does not
>> support easy "pure" LDAP server access.
>>
>> (1) Use inline VBScript with the script control.
>> This will allow you to directly retrieve an object instance. I can't test
>> the OpenDSObject statement, but the following form _should_ work with a
>> usable URL. (Bruce Payette talks about in-lining ActiveScript languages
>> such as VBScript within PowerShell to do tasks that .NET's COM wrappers
>> won't handle).
>> Here's an example:
>> $sc = New-Object -ComObject MSScriptControl.ScriptControl
>> $sc.Language = "VBScript"
>> $sc.AddCode('set ldap = GetObject("LDAP:")')
>> #next line wraps
>> $sc.AddCode('url =
>> "LDAP://myserver.mycompany.com/cn=users,o=MyCompany,c=US"')
>> $dso = $sc.Eval('ldap.OpenDSObject(url)')
>>
>> Warning: this may not work very well for getting back something
>> functional due to how nasty .NET gets about COM objects it doesn't
>> understand. For example, if I try to do this:
>>
>> $ldap = $sc.Eval('ldap')
>> $ldap | gm
>>
>> I get the dreaded "Get-Member : No object has been specified to
>> get-member" error that shows up a lot in COM interop.
>>
>> IF you want to use method 1 and it gives you this error when you look at
>> $dso (as I suspect it will) you'll need to get the data you need within
>> VBScript code and turn it into something you can return.
>>
>> A variation of this is to load the Microsoft.VisualBasic assembly and use
>> VB.NET's GetObject from PowerShell instead. This has the same problems
>> with COM objects, so I recommend you use another alternative.
>>
>> (2) Possibly use Novell's generic LDAP server library for .NET
>> See the following pages:
>> http://www.novell.com/coolsolutions/feature/11204.html
>> http://forge.novell.com/modules/xfco...rpLDAP-v2.1.7/
>>
>> This looks like it should provide working direct access to any
>> LDAP-standard server. Since it is also open code (MIT license) it has
>> some promise for longterm support. If you want to try this yourself and
>> can't find a binary or compile the source, holler.
>>

>
>


