
Connection to LDAP server

Jiri Formacek edited this page Nov 22, 2024 · 1 revision

Implicit LDAP connection

Starting with version 2.1.5, the Get-LdapConnection command saves the connection object to a session variable, so you do not have to pass it as a parameter to other commands. The result of the most recent call to Get-LdapConnection is the one stored.
You can still store the connection in a variable and pass it as a parameter; this is useful when you need to work with multiple connections at the same time.

Simple object lookup

#gets a connection to a domain controller of your own domain on port 389 with your current credentials and stores it in the session variable
Get-LdapConnection | Out-Null
#gets the RootDSE object using the connection stored in the session variable
$Dse = Get-RootDSE
#perform the search
#the LDAP connection is taken from the session variable when not specified as a parameter
#objectSid is listed in -BinaryProps so it is returned as a byte array rather than a string
Find-LdapObject `
  -SearchFilter:"(&(cn=jsmith)(objectClass=user)(objectCategory=organizationalPerson))" `
  -SearchBase:"ou=Users,$($Dse.defaultNamingContext)" `
  -PropertiesToLoad:@("sAMAccountName","objectSid") `
  -BinaryProps:@("objectSid")
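The following is an added example, not code from the wiki or the S.DS.P project, of the "multiple connections at the same time" case described above: two explicit connections are held in variables and passed with the -LdapConnection parameter, while a call without it falls back to the session default. It assumes that Find-LdapObject and Get-RootDSE accept -LdapConnection, that Get-LdapConnection returns a System.DirectoryServices.Protocols.LdapConnection, and that single-valued binary attributes come back as byte[]; the server names are placeholders.

```powershell
# Added example (not from the S.DS.P wiki): working with two connections at once.
Import-Module S.DS.P

# Explicit connections to two forests. Each call also overwrites the session
# default, so the LAST call (here $ldapB) becomes the implicit connection.
$ldapA = Get-LdapConnection -LdapServer 'dc01.corp.example' -EncryptionType Kerberos
$ldapB = Get-LdapConnection -LdapServer 'dc01.partner.example' -EncryptionType Kerberos

function Get-UserSid {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $Connection,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Escape the value before placing it in the filter (RFC 4515) so a
    # caller-supplied name cannot change the meaning of the query.
    $escaped = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' `
                               -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
    $dse = Get-RootDSE -LdapConnection $Connection
    $obj = Find-LdapObject -LdapConnection $Connection `
        -SearchFilter "(&(sAMAccountName=$escaped)(objectClass=user))" `
        -SearchBase $dse.defaultNamingContext `
        -PropertiesToLoad @('sAMAccountName','objectSid') `
        -BinaryProps @('objectSid')
    if ($null -eq $obj) { return $null }
    # objectSid is a byte[] because it was listed in -BinaryProps (assumed
    # single-valued here); SecurityIdentifier renders it as S-1-5-21-...
    [System.Security.Principal.SecurityIdentifier]::new([byte[]]$obj.objectSid, 0).Value
}

# Same account name looked up in each forest through its own connection
Get-UserSid -Connection $ldapA -SamAccountName 'jsmith'
Get-UserSid -Connection $ldapB -SamAccountName 'jsmith'

# No -LdapConnection given: uses the session default, i.e. $ldapB
(Get-RootDSE).dnsHostName
```

Passing the connection explicitly in every call, as Get-UserSid does, avoids surprises when another part of the script calls Get-LdapConnection and silently replaces the session default.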

Ldap Connection parameters

Encryption types

#Connects to LDAP server with TLS encryption
$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com -EncryptionType TLS

#Connects to LDAP server with SSL encryption
#Note: Port must be SSL port
$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com `
  -EncryptionType SSL `
  -Port 636

#Connects to LDAP server with Kerberos encryption - does not require SSL cert on LDAP server!
$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com `
  -EncryptionType Kerberos

Credentials and authentication

Basic authentication:

#Connects to LDAP server with explicit credentials and Basic authentication
#Note: Server may require encryption to allow connection or searching of data

$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com `
  -EncryptionType Kerberos `
  -Credential (Get-Credential) `
  -AuthType Basic

Basic authentication with a distinguishedName: the Get-Credential command may not work properly with a DN, so the credential is built a different way. This may be the best way to connect to Active Directory from non-Windows machines:

#get the password as a secure string
$password = Read-Host -AsSecureString -Prompt 'Password'
#create the credential object with the DN as the user name
$cred = New-Object -TypeName PSCredential -ArgumentList 'cn=userAccount,o=mycompany', $password
#Basic authentication sends the password to the server, so it is paired with SSL on port 636
$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com -Port 636 `
  -Credential $cred `
  -AuthType Basic `
  -EncryptionType SSL

Kerberos authentication with explicit credentials:

#Connects to LDAP server with explicit credentials (requires AdmPwd.E powershell module)
#and password retrieved on the fly via AdmPwd.E
$credential = Get-AdmPwdCredential `
  -UserName myAccount@mydomain.com
$Ldap = Get-LdapConnection -LdapServer ldap.mydomain.com `
  -EncryptionType Kerberos `
  -Credential $Credential

Client certificate authentication, while accepting a server certificate issued by a CA whose CRL is unavailable:

#connect to the server and authenticate with a client certificate
#select the certificate from the current user's personal store by thumbprint
$thumb = '059d5318118e61fe54fd361ae07baf4644a67347'
$cert = (Get-ChildItem Cert:\CurrentUser\My).Where({ $_.Thumbprint -eq $thumb })[0]
#IgnoreRootRevocationUnknown only tolerates an unreachable CRL for the root certificate;
#the enum value is parenthesized so PowerShell evaluates it instead of passing it as text
Get-LdapConnection -LdapServer "mydc.mydomain.com" `
  -Port 636 `
  -ClientCertificate $cert `
  -CertificateValidationFlags ([System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreRootRevocationUnknown)
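The following is an added example, not code from the wiki or the S.DS.P project, that expands the client-certificate case above: the certificate is looked up by thumbprint and checked for a private key, validity period and the Client Authentication EKU before it is handed to Get-LdapConnection, so a wrong or expired certificate fails at the script rather than as an opaque bind error. The function name, the thumbprint and the server name are placeholders chosen for this example.

```powershell
# Added example (not from the S.DS.P wiki): choose the client certificate
# deliberately and confirm it is usable before connecting.
function Get-LdapClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in $StorePath"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; it cannot be used to authenticate"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
    }
    # TLS client authentication requires the Client Authentication EKU
    # (OID 1.3.6.1.5.5.7.3.2) when the certificate carries an EKU extension at all.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
        throw "Certificate $Thumbprint lacks the Client Authentication EKU"
    }
    return $cert
}

# Placeholder thumbprint: replace with the thumbprint of your own client certificate
$cert = Get-LdapClientCertificate -Thumbprint 'PLACEHOLDER-THUMBPRINT'

# Narrowest relaxation that still tolerates an unreachable CRL for the root only;
# revocation checking stays on for the intermediate and server certificates.
$flags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreRootRevocationUnknown

$Ldap = Get-LdapConnection -LdapServer 'ldaps.example.invalid' `
  -Port 636 `
  -EncryptionType SSL `
  -ClientCertificate $cert `
  -CertificateValidationFlags $flags
```

Keeping the flags in a variable makes it obvious in review which validation steps were relaxed; a broader value such as AllFlags would also disable name and chain checks, which is not what the CRL situation calls for.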
