3.2.10 Example 10: Obtain a List of User Accounts Using LDAP
To obtain a list of user accounts in the Active Directory system, a client can use LDAP to query the directory. The client builds a search request with a filter that selects the accounts matching specific criteria. To perform this task, a user runs a client application on a client computer; the application sends the query to a directory server in the Active Directory system.
This example covers the use case in section 22.214.171.124, Search for Directory Object - Client Application.
The general requirements described in section 2.6, Assumptions and Preconditions, apply.
Initial System State
The Active Directory system meets all preconditions described in section 126.96.36.199.
Final System State
The requested information for the user object(s) is returned to the client application.
Sequence of Events
The following sequence diagram shows the message flow that is associated with this example.
Figure 55: Message flow for obtaining a list of user accounts using LDAP
Unless otherwise noted, every response that includes a return code indicates that the operation was performed successfully.
The user interacts with the client application and provides the search criteria to be applied to the directory tree. The client application sends an LDAP search request ([RFC2251] section 4.5.1) to the directory server, querying the entire domain: the search starts at the root of the domain, looks for user objects ([MS-ADSC] section 2.246 or [MS-ADLS] section 3.62), and requests all attributes.
The directory server sends an LDAP search response ([RFC2251] section 4.5.2) that contains the list of users under the domain NC. The client application organizes this information and displays it to the user. Search filters and results are additionally validated by the server's processing rules and constraints described in [MS-ADTS] sections 188.8.131.52.1.3 and 184.108.40.206.4.6.
The client application sends an LDAP unbind request ([RFC2251] section 4.3) to the directory server. The LDAP connection to the directory server is closed.
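The two client-side messages of this sequence, the search request and the unbind request, as an added example that is not part of [MS-ADOD] or any Microsoft code: a small BER encoder that produces the exact bytes [RFC2251] sections 4.5.1 and 4.3 describe, with no network I/O. The base DN DC=example,DC=com is a constructed sample, and the filter (&(objectCategory=person)(objectClass=user)) is an assumed choice for selecting user accounts; the search runs over the whole subtree from the domain root and sends an empty attribute list, which is how a client requests all attributes.

```python
# Added example, not [MS-ADOD] code: minimal BER encoding of the LDAP SearchRequest
# ([RFC2251] 4.5.1) and UnbindRequest (4.3) in this walkthrough; values are constructed samples.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    size = 1  # smallest two's-complement width that holds n
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))

def octet_string(s: str) -> bytes:
    return tlv(0x04, s.encode("utf-8"))

def equality_match(attr: str, value: str) -> bytes:
    """Filter CHOICE [3] equalityMatch, i.e. (attr=value)."""
    return tlv(0xA3, octet_string(attr) + octet_string(value))

def and_filter(*parts: bytes) -> bytes:
    """Filter CHOICE [0] and, i.e. (&(...)(...))."""
    return tlv(0xA0, b"".join(parts))

def search_request(msg_id: int, base_dn: str, flt: bytes, attrs=()) -> bytes:
    """LDAPMessage carrying [APPLICATION 3] SearchRequest, wholeSubtree scope."""
    body = (octet_string(base_dn)
            + tlv(0x0A, b"\x02")       # scope: wholeSubtree (ENUMERATED 2)
            + tlv(0x0A, b"\x00")       # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)  # sizeLimit, timeLimit: no client-side limit
            + tlv(0x01, b"\x00")       # typesOnly: FALSE
            + flt
            + tlv(0x30, b"".join(octet_string(a) for a in attrs)))  # empty = all attrs
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))

def unbind_request(msg_id: int) -> bytes:
    """LDAPMessage carrying [APPLICATION 2] UnbindRequest (a NULL)."""
    return tlv(0x30, ber_int(msg_id) + b"\x42\x00")

def list_users_request(msg_id: int, base_dn: str) -> bytes:
    """The query from the example: all user objects under the domain root."""
    return search_request(msg_id, base_dn, and_filter(
        equality_match("objectCategory", "person"),
        equality_match("objectClass", "user")))
```

The scope, filter and attribute list are visible in these bytes exactly as a directory server or a network sensor sees them, which is useful when reading captured LDAP traffic or diagnosing why a query returns more than expected.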