3.2.10 Example 10: Obtain a List of User Accounts Using LDAP

To obtain a list of user accounts in the Active Directory system, LDAP can be used to query the directory. A client can create a query with a supplied filter to locate accounts that are based on specific criteria. To perform this task, a user runs a client application from a client computer that sends a query targeting a directory server in the Active Directory system.

This example covers the use case in section 2.7.1.2, Search for Directory Object - Client Application.

Prerequisites

The general requirements described in section 2.6, Assumptions and Preconditions.

The Active Directory system meets all preconditions described in section 2.7.1.2.

Initial System State

None.

Final System State

The requested information for the user object(s) is returned to the client application.

Sequence of Events

The following sequence diagram shows the message flow that is associated with this example.

Figure 55: Message flow for obtaining a list of user accounts using LDAP

Unless otherwise noted, all responses that include a return code contain a return code that indicates that the operation was successfully performed.

  1. The client application starts and an LDAP bind request ([RFC2251] section 4.2) is sent to the directory server with credentials.

  2. The directory server verifies the credentials ([MS-AUTHSOD] section 2) and sends an LDAP bind response ([RFC2251] section 4.2.3) to the client application.

  3. The user interacts with the client application and provides the search criteria to be applied to the directory tree. The client application sends an LDAP search request ([RFC2251] section 4.5.1) to the directory server, querying the entire domain. It starts at the root of the domain, looking for users ([MS-ADSC] section 2.246 or [MS-ADLS] section 3.62) and requesting all attributes.

  4. The directory server sends an LDAP search response ([RFC2251] section 4.5.2) that contains the list of users under the domain NC. The client application organizes this information and displays it to the user. Search filters and results are additionally validated by the server's processing rules and constraints described in [MS-ADTS] sections 3.1.1.3.1.3 and 3.1.1.3.4.6.

  5. The client application sends an LDAP unbind request ([RFC2251] section 4.3) to the directory server. The LDAP connection to the directory server is closed.
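As an added illustration of step 3 (this code is not part of the [MS-ADOD] example), the following Python builds the BER-encoded LDAP SearchRequest the client application sends: subtree scope from the domain root, a user filter, and an empty attribute list, which in [RFC2251] means all user attributes. The base DN DC=example,DC=com and the filter (&(objectCategory=person)(objectClass=user)) are assumptions, not values taken from the document.

```python
# Build the LDAP SearchRequest of step 3 as BER bytes ([RFC2251] section 4.5.1).
# Assumed placeholders: domain root DC=example,DC=com and the common
# Active Directory user filter (&(objectCategory=person)(objectClass=user)).

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def integer(v: int, tag: int = 0x02) -> bytes:
    # Minimal two's-complement INTEGER (messageID, sizeLimit, timeLimit)
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def octets(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))

def equality(attr: str, value: str) -> bytes:
    # Filter CHOICE equalityMatch = [CONTEXT 3] AttributeValueAssertion
    return tlv(0xA3, octets(attr) + octets(value))

def and_filter(*parts: bytes) -> bytes:
    # Filter CHOICE and = [CONTEXT 0] SET OF Filter
    return tlv(0xA0, b"".join(parts))

def search_request(msg_id: int, base_dn: str, filt: bytes, attrs=()) -> bytes:
    """LDAPMessage { messageID, protocolOp = [APPLICATION 3] SearchRequest }."""
    req = (octets(base_dn)                                   # baseObject: domain root
           + tlv(0x0A, b"\x02")                              # scope: wholeSubtree (2)
           + tlv(0x0A, b"\x00")                              # derefAliases: neverDerefAliases
           + integer(0) + integer(0)                         # sizeLimit, timeLimit: none
           + tlv(0x01, b"\x00")                              # typesOnly: FALSE
           + filt
           + tlv(0x30, b"".join(octets(a) for a in attrs)))  # attributes: empty = all
    return tlv(0x30, integer(msg_id) + tlv(0x63, req))

# Assumed user filter; the document only says "looking for users".
USER_FILTER = and_filter(equality("objectCategory", "person"),
                         equality("objectClass", "user"))

def step3_message(msg_id: int = 2, base_dn: str = "DC=example,DC=com") -> bytes:
    return search_request(msg_id, base_dn, USER_FILTER)
```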