Reputation: 279
I'm trying to do a request to find all accounts that will expire in less than 30 days (from a Linux server and thus using ldapsearch).
Here is the request I send to the AD server:
ldapsearch -x -h IP -D "[domain][user]" -w [password] -b "DC=[DC],DC=[DC]" -s sub "(&(objectCategory=person)(objectClass=user)(accountExpires>=1)(accountExpires<=30))"
I don't get any name since all the accounts seem to have an accountExpires that is either 0 or 2^63 -1.
When I launch this request from a Windows PowerShell (on a Windows server) I get the correct answer:
Search-ADAccount -AccountExpiring -TimeSpan 30.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
Can you explain to me why my ldapsearch doesn't give the same result?
Thank you !
Upvotes: 2
Views: 4068
Reputation: 2869
The format of the accountExpires attribute is the number of 100-nanosecond intervals since January 1, 1601 (UTC). See these details for the attribute:
The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
So you will need to format a Linux/Unix timestamp to that format to get the correct value to send to AD. It could be something like (excuse the poor bash skills...):
# Get the windows timestamp value for 30 days from now...
expires_at=$(($(($(date -d "+30 days" +"%s") * 10000000)) + 116444736000000000))
Then the LDAP filter:
(&(objectCategory=person)(objectClass=user)(accountExpires>=1)(accountExpires<=$expires_at))
Upvotes: 1
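As an added example (not the answerer's code), the conversion above as reusable shell functions: epoch seconds to and from the accountExpires tick value, a classifier for values seen in ldapsearch output (0 and 2^63-1 mean "never"), and a filter builder. It goes slightly beyond the answer by using the current time rather than 1 as the lower bound, so already-expired accounts (which Search-ADAccount reports under -AccountExpired, not -AccountExpiring) are not returned; the host, bind DN and base DN in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# accountExpires holds 100-nanosecond ticks since 1601-01-01T00:00:00Z.
# Constructed example; constants and functions below are not from the answer.

EPOCH_DIFF_SECONDS=11644473600        # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND=10000000             # 100 ns ticks per second
NEVER_EXPIRES=9223372036854775807     # 0x7FFFFFFFFFFFFFFF

# Unix epoch seconds -> accountExpires ticks
epoch_to_ad() {
    printf '%s\n' "$(( ($1 + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND ))"
}

# accountExpires ticks -> Unix epoch seconds (sub-second part truncated)
ad_to_epoch() {
    printf '%s\n' "$(( $1 / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS ))"
}

# Classify a raw accountExpires value ($1) relative to a reference
# epoch second ($2): prints never, expired or expires.
classify_account_expires() {
    ticks=$1; now=$2
    if [ "$ticks" = 0 ] || [ "$ticks" = "$NEVER_EXPIRES" ]; then
        echo never
    elif [ "$(ad_to_epoch "$ticks")" -lt "$now" ]; then
        echo expired
    else
        echo expires
    fi
}

# LDAP filter for user accounts expiring within $2 days after epoch second $1.
# Lower bound is "now" so already-expired accounts are skipped; the upper
# bound excludes both 0 and 2^63-1 ("never expires") automatically.
expiring_filter() {
    lower=$(epoch_to_ad "$1")
    upper=$(epoch_to_ad "$(( $1 + $2 * 86400 ))")
    printf '(&(objectCategory=person)(objectClass=user)(accountExpires>=%s)(accountExpires<=%s))\n' \
        "$lower" "$upper"
}

# Usage (placeholder host, bind DN and base DN; -W prompts for the password
# instead of putting it on the command line):
# ldapsearch -x -H ldap://dc.example.invalid -D 'EXAMPLE\reader' -W \
#   -b 'DC=example,DC=invalid' "$(expiring_filter "$(date +%s)" 30)" \
#   sAMAccountName accountExpires
```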