Who's leaving the company?

Inspired by this post, I wanted to see if I could do the same thing. LDAP is cool.

I started from zero knowledge, so here are the steps, which will probably be obvious to experienced users.

  1. First, get general information about your domain:

    realm list

    The output will contain your realm-name, which we’ll set as example.lan for the purposes of this tutorial.

  2. Next:

    nslookup -type=SRV _ldap._tcp.example.lan

    This command will display the full hostnames of your Domain Controllers (there will usually be several, since they are replicas).

  3. You should now be able to run ldapwhoami:

    ldapwhoami -H ldap://<URL of the DC> -Y GSSAPI -v

  4. Generic search for users:

    ldapsearch -H ldap://<URL of the DC> -Y GSSAPI -v -b "DC=example,DC=lan" "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName givenName sn mail


Depending on how your administrator has set up the records, you may have people disappearing from the records when they quit / are fired, or they may get assigned a flag, or added to an organizational unit (maybe it’s called “terminated” or something similar).

So you’ll have to filter according to the logic implemented at your place.

In addition, you may have no use for some of the attributes requested above (like givenName or sn); in that case, run the search without the attribute list and the extra filter:

    ldapsearch -H ldap://<URL of the DC> -Y GSSAPI -v -b "DC=example,DC=lan" "(objectClass=user)"
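As an added example (not code from the original post), here is a small Python script that parses two saved ldapsearch outputs and reports who was removed or disabled in between. The disabled check assumes the "flag" convention is the ACCOUNTDISABLE bit (0x2) of userAccountControl; the snapshot data is constructed.

```python
import base64
import re
ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled" in AD

def parse_ldif(text):
    """Parse ldapsearch LDIF into {dn: {attribute: [values]}}."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold wrapped lines
        if not line.strip():
            current = None            # blank line terminates the entry
            continue
        if line.startswith("#"):      # LDIF comments
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):      # 'attr:: <base64>' (non-ASCII/binary values)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if key == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:     # drops 'version:'/'search:'/'result:' lines
            current.setdefault(key, []).append(value)
    return entries

def is_disabled(entry):
    return bool(int(entry.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE)

def who_left(before, after):
    """Accounts that vanished or were newly disabled between two snapshots."""
    removed = sorted(dn for dn in before if dn not in after)
    disabled = sorted(dn for dn in after if dn in before
                      and is_disabled(after[dn]) and not is_disabled(before[dn]))
    return {"removed": removed, "disabled": disabled}

# Constructed sample snapshots in the shape ldapsearch prints (not real data).
SNAPSHOT_MONDAY = """\
# extended LDIF
dn: CN=Bob Example,OU=Staff,DC=example,DC=lan
userAccountControl: 512

dn: CN=Carol Example,OU=Staff,DC=example,DC=lan
userAccountControl: 512
"""
SNAPSHOT_FRIDAY = """\
dn: CN=Carol Example,OU=Staff,DC=example,DC=lan
mail: carol@example.l
 an
description:: VGVybWluYXRlZCAyMDI0
userAccountControl: 514
"""
```

Redirect the ldapsearch output above to a file on each run and feed two of those files to who_left to get the week's departures.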

Implementing an epitaph service is left as an exercise to the reader.