Can someone explain to me where the attrs argument pulls its attributes from? Originally I thought it was essentially the "-Properties" flag from Get-ADUser and I would be able to use those properties, but whenever I try, it says "External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: PasswordExpirationDate "." Where is the attrs list? How can I define more attrs?
Hi @williamcclark,
The ldapsearch command attrs argument is similar to the Get-ADUser cmdlet Properties parameter; however, unlike Get-ADUser, ldapsearch does not return a default set of LDAP attributes. Using ldapsearch without the attrs argument is equivalent to running Get-ADUser -Properties *. (Technically, the default value for attrs is the Python constant ldap3.ALL_ATTRIBUTES, which evaluates to *.)
To limit the attributes returned, provide a comma-delimited list to the attrs argument:
| ldapsearch attrs="sn,givenName,sAMAccountName"
In the add-on code, "Invalid attributes types in attrs list" is returned when a requested attribute is not present in the directory schema.
How are you using the ldapsearch command? Is it being used by another app or add-on? Does the use case expect a schema extension that isn't installed on your target directory? For example, are you searching for Exchange-related attributes in a directory that does not have the Exchange schema extensions installed?
Hi @tscroggins, I was using the search app to run
| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires
accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser.
That may be an off-by-one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.
Name does return a value, as does every other attribute you listed. How is name not valid? Isn't it just pulling from properties in AD?
Ah, you are correct. "name" is the relative distinguished name (RDN) of the object. If the object's distinguished name is CN=foo,DC=example,DC=com, the name value should be foo.
accountExpires is a valid attribute in my Windows Server 2022 Active Directory environment.
A slightly modified version of the search works for me:
| ldapsearch search="(&(objectClass=user))" attrs="name,accountExpires"
What other information can you provide about your Active Directory environment?
Sorry for the late reply... Just started back working on this. For anyone who is curious, the answer was the port we were using had fewer attributes.
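The following is an added example, not code from the add-on or from anyone in this thread. It sketches the kind of pre-check the replies describe, where a requested attrs list is compared with the attribute names a directory endpoint defines. The function names and SAMPLE_SCHEMA are assumptions constructed for illustration; a real check would use the attribute types published by the directory and port you actually query.

```python
# Added example: pre-check an ldapsearch attrs list against a directory schema.
# SAMPLE_SCHEMA is constructed; it is not taken from any real directory.

# Special selectors: all user attributes, all operational attributes, no attributes.
SPECIAL = {"*", "+", "1.1"}

SAMPLE_SCHEMA = {"cn", "sn", "givenName", "sAMAccountName", "displayName",
                 "name", "accountExpires", "member"}


def parse_attrs(attrs):
    """Split a comma-delimited attrs value; an empty value means all attributes."""
    names = [a.strip() for a in attrs.split(",") if a.strip()]
    return names or ["*"]


def invalid_attrs(attrs, schema):
    """Return requested names the schema does not define, in request order."""
    known = {s.lower() for s in schema}   # LDAP attribute names are case-insensitive
    bad = []
    for name in parse_attrs(attrs):
        if name in SPECIAL:
            continue
        base = name.split(";", 1)[0]      # drop options such as ;range=0-1499
        if base.lower() not in known:
            bad.append(name)
    return bad


def check(attrs, schema):
    """Fail before the search is sent, using the error text quoted in the thread."""
    bad = invalid_attrs(attrs, schema)
    if bad:
        raise ValueError("Invalid attribute types in attrs list: " + " ".join(bad))
    return parse_attrs(attrs)


if __name__ == "__main__":
    print(check("sn,givenName,samaccountname", SAMPLE_SCHEMA))
    print(invalid_attrs("name, PasswordExpirationDate", SAMPLE_SCHEMA))
    # An endpoint exposing fewer attributes rejects a list that is valid elsewhere.
    partial = SAMPLE_SCHEMA - {"accountExpires"}
    print(invalid_attrs("name,accountExpires", partial))
```

Running the same attrs list against the attribute set of each endpoint you query shows quickly whether a failure comes from the attribute name itself or from the endpoint exposing fewer attributes.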
