I work at a place where GroupWise and NDS are still used; unfortunate, I know. Prior to implementing an identity management solution I needed to compare the users in NDS against Active Directory. By utilizing the Get-Ldap cmdlet from the free NetCmdlets package I was able to make that happen.

However, before I could get to that point I had to create a secure method of passing credentials to the NDS server. This can be accomplished by creating a credential and exporting it to an XML file, which keeps it on the file system for later use. To do this you need to use PowerShell's Get-Credential cmdlet. By default, this cmdlet prompts you with a GUI message box to input the username and password.

To authenticate with NDS the username needs to be in the form cn=user,o=something. Get-Credential won't accept this because it's looking for an Active Directory username.

To get around this, the first task is to create the ConsolePrompting registry string value and set it to True.

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds -Name ConsolePrompting -Value "True"

Once you do this, Get-Credential will prompt you via the console and allow non-standard usernames. Now create a credential object with the NDS username and password.

$cred = Get-Credential

## Step through the username and password prompts here

Export-Clixml -InputObject $cred -Path secret_user.xml 

Now we've got a way to pull credentials without typing in a password every time. Next, read the credentials back from the XML file and query the NDS server via LDAP to find all users on the server.

$nds_cred = Import-Clixml 'secret_user.xml'
# Pass the credential that was just imported, not the $cred from the export step
Get-Ldap -server SERVERNAME -search 'objectclass=person' -DN 'o=DNNAME' -Credential $nds_cred |
    Select-Object @{Name='Username';Expression={$_.cn}},
    @{Name='Firstname';Expression={$_.givenname}},
    @{Name='Lastname';Expression={$_.sn}},
    @{Name='EmployeeNumber';Expression={$_.workforceid}},
    @{Name='LoginTime';Expression={$_.loginTime[0]}},
    @{Name='DN';Expression={$_.ResultDN}}

The heavy lifting is done via the Get-Ldap cmdlet. All I needed to do was pass the server name I want to query, the LDAP search string (in this case all person objects), the base DistinguishedName I want to start the search at along with the credential to access the server. Just for a pretty display I chose to use Select-Object's calculated properties.
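To tie the steps above together, here is an added example (my own code, not from the original post or the NetCmdlets project) that loads or creates the credential file and then performs the NDS-versus-AD comparison the post set out to do. It assumes the NetCmdlets Get-Ldap cmdlet and the ActiveDirectory module are installed, and that the NDS workforceID attribute carries the same value as AD's employeeNumber; the server and base DN in the usage line are placeholders.

```powershell
function Get-NdsCredential {
    param([string]$Path = 'secret_user.xml')
    if (-not (Test-Path $Path)) {
        # Console prompting must be on so a DN-style name such as cn=user,o=org is accepted
        $key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds'
        $prompting = Get-ItemProperty -Path $key -Name ConsolePrompting -ErrorAction SilentlyContinue
        if ($prompting.ConsolePrompting -ne 'True') {
            throw 'Set ConsolePrompting to True before creating the credential file.'
        }
        $cred = Get-Credential
        # Export-Clixml protects the password with DPAPI: only the same Windows account
        # on the same machine can read it back, which is the scope we want for this file
        $cred | Export-Clixml -Path $Path
    }
    Import-Clixml -Path $Path
}

function Compare-NdsToAd {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BaseDN,
        [string]$CredentialPath = 'secret_user.xml'
    )
    $cred = Get-NdsCredential -Path $CredentialPath

    # NDS side: every person object under the base DN, keyed on workforceID (assumed to match employeeNumber)
    $nds = Get-Ldap -Server $Server -Search 'objectclass=person' -DN $BaseDN -Credential $cred |
        Select-Object @{Name='EmployeeNumber';Expression={[string]$_.workforceid}},
                      @{Name='Username';Expression={[string]$_.cn}} |
        Where-Object { $_.EmployeeNumber }

    # AD side: only accounts that actually carry an employeeNumber
    $ad = Get-ADUser -Filter 'employeeNumber -like "*"' -Properties employeeNumber |
        Select-Object @{Name='EmployeeNumber';Expression={$_.employeeNumber}},
                      @{Name='Username';Expression={$_.SamAccountName}}

    # SideIndicator '<=' means the employee exists only in NDS, '=>' only in AD
    Compare-Object -ReferenceObject @($nds) -DifferenceObject @($ad) -Property EmployeeNumber -PassThru |
        Select-Object EmployeeNumber, Username, SideIndicator
}

# Usage with placeholder names:
# Compare-NdsToAd -Server 'NDSSERVER' -BaseDN 'o=DNNAME'
```

Because the exported file is DPAPI-bound, a scheduled task that uses it must run as the same account that created it; restrict the file's ACL to that account as well.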
