Home page logo
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

File ldap-rootdse

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ldap-rootdse.nse

User Summary

Retrieves the LDAP root DSA-specific Entry (DSE)

Example Usage

nmap -p 389 --script ldap-rootdse <host>

Script Output

389/tcp open  ldap
| ldap-rootdse:
|     currentTime: 20100112092616.0Z
|     subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cqure,DC=net
|     dsServiceName: CN=NTDS Settings,CN=LDAPTEST001,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=cqure,DC=net
|     namingContexts: DC=cqure,DC=net
|     namingContexts: CN=Configuration,DC=cqure,DC=net
|     namingContexts: CN=Schema,CN=Configuration,DC=cqure,DC=net
|     namingContexts: DC=DomainDnsZones,DC=cqure,DC=net
|     namingContexts: DC=ForestDnsZones,DC=cqure,DC=net
|     namingContexts: DC=TAPI3Directory,DC=cqure,DC=net
|     defaultNamingContext: DC=cqure,DC=net
|     schemaNamingContext: CN=Schema,CN=Configuration,DC=cqure,DC=net
|     configurationNamingContext: CN=Configuration,DC=cqure,DC=net
|     rootDomainNamingContext: DC=cqure,DC=net
|     supportedControl: 1.2.840.113556.1.4.319
|     .
|     .
|     supportedControl: 1.2.840.113556.1.4.1948
|     supportedLDAPVersion: 3
|     supportedLDAPVersion: 2
|     supportedLDAPPolicies: MaxPoolThreads
|     supportedLDAPPolicies: MaxDatagramRecv
|     supportedLDAPPolicies: MaxReceiveBuffer
|     supportedLDAPPolicies: InitRecvTimeout
|     supportedLDAPPolicies: MaxConnections
|     supportedLDAPPolicies: MaxConnIdleTime
|     supportedLDAPPolicies: MaxPageSize
|     supportedLDAPPolicies: MaxQueryDuration
|     supportedLDAPPolicies: MaxTempTableSize
|     supportedLDAPPolicies: MaxResultSetSize
|     supportedLDAPPolicies: MaxNotificationPerConn
|     supportedLDAPPolicies: MaxValRange
|     highestCommittedUSN: 126991
|     supportedSASLMechanisms: GSSAPI
|     supportedSASLMechanisms: GSS-SPNEGO
|     supportedSASLMechanisms: EXTERNAL
|     supportedSASLMechanisms: DIGEST-MD5
|     dnsHostName: EDUSRV011.cqure.local
|     ldapServiceName: cqure.net:edusrv011$@CQURE.NET
|     serverName: CN=EDUSRV011,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=cqure,DC=net
|     supportedCapabilities: 1.2.840.113556.1.4.800
|     supportedCapabilities: 1.2.840.113556.1.4.1670
|     supportedCapabilities: 1.2.840.113556.1.4.1791
|     isSynchronized: TRUE
|     isGlobalCatalogReady: TRUE
|     domainFunctionality: 0
|     forestFunctionality: 0
|_    domainControllerFunctionality: 2

The root DSE object may contain a number of different attributes as described in RFC 2251 section 3.4:
* namingContexts: naming contexts held in the server
* subschemaSubentry: subschema entries (or subentries) known by this server
* altServer: alternative servers in case this one is later unavailable.
* supportedExtension: list of supported extended operations.
* supportedControl: list of supported controls.
* supportedSASLMechanisms: list of supported SASL security features.
* supportedLDAPVersion: LDAP versions implemented by the server.

The above example, which contains a lot more information is from Windows 2003 accessible without authentication.
The same request against OpenLDAP will result in significantly less information.

The ldap-search script queries the root DSE for the namingContexts and/or defaultNamingContexts, which it sets as base
if no base object was specified

Credit goes out to Martin Swende who provided me with the initial code that got me started writing this.



  • Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]