David Brossard

Reputation: 13834

Retrieving group membership in LDAP

I am using a sample LDAP which is available online here.

I want to retrieve a user's group membership given their uid. In the example, Gauss (uid=gauss) is a member of the Mathematicians group (ou=mathematicians,dc=example,dc=com).

I tried several LDAP queries but I cannot seem to find the one that returns me the ou=mathematicians given the uid.

There are a lot of similar answers on SO but none seem to fit this very simple use case.

Thanks, David.

Upvotes: 0

Views: 691

Answers (2)

heiglandreas

Reputation: 3861

You won't be able to retrieve the group membership by simply using the uid as the group memberships are stored using the uniqueMember attribute which requires a complete DN as value. Therefore you'll have to use a search filter like uniqueMember=uid=gauss,dc=example,dc=com.

You might think "that's great, so I just add uid=gauss to the baseDN and I'm finished". You might not always have luck with that as it's not defined that users have to be located right in the baseDN. They might be distributed across the complete LDAP tree and then it's going to be tough. But when you already have searched for the user (i.e. for binding) you got the DN back "for free" so you can use that from then on.

Hope that helps!

Upvotes: 1
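The two-step lookup described in this answer (resolve the user's DN from the uid, then search for groups whose uniqueMember holds that DN), as an added example that is not part of the question or either answer. It runs against a small constructed in-memory directory modelled on the example tree (gauss is deliberately placed under a sub-container, ou=people, to show that the DN cannot be assumed to be uid=gauss,<base>). The directory, the evaluator for the filter subset used here, and the function names (escape_filter_value, find_user_dn, groups_of) are all assumptions of this example. Filter values are escaped per RFC 4515, so a uid taken from user input cannot alter the filter structure.

```python
"""Two-step LDAP group lookup against a constructed in-memory directory.
Step 1: find the user's DN from the uid.  Step 2: search for groups whose
uniqueMember holds that full DN.  Values placed in filters are escaped."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]   # attribute name (lower-case) -> values
Directory = Dict[str, Entry]   # DN -> entry


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_filter(uid: str) -> str:
    return "(uid=%s)" % escape_filter_value(uid)


def group_filter(user_dn: str) -> str:
    # uniqueMember stores the member's full DN, so the DN (not the bare uid) is the value.
    return "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(user_dn)


# --- minimal evaluator for the filter subset built above: (attr=value) and (&...) ---
_ASSERTION = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def _value_matches(pattern: str, value: str) -> bool:
    """Unescaped '*' is a wildcard; \\XX escapes are literal characters; case-insensitive."""
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.fullmatch(".*".join(pieces), value, re.IGNORECASE) is not None


def _matches(filt: str, entry: Entry) -> bool:
    if filt.startswith("(&") and filt.endswith(")"):
        inner, depth, start, subs = filt[2:-1], 0, 0, []
        for i, ch in enumerate(inner):          # split the AND into its parenthesised parts
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    subs.append(inner[start:i + 1])
        return all(_matches(sub, entry) for sub in subs)
    m = _ASSERTION.match(filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, pattern = m.group(1).lower(), m.group(2)
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory: Directory, base: str, filt: str) -> List[str]:
    """Subtree search: DNs at or below `base` whose entry matches `filt`."""
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base.lower() or dn.lower().endswith("," + base.lower()))
            and _matches(filt, entry)]


def find_user_dn(directory: Directory, base: str, uid: str) -> Optional[str]:
    hits = search(directory, base, user_filter(uid))
    return hits[0] if len(hits) == 1 else None   # missing or ambiguous uid -> no DN


def groups_of(directory: Directory, base: str, uid: str) -> List[str]:
    dn = find_user_dn(directory, base, uid)
    return search(directory, base, group_filter(dn)) if dn else []


# Constructed sample directory (not the real online sample): gauss sits under ou=people.
SAMPLE_DIRECTORY: Directory = {
    "uid=gauss,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["gauss"]},
    "uid=riemann,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["riemann"]},
    "ou=mathematicians,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=gauss,ou=people,dc=example,dc=com", "uid=riemann,dc=example,dc=com"]},
    "ou=scientists,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=gauss,ou=people,dc=example,dc=com"]},
}

if __name__ == "__main__":
    base = "dc=example,dc=com"
    print(find_user_dn(SAMPLE_DIRECTORY, base, "gauss"))
    print(groups_of(SAMPLE_DIRECTORY, base, "gauss"))
    print(groups_of(SAMPLE_DIRECTORY, base, "*"))   # escaped, so no user matches
```

Against a real server the same two filters go to ldapsearch or an LDAP client library; the escaping step is what matters there, since an unescaped `(uid=*)` or a uid containing `)` changes which entries the first search returns, and therefore which DN ends up in the group search.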

Mario Waltner

Reputation: 61

Not sure if I get right what you want to do, but retrieving group membership is done by a filter similar to this one:

(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=<<<USER-DN>>>))

I always pull the user dn with a separate search:

(&(objectCategory=person)(objectClass=user)(samaccountname=<<<USER LOGON NAME>>>))

I don't know if uid, dn and samaccountname can be used interchangeably in every filter, but try it with uid=<<>> instead.

See this article for details: https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Upvotes: 0
