Tharindu Bandara

Reputation: 106

How To Filter And Limit Attributes Of A Group Object In An LDAP

I want to get users of a group in an LDAP, with a given filter (e.g. uid="test*") and a limit (only 10 users in the results).

The group object looks like below.

    cn=testRole,ou=Groups,dc=WSO2,dc=ORG

This object has multiple member attributes representing users of the role "testRole".

Now I'm using the following query to retrieve all the users in the group.

    (&(objectClass=groupOfNames)(cn=testRole))

And member is set as the returned attribute.

When I run the query, all the 10000 users in the testRole are retrieved (as 10000 member attribute values).

Now,

  1. How do I limit the number of member attribute values?
  2. How do I filter member attribute values by applying a filter to the value of its uid?

Thanks in advance!

I tried setting the returned attribute as member;range=0-99 but it seems like it only works with AD, not with LDAP. I need a solution that would work with LDAP regardless of whether it is AD or not.

Upvotes: 1

Views: 1251

Answers (1)

EricLavault

Reputation: 16035

  1. I think it's not possible as is with OpenLDAP. An idea would be to set up the memberof overlay in the first place so you can grab user entries - not by querying the group and fetching all member attributes - but by directly querying users that are memberOf this group. In this situation, you would be able to paginate the results with the desired range. Not to mention that you will also be able to filter by a specific member, e.g. (&(memberOf=<groupDN>)(uid=<uid>)) (which I think is what you ask in 2-). See these links:

  2. You can use the following filter:

    (&(objectClass=groupOfNames)(cn=testRole)(member=uid=<uid>,ou=people,dc=example,dc=com))
    

    But remember this query just grabs a groupOfNames entry with cn=testRole and containing a member with dn=...; adding the member filter here would just prevent the entry from matching in case the member's <uid> does not exist; any matching uid would not change anything.

I think you can also keep the query as it is; iterating member attributes by range of x to y using Java shouldn't be too hard, it all depends on what you need to do with it.

Upvotes: 1
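The two approaches from the answer above, sketched as an added example (not code from the question or the answer): building the `memberOf` filter with RFC 4515 escaping so a caller-supplied uid pattern cannot change the filter's structure, and the client-side fallback that filters and pages the `member` values already fetched. All function names are hypothetical, the member values are constructed sample data, and `first_rdn` assumes single-valued RDNs.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value, keep_wildcard=False):
    """Escape a filter value; optionally leave '*' as a substring wildcard."""
    return "".join(c if (c == "*" and keep_wildcard) else _ESC.get(c, c) for c in value)

def member_of_filter(group_dn, uid_pattern):
    """Filter for user entries; the server must maintain memberOf (overlay)."""
    return "(&(memberOf=%s)(uid=%s))" % (
        escape_filter_value(group_dn), escape_filter_value(uid_pattern, True))

def first_rdn(dn):
    """(type, value) of the leftmost RDN, decoding RFC 4514 backslash escapes.
    Assumes single-valued RDNs (no '+') and no quoted or '#'-encoded values."""
    raw, i = bytearray(), 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
            raw.append(int(dn[i + 1:i + 3], 16)); i += 3   # hex pair, e.g. \2C
        elif dn[i] == "\\":
            raw += dn[i + 1:i + 2].encode(); i += 2         # escaped char, e.g. \,
        else:
            raw += dn[i].encode(); i += 1
    attr, _, value = raw.decode("utf-8", "replace").partition("=")
    return attr.strip().lower(), value

def uid_matches(uid, pattern):
    """LDAP-style substring match: only '*' is a wildcard, case-insensitive."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, uid, re.IGNORECASE | re.DOTALL) is not None

def filter_members(member_dns, uid_pattern, offset=0, limit=10):
    """Client-side fallback: filter member values by uid, then take one page."""
    hits = [dn for dn in member_dns
            if first_rdn(dn)[0] == "uid" and uid_matches(first_rdn(dn)[1], uid_pattern)]
    return hits[offset:offset + limit]

GROUP_DN = "cn=testRole,ou=Groups,dc=WSO2,dc=ORG"   # group DN from the question
MEMBERS = [                                         # constructed sample values
    "uid=test01,ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=test\\,02,ou=people,dc=example,dc=com",    # escaped comma inside the uid
    "cn=test03,ou=people,dc=example,dc=com",        # not a uid RDN, skipped
    "UID=Test04,ou=people,dc=example,dc=com",
]

if __name__ == "__main__":
    print(member_of_filter(GROUP_DN, "test*"))
    print(filter_members(MEMBERS, "test*", limit=2))
```

With the overlay in place, the string from `member_of_filter` is what gets sent as the search filter, with the client's size limit or paged-results control doing the limiting; `filter_members` only applies when the whole `member` attribute has already been read.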
