signalhouse

Reputation: 83

LDAP query to retrieve users from a specific group

I am trying to write a query to extract the users from an LDAP group. I tried several queries to retrieve the users from a specific group, but none of them seem to have worked so far. For example, these are the queries I tried so far. By the way, our organization uses Radiant Logic for LDAP.

(&(uid=*)(cn=groupofUniqueNames=Group_Name,ou=groups,o=trx))

(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=Group_Name,ou=groups,o=trx))

(&(objectclass=groupOfUniqueNames)(cn=Group_Name,ou=groups,o=trx))

(&(objectclass=groupOfUniqueNames)(cn=Group_Name,ou=users,o=trx))

(&(objectCategory=user)(memberOf=CN=Group_Name,ou=groups,o=trx))

(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=Group_Name,ou=groups,o=trx))

(&(objectCategory=group)(cn=Group_Name))

(&(objectClass=groupOfNames)(cn=Group_Name,ou=groups,o=trx))

(&(objectClass=inetOrgPerson)(memberOf=cn=Group_Name,ou=groups,o=trx))

(&(objectClass=user)(uid=johndoe)(memberof=CN=Group_Name,ou=groups,o=trx))

Upvotes: 1

Views: 1978

Answers (1)

grawity_u1686

Reputation: 16247

If you want to read member (or memberUid, memberDN) values from the LDAP entry representing the group, the most standard way would be to specify the group entry's DN as the search base DN parameter – not as part of the search filter. That is, the LDAP "search" operation would need these parameters:

  • Base: cn=Group_Name,ou=groups,o=trx
  • Scope: BASE
  • Filter: (objectClass=*)
  • Attributes: [member]

Alternatively you could search for the entry's relative DN (RDN), which is cn=Group_Name, and hope that it is unique across the directory:

  • Base: o=trx
  • Scope: SUBTREE
  • Filter: (&(objectClass=groupOfNames)(cn=Group_Name))
    (You should manually verify whether it's "groupOfNames" or "posixGroup" or something else.)
  • Attributes: [member]

There is no universally supported way to match an entry's full DN using just the filter alone, although some servers implement that using operational attributes such as entryDN:

  • Base: o=trx
  • Scope: SUBTREE
  • Filter – Active Directory: (distinguishedName=cn=Group_Name,ou=groups,o=trx)
  • Filter – OpenLDAP: (entryDN=cn=Group_Name,ou=groups,o=trx)
  • Attributes: [member]

Finally, searching for user objects using memberOf= queries may or may not work depending on the server. Some LDAP servers do automatically maintain the inverse memberOf attributes on user objects; some do not; and in some it's a virtual attribute that can only be read but not matched.

  • Base: o=trx
  • Scope: SUBTREE
  • Filter: (memberOf=cn=Group_Name,ou=groups,o=trx)
    Narrowing down by objectClass (standard) or objectCategory (AD-specific) is optional – use it if the group can contain other entries besides users and if you specifically want to ignore them. (Though usually a group can contain other nested groups and you want to chase them recursively, instead of ignoring them.)
    Example: (&(objectClass=posixAccount)(memberOf=cn=Group_Name,ou=groups,o=trx))
  • Attributes: (whatever you need)

Upvotes: 1
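The four searches from the answer above, written out as (base, scope, filter, attributes) tuples, plus the nested-group recursion the answer mentions at the end. This is an added example, not code from the original post or from Radiant Logic; the suffix o=trx and container ou=groups are taken from the question, the objectClass and DN-attribute names from the answer, and the in-memory directory at the bottom is constructed for illustration. One thing the answer does not spell out but a practitioner needs: when the group name or its DN is placed inside a filter it must be escaped per RFC 4515, and when it is placed inside a DN it must be escaped per RFC 4514, otherwise a name such as `Grp*(1)` or `Sales, EMEA` changes the meaning of the search (LDAP filter injection).

```python
"""Build the LDAP searches from the answer with proper escaping, and chase nested groups."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BASE_DN = "o=trx"        # assumed suffix, from the question
GROUPS_OU = "ou=groups"  # assumed group container, from the question

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Search:
    base: str
    scope: str            # "BASE" or "SUBTREE"
    filter: str
    attributes: Tuple[str, ...]


def group_dn(name: str) -> str:
    """DN of the group entry; the cn value is DN-escaped."""
    return f"cn={escape_rdn_value(name)},{GROUPS_OU},{BASE_DN}"


def read_group_entry(name: str) -> Search:
    """Approach 1: the group DN is the search base, scope BASE, filter matches anything."""
    return Search(group_dn(name), "BASE", "(objectClass=*)", ("member",))


def find_group_by_rdn(name: str, object_class: str = "groupOfNames") -> Search:
    """Approach 2: subtree search on the RDN; only safe if cn is unique under the base."""
    flt = f"(&(objectClass={object_class})(cn={escape_filter_value(name)}))"
    return Search(BASE_DN, "SUBTREE", flt, ("member",))


def find_group_by_dn_attr(name: str, server: str = "openldap") -> Search:
    """Approach 3: match the full DN via a server-specific operational attribute."""
    attr = {"openldap": "entryDN", "ad": "distinguishedName"}[server]
    # The DN is itself a filter value here, so its RFC 4514 backslashes get hex-escaped again.
    return Search(BASE_DN, "SUBTREE", f"({attr}={escape_filter_value(group_dn(name))})", ("member",))


def find_members_by_memberof(name: str, object_class: Optional[str] = None) -> Search:
    """Approach 4: reverse lookup; works only where the server maintains and can match memberOf."""
    term = f"(memberOf={escape_filter_value(group_dn(name))})"
    if object_class:
        term = f"(&(objectClass={object_class}){term})"
    return Search(BASE_DN, "SUBTREE", term, ("uid",))


# Constructed in-memory directory standing in for the results of approach 1 on each group.
Entry = Dict[str, List[str]]
DIRECTORY: Dict[str, Entry] = {
    "cn=Group_Name,ou=groups,o=trx": {"objectClass": ["groupOfNames"],
                                      "member": ["uid=johndoe,ou=users,o=trx", "cn=Nested,ou=groups,o=trx"]},
    "cn=Nested,ou=groups,o=trx": {"objectClass": ["groupOfNames"],
                                  "member": ["uid=jane,ou=users,o=trx", "cn=Group_Name,ou=groups,o=trx"]},
    "uid=johndoe,ou=users,o=trx": {"objectClass": ["inetOrgPerson"]},
    "uid=jane,ou=users,o=trx": {"objectClass": ["inetOrgPerson"]},
}


def resolve_members(directory: Dict[str, Entry], dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Chase nested groups recursively, with cycle protection (Nested refers back to Group_Name)."""
    seen = set() if seen is None else seen
    users: Set[str] = set()
    if dn in seen:
        return users
    seen.add(dn)
    for member in directory.get(dn, {}).get("member", []):
        if "groupOfNames" in directory.get(member, {}).get("objectClass", []):
            users |= resolve_members(directory, member, seen)
        else:
            users.add(member)
    return users


if __name__ == "__main__":
    for s in (read_group_entry("Group_Name"), find_group_by_rdn("Grp*(1)"),
              find_group_by_dn_attr("Sales, EMEA"), find_members_by_memberof("Group_Name", "posixAccount")):
        print(s)
    print(sorted(resolve_members(DIRECTORY, "cn=Group_Name,ou=groups,o=trx")))
```

The `Search` tuples map directly onto the base/scope/filter/attributes arguments of any LDAP client (for example `Connection.search()` in the ldap3 library); the point of keeping them as data is that the escaping is applied once, at construction time, before the name is ever handed to a server.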
