Reputation: 10503
I am using ColdFusion 9.1.2.
I have about ten minutes experience using LDAP.
I am creating a login page for a web site. Each user logs in to the network via Active Directory. When they log in to their workstation and access my login page, a query should run to see if the user belongs to a specific group. If they belong to that group, they are automatically logged in. If not, they are shown "permission denied".
Assume that my username is BobJones and the group is NicePeople.
How can I determine who is currently logged in and see if they belong to a specific group?
Upvotes: 1
Views: 1297
Reputation: 2209
To check if a user is a member of a specific group in AD you first need to know that group's DN. You should match the group name you have to the DN of that group. Since you are not specifying, I assume that NicePeople is actually the CN attribute of that group. To get the DN of that group use an LDAP filter like this (&(objectClass=group)(cn=NicePeople)) and request the distinguishedName attribute (or simply use the DN of the retrieved object if your library permits that).
Having the group's DN you need to check the user's memberOf attribute. You will need the user's DN (to make queries); unfortunately I do not know how to get the currently logged-in user.

The memberOf attribute contains a list of DNs of groups of which this user is a member. However, the user is a member of one additional group, which is not present in this list. That group is called the "primary group". The primary group is stored as an integer id in the primaryGroupId attribute of the user. That value is matched to the primaryGroupToken attribute of the group.
Upvotes: 1
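The three steps in the answer above (resolve the group's DN from its cn, compare it against the user's memberOf, then fall back to primaryGroupId versus primaryGroupToken) as an added Python example; it is not code from the question, the answer or ColdFusion's cfldap. It assumes the caller already knows the user's sAMAccountName (the question's BobJones), which the answer says it cannot determine, and it stands a constructed in-memory directory in for the live AD server so it runs offline: `make_fake_search`, the entry names and the token values are all invented for the demonstration. Values placed into the filter are escaped per RFC 4515, because a caller-supplied name such as `*` or `)(cn=*` must not be able to change the filter's structure.

```python
"""Active Directory group-membership check, following the steps in the answer:
1. find the group's DN with (&(objectClass=group)(cn=...)),
2. look for that DN in the user's memberOf,
3. otherwise compare the user's primaryGroupId with the group's primaryGroupToken,
   since the primary group is never listed in memberOf.
Directory access sits behind a `search(filter, attributes)` callable; a real
deployment would wrap a bound LDAP connection, here a constructed toy directory.
"""
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]                       # attribute name -> values
Search = Callable[[str, List[str]], List[Entry]]   # (ldap filter, attrs) -> entries


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value interpolated into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def find_group(search: Search, cn: str) -> Optional[Entry]:
    """Step 1 of the answer: resolve the group's DN (and its primaryGroupToken) from its cn."""
    flt = "(&(objectClass=group)(cn=%s))" % escape_filter_value(cn)
    hits = search(flt, ["distinguishedName", "primaryGroupToken"])
    return hits[0] if hits else None


def find_user(search: Search, sam_account_name: str) -> Optional[Entry]:
    """Look the user up by logon name; memberOf and primaryGroupId are what the check needs."""
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)
    hits = search(flt, ["distinguishedName", "memberOf", "primaryGroupId"])
    return hits[0] if hits else None


def is_member(search: Search, sam_account_name: str, group_cn: str) -> bool:
    """True if the user is in the group directly (memberOf) or via the primary group."""
    group = find_group(search, group_cn)
    user = find_user(search, sam_account_name)
    if group is None or user is None:
        return False                      # unknown user or group: deny, never guess
    group_dn = group["distinguishedName"][0].lower()   # AD DN matching is case-insensitive
    if any(dn.lower() == group_dn for dn in user.get("memberOf", [])):
        return True                       # step 2: direct membership
    pgid, token = user.get("primaryGroupId"), group.get("primaryGroupToken")
    return bool(pgid and token and pgid[0] == token[0])   # step 3: primary group


# ---- constructed toy directory (hypothetical entries, not real AD data) ----
_SIMPLE_AND = re.compile(
    r"^\(&\(objectClass=(\w+)\)\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)\)$")


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def make_fake_search(entries: List[Entry]) -> Search:
    """A stand-in for the LDAP server that understands only the two-term AND filters above."""
    def search(ldap_filter: str, attributes: List[str]) -> List[Entry]:
        m = _SIMPLE_AND.match(ldap_filter)
        if not m:
            return []
        cls, attr, raw = m.groups()
        want = _unescape(raw).lower()     # compared literally: "*" is not a wildcard here
        hits = []
        for e in entries:
            if cls.lower() in [v.lower() for v in e.get("objectClass", [])] \
                    and want in [v.lower() for v in e.get(attr, [])]:
                hits.append({a: e[a] for a in attributes if a in e})
        return hits
    return search


NICE_DN = "CN=NicePeople,OU=Groups,DC=example,DC=com"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
DIRECTORY: List[Entry] = [
    {"objectClass": ["group"], "cn": ["NicePeople"],
     "distinguishedName": [NICE_DN], "primaryGroupToken": ["1105"]},
    {"objectClass": ["group"], "cn": ["Domain Users"],
     "distinguishedName": [DOMAIN_USERS_DN], "primaryGroupToken": ["513"]},
    # BobJones: in NicePeople via memberOf, primary group is Domain Users
    {"objectClass": ["user"], "sAMAccountName": ["BobJones"],
     "distinguishedName": ["CN=Bob Jones,OU=Staff,DC=example,DC=com"],
     "memberOf": [NICE_DN], "primaryGroupId": ["513"]},
    # AliceSmith: NicePeople is her primary group, so it is absent from memberOf
    {"objectClass": ["user"], "sAMAccountName": ["AliceSmith"],
     "distinguishedName": ["CN=Alice Smith,OU=Staff,DC=example,DC=com"],
     "memberOf": [], "primaryGroupId": ["1105"]},
    # EveTrent: not in NicePeople at all
    {"objectClass": ["user"], "sAMAccountName": ["EveTrent"],
     "distinguishedName": ["CN=Eve Trent,OU=Staff,DC=example,DC=com"],
     "memberOf": [], "primaryGroupId": ["513"]},
]
SEARCH = make_fake_search(DIRECTORY)

if __name__ == "__main__":
    for name in ("BobJones", "AliceSmith", "EveTrent"):
        print(name, "NicePeople:", is_member(SEARCH, name, "NicePeople"))
```

AliceSmith is the case the answer warns about: her memberOf is empty, and only the primaryGroupId/primaryGroupToken comparison reports her as a member. In a real deployment the `search` callable would issue the same two filters over a bound LDAP connection (for ColdFusion, a cfldap query), and the login page would deny access on any lookup failure rather than treating it as "not a member of the denied group".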