How can I create a security group in LDAP server? - active-directory

I am trying to create a security group in an LDAP server using unbounded-ldap-sdk, but whenever I try to query the group with the filter below, it does not return the group.
Filter: (&(groupType:1.2.840.113556.1.4.803:=2147483648)(cn=test_group*))
The group is:
dn: CN=bpa,DC=developer,DC=tester,DC=example,DC=com
objectClass: group
groupType: -2147483646
instanceType: 4
objectClass: top
objectCategory: Group
cn: test_group
distinguishedName: CN=bpa,DC=developer,DC=tester,DC=example,DC=com
description: test group for testing
name: test_group
Code to query the server:
String filter = "(&(groupType:1.2.840.113556.1.4.803:=2147483648)(cn=test_group*))";
javax.naming.directory.SearchControls searchControls = new javax.naming.directory.SearchControls();
// the returned attributes are a String array, not a set literal
searchControls.setReturningAttributes(new String[] {"name", "cn"});
searchControls.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
// search() is an instance method; ctx is an already-bound javax.naming.directory.DirContext
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
    ctx.search("DC=developer,DC=tester,DC=example,DC=com", filter, searchControls);
Could you please help me to find out the problem?

Well, it is complicated. Microsoft Active Directory classifies groups in several different ways.
GroupType is a bitmask attribute.
The group type in your entry is groupType: -2147483646 which is a Global Security Group.
I see nothing wrong with your LDAP filter or the group. However, you do not show the baseDN of the group search or if you are querying the Global Catalog. You could have an issue with LDAP referrals being returned.
Please always tell us what you have tried, show logs or results, and read:
https://stackoverflow.com/help/how-to-ask

Related

Create new group from specific title and group

I'm really bad at LDAP so I don't really know where to start.
Is it possible to make a new distribution or security group with users from another group that have a specific Title? There are too many users to add them manually.
It would be helpful to know how you want to interact with AD -- writing a program (language?) or using an LDAP client (which one?). I'll provide info on using ldifde.exe from the remote server administration tools. To get a list of DNs that are in another group and have a specific title, use a filter with the title and membership requirement
ldifde -f output.txt -r "(&(title=Desired Title)(memberOf=cn=GroupName,ou=Groups,dc=example,dc=com))" -l "NULL"
This returns user records that are direct members of the specified group (you'll need the fully qualified LDAP DN of the group, wildcards are not supported for memberOf -- the example is a group named "GroupName" in an OU called "Groups" at the root of the example.com AD).
Then you need to create a new group with the identified user DNs as members. The output.txt file will have a lot of lines that say "changetype: add\n\n" ... get rid of those so you've just got DNs. Change the "dn: " to "member: ". Prepend the following information to the list of group members to create an LDIF file to create a new global security group:
dn: CN=GroupName,OU=Groups,dc=example,dc=com
changetype: add
objectClass: group
cn: GroupName
distinguishedName: CN=GroupName,OU=Groups,dc=example,dc=com
instanceType: 4
name: GroupName
sAMAccountName: GroupName
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=example,dc=com
member: CN=Person1,OU=ResourceUsers,dc=example,dc=com
member: CN=Person2,OU=ResourceUsers,dc=example,dc=com
member: CN=Person3,OU=ResourceUsers,dc=example,dc=com
member: CN=Person4,OU=ResourceUsers,dc=example,dc=com
member: CN=Person5,OU=ResourceUsers,dc=example,dc=com
Import the LDIF file using:
ldifde -i -v -k -y -f output.txt
The group will be created & populated with the accounts listed in the "member" attribute.
This doesn't do anything if you add a new person to the first group with the desired title -- this is a one-time snapshot. You can easily identify people who should be added to or removed from the second group:
Need to be added -- anyone with desired title who is a member of SourceGroupName but not a member of CreatedGroupName:
(&(title=Desired Title)(memberOf=cn=SourceGroupName,ou=Groups,dc=example,dc=com)(!(memberOf=cn=CreatedGroupName,ou=Groups,dc=example,dc=com)))
Need to be removed -- anyone who is a member of CreatedGroupName who is not a member of SourceGroupName or does not have the desired title.
(&(memberOf=cn=CreatedGroupName,ou=Groups,dc=example,dc=com)(|(!(title=Desired Title))(!(memberOf=cn=SourceGroupName,ou=Groups,dc=example,dc=com))))
Add/remove members from the new group as individuals match one of these two filters.
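The two halves of the procedure above (turning the ldifde output into a group-creation LDIF, then re-running the add/remove filters later) as an added, client-side Python example. This is not the answer's own code or an ldifde feature: the ldifde output text, the group and user DNs, the title and the user records are all constructed here, and the reconcile() function is simply the two filters above evaluated against in-memory user records.

```python
import base64

# Added example (not from the answer above): turn the "ldifde -l NULL" output
# into a group-creation LDIF, then compute the add/remove sets described by
# the two reconciliation filters. All DNs, titles and users are constructed.

SOURCE_GROUP = "cn=SourceGroupName,ou=Groups,dc=example,dc=com"
CREATED_GROUP = "CN=CreatedGroupName,OU=Groups,dc=example,dc=com"
WANTED_TITLE = "Desired Title"

# Constructed stand-in for output.txt: one "dn:" per matching user, each
# followed by "changetype: add" and a blank line. A DN with a non-ASCII
# character appears base64-encoded behind "dn::" as LDIF requires, and one
# long line is folded onto a continuation line (leading space).
LDIFDE_OUTPUT = (
    "dn: CN=Person1,OU=ResourceUsers,dc=example,dc=com\nchangetype: add\n\n"
    "dn: CN=Person2,OU=Resource\n Users,dc=example,dc=com\nchangetype: add\n\n"
    "dn:: " + base64.b64encode("CN=Pérson3,OU=ResourceUsers,dc=example,dc=com".encode()).decode()
    + "\nchangetype: add\n\n"
)


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def dns_from_ldifde(text):
    """Keep only the DNs; "changetype: add" and blank lines are discarded."""
    dns = []
    for line in unfold_ldif(text):
        if line.startswith("dn:: "):                       # base64-encoded DN
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def ldif_attr(name, value):
    """LDIF line for one attribute; non-ASCII values must be base64 ("::")."""
    if value.isascii():
        return f"{name}: {value}"
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode()


def group_ldif(group_cn, member_dns, domain_dn="dc=example,dc=com"):
    """Build the LDIF that creates a global security group with the given members."""
    group_dn = f"CN={group_cn},OU=Groups,{domain_dn}"
    lines = [
        f"dn: {group_dn}",
        "changetype: add",
        "objectClass: group",
        f"cn: {group_cn}",
        f"distinguishedName: {group_dn}",
        "instanceType: 4",
        f"name: {group_cn}",
        f"sAMAccountName: {group_cn}",
        "groupType: -2147483646",    # global (0x2) + security-enabled (0x80000000)
        f"objectCategory: CN=Group,CN=Schema,CN=Configuration,{domain_dn}",
    ]
    lines += [ldif_attr("member", member) for member in member_dns]
    return "\n".join(lines) + "\n"


def reconcile(users, source_group=SOURCE_GROUP, created_group=CREATED_GROUP,
              title=WANTED_TITLE):
    """Client-side equivalent of the two filters: who to add, who to remove.
    users: dicts with 'dn', 'title' and 'memberOf' (list of group DNs).
    Group DNs compare case-insensitively, as they do in AD."""
    def in_group(user, group):
        return any(m.lower() == group.lower() for m in user["memberOf"])

    to_add = [u["dn"] for u in users
              if u.get("title") == title
              and in_group(u, source_group)
              and not in_group(u, created_group)]
    to_remove = [u["dn"] for u in users
                 if in_group(u, created_group)
                 and (u.get("title") != title or not in_group(u, source_group))]
    return to_add, to_remove


# Constructed directory state some time after the initial import.
USERS = [
    {"dn": "CN=Person1,OU=ResourceUsers,dc=example,dc=com", "title": "Desired Title",
     "memberOf": [SOURCE_GROUP, CREATED_GROUP]},              # in sync
    {"dn": "CN=Person4,OU=ResourceUsers,dc=example,dc=com", "title": "Desired Title",
     "memberOf": [SOURCE_GROUP]},                             # new hire: add
    {"dn": "CN=Person2,OU=ResourceUsers,dc=example,dc=com", "title": "Other Title",
     "memberOf": [SOURCE_GROUP, CREATED_GROUP]},              # title changed: remove
    {"dn": "CN=Person3,OU=ResourceUsers,dc=example,dc=com", "title": "Desired Title",
     "memberOf": [CREATED_GROUP]},                            # left source group: remove
]

if __name__ == "__main__":
    print(group_ldif("GroupName", dns_from_ldifde(LDIFDE_OUTPUT)))
    print(reconcile(USERS))
```

The base64 handling matters in practice: ldifde writes any DN containing a non-ASCII character as `dn::`, and a naive "replace dn: with member:" edit would either drop those users or produce an LDIF that fails on import.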

Saved LDAP Query Locked Out Specific OU

Currently I can do this in powershell via this script:
Search-ADAccount –LockedOut -SearchBase 'OU=location,OU=country,DC=company,DC=com' | ft Name, SamAccountName, LastLogonDate
I would rather have it in a LDAP saved query, I found this one to display all locked out accounts in the company:
(&(&(ObjectCategory=Person)(ObjectClass=User)(LockoutTime>=1)))
I have tried a number of combinations, but I can't seem to get it right. Here is one of them:
(&(&(ObjectCategory=Person)(ObjectClass=User)(memberof=OU=location,OU=country,DC=company,DC=com)(LockoutTime>=1)))
What am I doing wrong?
As information, when you create a new query, you have the option of specifying the "query root"... by drilling down with that, I was able to achieve the desired goal. I didn't have to modify the query string at all.
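An added Python illustration of why the query root, not a memberOf clause, is what restricts the saved query to an OU. This is not code from the question or answer: an OU is a container rather than a group, so memberOf can never match its DN; a user is inside the OU when the user's DN ends with the OU's DN, which is exactly what the subtree search base enforces. The user and computer entries, DNs and lockoutTime values are constructed here.

```python
# Added example, not part of the question or answer above: why the OU has to
# be the query root (search base) rather than a memberOf value. An OU is a
# container, not a group, so memberOf never matches it; a user is "in" the OU
# when its DN ends with the OU's DN. Sample entries are constructed; the
# lockoutTime values are arbitrary non-zero FILETIME-style numbers.

SEARCH_BASE = "OU=location,OU=country,DC=company,DC=com"


def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514) and normalise
    spacing and case, which AD treats as insignificant in DN comparisons."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return parts


def is_under_base(dn, base):
    """True when dn is base itself or lies anywhere beneath it (subtree scope)."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def locked_out_under(entries, base):
    """Client-side version of the saved query with the query root set to base:
    (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1)) over the
    subtree. Caveat: lockoutTime stays set until the next successful logon,
    so this also lists lockouts that lockoutDuration has already released;
    Search-ADAccount -LockedOut accounts for that, this filter does not."""
    return [e["dn"] for e in entries
            if e["objectCategory"].lower() == "person"
            and "user" in [c.lower() for c in e["objectClass"]]
            and e.get("lockoutTime", 0) >= 1
            and is_under_base(e["dn"], base)]


# Constructed entries; objectCategory is kept as the short class name the
# filter uses rather than the full schema DN AD actually stores.
ENTRIES = [
    {"dn": "CN=Alice,OU=Location, OU=Country,DC=Company,DC=com",       # case/space differences
     "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "lockoutTime": 133000000000000000},
    {"dn": "CN=Bob\\, Robert,OU=location,OU=country,DC=company,DC=com",  # escaped comma in CN
     "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "lockoutTime": 133000000000000001},
    {"dn": "CN=Carol,OU=location,OU=country,DC=company,DC=com",         # not locked out
     "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "lockoutTime": 0},
    {"dn": "CN=Dave,OU=othersite,OU=country,DC=company,DC=com",         # outside the query root
     "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "lockoutTime": 133000000000000002},
    {"dn": "CN=Server01,OU=location,OU=country,DC=company,DC=com",      # computer, not Person
     "objectCategory": "Computer", "objectClass": ["top", "person", "user", "computer"],
     "lockoutTime": 1},
]

if __name__ == "__main__":
    for dn in locked_out_under(ENTRIES, SEARCH_BASE):
        print(dn)
```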

ldap nested group (attribute to look while parsing for group membership)

To retrieve groups belonging to all users I am using following filter:
(&(objectclass=*)(member:1.2.840.113556.1.4.1941:=cn=sam,DC=aaaldap,DC=com))
And I am able to retrieve multiple DN entries like:
1. GOT ENTRY: DN => CN=group1,CN=Users,DC=aaaldap,DC=com
LDAP: Attribute Length Valueldap_get_dn
1d21h: LDAP: cn 6 group1
2. LDAP: GOT ENTRY: DN => CN=group2,CN=Users,DC=aaaldap,DC=com
LDAP: Attribute Length Valueldap_get_dn
1d21h: LDAP: cn 6 group2
All I am interested in is group membership, so I want to parse the CN attribute received in the entry and assume it is a group.
Can someone suggest whether it is a valid assumption to parse the CN attribute and mark its value as the "group" membership to which it belongs?
You should specify a real objectClass instead of just *, to limit the search to whatever object class you are using for groups. Then anything you get back must be a group. The search may also run faster.

How to get the nested groups in LDAP/AD?

We have an LDAP login problem of a specific user and I'm suspecting that this is due to cyclic groups assignment in LDAP, i.e. the user is assigned to groups A,B,C,D. Group A contains sub-groups E,F,G and group E contains group A again.
If I query for the user I can see that he has been assigned to 50+ groups, and each group may contain more groups, and each of those may contain more....
My question is whether there's a query I can run to get the nested groups inside those main groups all the way down, instead of going through each group and doing it manually?
The server is AD
To find all the groups that "user1" is a member of (adaptation of this answer see AD search filter):
Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
Set the scope to subtree
Use the following filter : (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
Example with LDIFDE.EXE (native command line AD search on windows) :
ldifde -f t.txt -d "DC=dom,DC=fr" -r "(member:1.2.840.113556.1.4.1941:=CN=jblanc,OU=MonOu,DC=dom,DC=fr)"
Remark: as far as I remember there is a small syntax difference in the user DN name in brackets. '1.2.840.113556.1.4.1941' is not working in W2K3 SP1; it begins to work with SP2. I presume it's the same with W2K3 R2. I tested here with W2K8R2.
With Apache Directory Studio: (screenshot of the search and its result not reproduced)
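What the chain matching rule computes, as an added client-side Python example covering both nested-group questions above (the filter in the first, the cyclic nesting in the second). This is not code from either answer or from Apache Directory Studio: it walks memberOf links transitively over a constructed directory whose group and user names (A to H, user1) are invented, with the `dc=dom,dc=fr` suffix borrowed from the answer. The directory deliberately contains the cycle the question describes, so it also shows why a visited set is what keeps such a walk finite.

```python
from collections import deque

# Added example, not from either answer above: a client-side equivalent of the
# (member:1.2.840.113556.1.4.1941:=<dn>) chain search, run over a constructed
# directory that contains the cycle described in the question (A contains E,
# E contains A). Group and user DNs are invented; the suffix follows the
# answer's dc=dom,dc=fr example.


def dn(cn):
    return f"CN={cn},CN=Users,DC=dom,DC=fr"


# Constructed: group DN -> values of its "member" attribute.
DIRECTORY = {
    dn("A"): [dn("user1"), dn("E"), dn("F"), dn("G")],
    dn("B"): [dn("user1")],
    dn("C"): [dn("user1")],
    dn("D"): [dn("user1")],
    dn("E"): [dn("A")],          # cycle: E contains A, A contains E
    dn("F"): [],
    dn("G"): [],
    dn("H"): [dn("D")],          # user1 reaches H only through D
}


def norm(value):
    """DN comparison in AD ignores case and spaces around commas."""
    return ",".join(p.strip() for p in value.split(",")).lower()


def memberof_index(directory):
    """Invert member -> set of groups listing it directly (what memberOf shows)."""
    index = {}
    for group, members in directory.items():
        for member in members:
            index.setdefault(norm(member), set()).add(group)
    return index


def groups_in_chain(member_dn, directory):
    """Every group that contains member_dn directly or through any depth of
    nesting, sorted. The visited dict guarantees termination even when the
    nesting is cyclic, which is also why the server-side rule does not loop
    forever on such data."""
    index = memberof_index(directory)
    found = {}                                  # normalised DN -> original DN
    queue = deque([norm(member_dn)])
    while queue:
        current = queue.popleft()
        for group in index.get(current, ()):
            key = norm(group)
            if key not in found:
                found[key] = group
                queue.append(key)
    return sorted(found.values())


def cyclic_groups(directory):
    """Groups that end up containing themselves through nesting."""
    return sorted(g for g in directory
                  if norm(g) in {norm(x) for x in groups_in_chain(g, directory)})


if __name__ == "__main__":
    for g in groups_in_chain(dn("user1"), DIRECTORY):
        print(g)
    print("cycles:", cyclic_groups(DIRECTORY))
```

Running it lists A, B, C, D, E and H for user1 (F and G never contain the user) and reports A and E as the cyclic pair. Against a real domain controller the same set comes back from a single search with the 1.2.840.113556.1.4.1941 filter, with the server doing the walk.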

How to determine whether a group is security group?

I need to check whether a group given by name is a security group in AD using C# code.
I noticed there's a property named "groupType" in the group's properties, but I don't know what this property is used for. I checked several groups and found its value can be null, 8 or -2147483646. Is it associated with the security group type?
I also found that in the distinguishedName of the group there can be "OU=Security Group" or "OU=Secuity Group with Mail Lists" blabla. Can it be a criterion to determine security group type?
Thanks in advance.
From http://adsearch-winzero.blogspot.com/2006/04/object-group-attribute-grouptype.html
The groupType attribute returns the type of group. However the returned value is in RAW format.
...
-2147483646 ~ Global Security Group
-2147483644 ~ Local Security Group
-2147483643 ~ BuiltIn Group
-2147483640 ~ Universal Security Group
2 ~ Global Distribution Group
4 ~ Local Distribution Group
8 ~ Universal Distribution Group
You can use "Security Group" as a query condition, but it's not so trustworthy, depending on how your company set it up. It's better to have an OU entry for all security groups and use that entry directly.
With all due respect to Matt, the better answer should come from Microsoft:
https://msdn.microsoft.com/en-us/library/ms675935(v=vs.85).aspx
The values are the same, but should still come from the creator. The * security group is derived from adding the security group value of -2147483648 to the * distribution group value.
https://blogs.technet.microsoft.com/heyscriptingguy/2004/12/21/how-can-i-tell-whether-a-group-is-a-security-group-or-a-distribution-group/
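An added Python example tying together the groupType table quoted above and the bitwise filter from the first question on this page. It is not code from any of the posts: it decodes a raw groupType value into the names in the table using Microsoft's documented GROUP_TYPE_* flag values, and evaluates the 1.2.840.113556.1.4.803 (bitwise AND) and 1.2.840.113556.1.4.804 (bitwise OR) matching rules client-side, which is why the filter `(groupType:1.2.840.113556.1.4.803:=2147483648)` matches a group whose groupType reads -2147483646. The sample group DNs and their values are constructed.

```python
# Added example, not from any of the posts above: decode groupType the way the
# Microsoft documentation linked above defines it, and evaluate the bitwise
# matching rules used in the first question's filter. Flag names and values
# are Microsoft's GROUP_TYPE_* constants; the sample group entries are
# constructed.

GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001   # system-created builtin groups
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002         # global scope
GROUP_TYPE_RESOURCE_GROUP = 0x00000004        # domain local scope
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008       # universal scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000      # security group; absent = distribution

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def to_unsigned32(value):
    """groupType is stored as a signed 32-bit integer (hence the negative values
    in the table above); the flags are defined on the unsigned view."""
    return value & 0xFFFFFFFF


def bit_rule_matches(attribute_value, rule_oid, mask):
    """Semantics of (attr:<rule_oid>:=<mask>): BIT_AND needs every mask bit set,
    BIT_OR needs at least one of them."""
    mask = to_unsigned32(mask)
    bits = to_unsigned32(attribute_value) & mask
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return bits == mask
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return bits != 0
    raise ValueError(f"unknown matching rule {rule_oid}")


def is_security_group(group_type):
    """The check the original filter performs on each group's groupType."""
    return bit_rule_matches(group_type, LDAP_MATCHING_RULE_BIT_AND,
                            GROUP_TYPE_SECURITY_ENABLED)


def describe_group_type(group_type):
    """Human-readable name matching the table quoted above."""
    bits = to_unsigned32(group_type)
    if bits & GROUP_TYPE_BUILTIN_LOCAL_GROUP:
        return "BuiltIn Group"
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    for flag, scope in ((GROUP_TYPE_ACCOUNT_GROUP, "Global"),
                        (GROUP_TYPE_RESOURCE_GROUP, "Local"),
                        (GROUP_TYPE_UNIVERSAL_GROUP, "Universal")):
        if bits & flag:
            return f"{scope} {kind} Group"
    return f"Unknown {kind} Group (0x{bits:08x})"


# Constructed sample groups: DN -> groupType as AD returns it.
SAMPLE_GROUPS = {
    "CN=bpa,DC=developer,DC=tester,DC=example,DC=com": -2147483646,                        # global security
    "CN=newsletter,DC=developer,DC=tester,DC=example,DC=com": 8,                           # universal distribution
    "CN=Administrators,CN=Builtin,DC=developer,DC=tester,DC=example,DC=com": -2147483643,  # builtin
}


def security_group_dns(groups):
    """What (groupType:1.2.840.113556.1.4.803:=2147483648) selects from groups."""
    return sorted(d for d, gt in groups.items()
                  if bit_rule_matches(gt, LDAP_MATCHING_RULE_BIT_AND, 2147483648))


if __name__ == "__main__":
    for d, gt in SAMPLE_GROUPS.items():
        print(f"{gt:>12}  {describe_group_type(gt):<28} {d}")
    print(security_group_dns(SAMPLE_GROUPS))
```

The signed/unsigned conversion is the whole trick: -2147483646 is 0x80000002, i.e. the security-enabled bit plus the global-scope bit, which is the "adding -2147483648 to the distribution value" arithmetic described above. Checking the bit is more reliable than matching on an "OU=Security Group" naming convention, since the latter depends on how the directory was laid out.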
