Develop Reference

LDAP query to get list of members in an AD group

I checked a few posts asked the similar questions before, but none works for my case, not sure if something wrong on my side or it's the AD.
So I have security group at path:
CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm,AD
And in the MigratedUsers group, there is a member property with a few AD users in the group.
I am trying to get the list of users, so I can iterate through them.
So in my base location I specified:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
For the LDAP Filter I have:
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
The result returned 0 records.
I tried other combinations such as (&(objectCategory=group)(CN=MigratedUsers)), it doesn't work either.
So, could anyone point out to me if anything in my query is wrong or I need to start checking something else like AD settings etc.
Thank you.

Your first filter looks fine :
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
But the search base is not, (it's a group search base, while you want to retrieve user entries). The user base should look like this :
OU=Users,OU=National Organization,DC=abc,DC=firm

You're searching for users, but you set the base of the search to:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
That tells it to only return users that are in the Azure Groups OU. I'm guessing that there are no users in that OU. Set the base of the search to the root of the domain (e.g. DC=abc,DC=firm), or just don't set it at all, since that will be the default.
Your first filter is the correct one (which has the full DN of the group).

How to query for users where one set is deeper in the tree than the other

Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
How would you express the query for that? I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of (|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Never had to do much with LDAP, so please excuse the somewhat open-ended question.

Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
These are not the valid distinguishedName for user objects.
User objects are stored in some parent container (like OUs), and their distinguishedName starts with CN. OUs are top level containers which contain child objects like users, computers, child OUs, etc.
I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of
(|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Your filter didn't work because you didn't select the appropriate filtering conditions. You need to apply the filter for (objectCategory=person) or (objectCategory=user). You can also use objectClass as the filtering parameter instead of objectCategory. Check the link Filter on objectCategory and objectClass to know in detail.
How would you express the query for that?
Assuming your users are as below:
CN=Firstname lastname,OU=IT Dept,OU=Groups,DC=mycompany,DC=com
CN=Firstname lastname,OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
Then your LDAP query should have SearchBase set to what you currently have (OU=Groups,DC=mycompany,DC=com), and filter on (|(objectCategory=person)(objectCategory=user)) and any additional filter if you'd like, e.g., you may want to search by sAMAccountName, name, etc.
As highlighted in the second para, you can also use objectClass as the filter type to get the desired result.

How to filter null or empty attributes from an Active Directory Query

I am working with a customers Active Directory which has a lot of cruft in it. There are hundreds of Users with empty givenName and sn attributes. I would like to filter any records that have an empty sn or an empty givenName from my query results as those records cannot be processed by my application.
This works as per my requirements but I believe there must be a better way to do it:
(&(objectClass=User)(|(!(!(sn=*))))(!(!(givenName=*)))))
Is there a more clear and concise way to accomplish this with an ldap query?

sn and givenName have as their superior the name attribute, which is of DirectoryString syntax, that is, the syntax is 1.3.6.1.4.1.1466.115.121.1.15. Attributes which are of syntax DirectoryString are not allowed to be null, that is, a DirectoryString is required to have at least one character.
The filter sn=* is a present filter (not a substring or regular expression), meaning that the entry would be filtered out of the possible search results if the sn attribute is not present (if it is present, it must have at least one character). Same for givenName=*.
A simpler filter might be '(&)', where the search request contains the following in its list of attributes to be returned: #User, which will return all attributes in the User objectClass for each entry that matches the filter, then have the application extract the sn and givenName attributes from each entry that is returned. If the number of entries returned is large, use the Simple Paged Results Request Control to throttle the number of entries returned to a more manageable value.
Or ... it might be that Active Directory is not LDAP compliant and does not support the inetOrgPerson objectClass and syntaxes of attributes therein correctly and does allow empty or null attributes values for DirectoryString attributes, though I can't imagine Microsoft would deliver a product that is not LDAP compliant.
see also
LDAP Programming Practices
RFC 4519

(!(!(givenName=*))) = (!givenName=*)
https://technet.microsoft.com/en-us/library/ee198810.aspx

LDAP nested group filter for microsoft AD

I would like to write a search filter which would help me retrieve all groups which a user is part of.
For instance:
Say I am retrieving entries for user A (which is part of group A). And group A may be part of group B and group D which in turn may be part of group E.
Now, my search filter should return me MemberOf attribute as all possible groups which user A is part of (in this specific case it is Group A, B, D, E).
Any pointers on how the search filter can look like?

This should do what you are asking about. It will return the FDN of each group the user is a memberOf, however, this queries the group, not the user.
As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.
(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))
-jim

There is an attribute called tokenGroups in user object. It's a constructed attributes calculated by Active Directory on the runtime. It includes all the groups the user object belong to.
Make sure your domain has a Global Catalog and make sure the account that you are using Pre-Windows 2000 Compatible Access group. Then, make sure tokenGroups is specified as one of the returned property. Do a base scope search on the user object.

You can use adfind.exe (joeware) to sort out this issue and to utilize standard ldap filters that are described here. For example:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Group nesting is specified to be like this:
(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
and if you use adfind, then it would look like this:
adfind -f "(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)" samaccountname -list
If you want to have output other than samaccountname, for example displayname, or mail attribute, just add to the list. Also if you want to search multiple users, then you might want to have inputfile containing all users and some script to extract each lines to adfind for example.

single line LDAP query that enumerates users from a group within a supergroup

I have a scheme that looks like this:
Users exist like UserA, UserB, UserC.
Groups exist like OverGroup, SubGroup.
OverGroup automatically adds new users like UserA, UserB, etc. to its membership.
SubGroup I created myself. I have set OverGroup to be a member of SubGroup.
I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:
Values:
CN=OverGroup,OU=Groups,DC=example,DC=com
but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:
Values:
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com
Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)
Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.
Here is an example of how to retrieve all users in a group, including nested groups:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
where {0} is the DN of the parent group.

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=MPV_BedPlacement,OU=Security Groups,OU=Groups,OU=CCHCS,DC=CCHCS,DC=LDAP))
You have to add the full DN for the group and no curly braces.