Getting all members of a group and its subgroups - active-directory

I have groups as such:
GroupA
  GroupB
    Users
  GroupG
    Users
So the goal is to get all users that are members of parent group GroupA.
I have the following filter:
(&(objectCategory=Person)(objectClass=User)(mail=*MyEmailDomain.com)(memberOf=CN=GroupB,OU=MyOU3,OU=MyOU2,OU=MyOU1,DC=MyDomain,DC=LOCAL))
Which works for the lowest level groups.
From research, it seems that this should work, but doesn't:
(&(objectCategory=Person)(objectClass=User)(mail=*MyEmailDomain.com)(memberof:1.2.840.113556.1.4.1941:=(CN=GroupA,OU=MyOU3,OU=MyOU2,OU=MyOU1,DC=MyDomain,DC=LOCAL)))
If it matters, I'm using Active Directory Explorer to get the Distinguished Names, and the LDAP Input step in Pentaho's Data Integration tool (Kettle/PDI) to retrieve the data.

I love the fact that I always find the answer to my questions as soon as I post them somewhere. I need to learn to post much earlier and maybe I will spend less time searching :)
Found a random Stack Overflow post that indicated there's an error in the MSDN article for this and it has too many parentheses.
This won't work:
(&(objectCategory=Person)(objectClass=User)(mail=*MyEmailDomain.com)(memberof:1.2.840.113556.1.4.1941:=(CN=GroupA,OU=MyOU3,OU=MyOU2,OU=MyOU1,DC=MyDomain,DC=LOCAL)))
But this DOES work:
(&(objectCategory=Person)(objectClass=User)(mail=*MyEmailDomain.com)(memberof:1.2.840.113556.1.4.1941:=CN=GroupA,OU=MyOU3,OU=MyOU2,OU=MyOU1,DC=MyDomain,DC=LOCAL))
(no parentheses around the Distinguished Name)

Hi, this does not fetch the users recursively. It just gives the list of users of the parent group only.
(&(objectCategory=Person)(objectClass=User)(mail=*MyEmailDomain.com)(memberof:1.2.840.113556.1.4.1941:=CN=GroupA,OU=MyOU3,OU=MyOU2,OU=MyOU1,DC=MyDomain,DC=LOCAL))

Related

LDAP query to get list of members in an AD group

I checked a few posts that asked similar questions before, but none works for my case; I'm not sure if something is wrong on my side or it's the AD.
So I have security group at path:
CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm,AD
And in the MigratedUsers group, there is a member property with a few AD users in the group.
I am trying to get the list of users, so I can iterate through them.
So in my base location I specified:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
For the LDAP Filter I have:
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
The result returned 0 records.
I tried other combinations such as (&(objectCategory=group)(CN=MigratedUsers)), it doesn't work either.
So, could anyone point out to me if anything in my query is wrong, or if I need to start checking something else like AD settings, etc.?
Thank you.
Your first filter looks fine:
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
But the search base is not (it's a group search base, while you want to retrieve user entries). The user base should look like this:
OU=Users,OU=National Organization,DC=abc,DC=firm
You're searching for users, but you set the base of the search to:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
That tells it to only return users that are in the Azure Groups OU. I'm guessing that there are no users in that OU. Set the base of the search to the root of the domain (e.g. DC=abc,DC=firm), or just don't set it at all, since that will be the default.
Your first filter is the correct one (which has the full DN of the group).

LDAP query for Windows AD

For authentication in Jitsi Meet, we would like to read out a Windows AD group with an ldap query. Unfortunately our ldap query does not work.
LDAP_URL=ldaps://server.domain.local:636/
LDAP_BASE=DC=domain,DC=local
LDAP_BINDDN=CN=bind_user,OU=Administrative Accounts,OU=Benutzer,DC=domain,DC=local
LDAP_BINDPW=*
LDAP_FILTER= (&(|objectclass=user))(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)
(primaryGroupID=4989))
The error must be due to the filter; it works with the filter LDAP_FILTER = (sAMAccountName =% u).
Can you tell me what is wrong with our query?
A few things stand out to me:
The | in front of objectClass should not be there.
You have two closing parentheses after the objectClass condition, but the second one should be moved to the end of the whole query.
Oddly, objectClass=user will actually end up including other objects than just user accounts (like computer accounts). If you want to filter to only user objects, you have to use both (objectClass=user)(objectCategory=person). But that would only matter if you have other types of objects as members of that group.
Maybe this is just an error with pasting into the question, but there is a line break before (primaryGroupID=
I've never used Jitsi, but it may or may not like the space after LDAP_FILTER=. The other examples I see online don't show a space there.
It should look like this:
LDAP_FILTER=(&(objectclass=user)(objectCategory=person)(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)(primaryGroupID=4989)))
That means: find all user objects that are either members of that group, or have a primary group ID of 4989.

unique x500 object id creation

I am trying to create a unique x500 object id for active directory to extend the schema.
I have been allocated a PEN as per here.
This number is only 5 digits long. In all the examples I have seen, the OID is a lot longer, e.g. 1.2.840.113556.1.8000.999999.
Any links or directions on this would be great.
For anyone else that was slightly lost with this, this is what I have found out.
I was missing the 1.3.6.1.4.1 at the beginning which is global as per the original link in the question.
My OID ended up being 1.3.6.1.4.1.52051.10000.1.1.1

Display all nested groups members of a specific group using LDAP?

I am looking for an LDAP query that would return all groups that are members of a certain LDAP/AD group, including all children.
Imagine this tree: A, A.1, A.2, A.1.1
I want to query A and get: 3 results: A.1, A.2, A.1.1
From my initial research it seems that is related to LDAP_MATCHING_RULE_IN_CHAIN from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx but I wasn't able to figure out the proper syntax for performing the query.
Note: this is a Microsoft Active Directory so the solution doesn't have to be generic.
Not sure from your explanation what you are trying to accomplish, but one of these should work:
Resolves all members (including nested) of security groups (requires at least Windows 2003 SP2)
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
Or to retrieve only users:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET))
-jim
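To make concrete what the 1.2.840.113556.1.4.1941 rule (LDAP_MATCHING_RULE_IN_CHAIN) evaluates in the first thread and in this one, here is an added Python model (not code from any answer above) of the server-side computation: the transitive closure of member links from the group, set beside what a plain memberOf= filter matches. The directory contents, group names and DNs are constructed for the example; the nesting loop is there because AD allows groups to contain each other.

```python
"""Added example (not code from any post above): what an AD server computes for
memberOf:1.2.840.113556.1.4.1941:=<group DN> (LDAP_MATCHING_RULE_IN_CHAIN),
modelled over a small constructed in-memory directory so it runs offline."""

def dn(cn):
    """Build a DN in the constructed example domain."""
    return f"CN={cn},DC=MyDomain,DC=LOCAL"

# Constructed directory: DN -> (objectClass, direct member DNs), mirroring the
# first thread (GroupA > GroupB/GroupG > users) plus a third level (GroupH) and
# a deliberate nesting loop GroupB <-> GroupG, which real AD allows.
DIRECTORY = {
    dn("GroupA"): ("group", {dn("GroupB"), dn("GroupG")}),
    dn("GroupB"): ("group", {dn("alice"), dn("GroupH"), dn("GroupG")}),
    dn("GroupG"): ("group", {dn("bob"), dn("GroupB")}),
    dn("GroupH"): ("group", {dn("carol")}),
    dn("alice"): ("user", set()),
    dn("bob"): ("user", set()),
    dn("carol"): ("user", set()),
    dn("dave"): ("user", set()),          # member of nothing
}

def direct_members(directory, group_dn):
    """What a plain (memberOf=<group DN>) filter matches: one level only."""
    return set(directory[group_dn][1])

def in_chain(directory, group_dn):
    """Transitive closure of member links from group_dn, i.e. every entry that
    (memberOf:1.2.840.113556.1.4.1941:=group_dn) would match.  Tracking visited
    DNs keeps the walk finite even when groups nest in a loop.  Membership held
    only via primaryGroupID is not in member/memberOf and is not found here."""
    seen, todo = set(), [group_dn]
    while todo:
        for member in directory.get(todo.pop(), ("", set()))[1]:
            if member not in seen:
                seen.add(member)
                todo.append(member)       # nested groups are expanded in turn
    return seen

def _of_class(directory, dns, cls):
    return sorted(d for d in dns if directory[d][0] == cls)

def users_in_chain(directory, group_dn):
    """First thread: all user objects under group_dn, however deeply nested."""
    return _of_class(directory, in_chain(directory, group_dn), "user")

def groups_in_chain(directory, group_dn):
    """This thread: all groups nested under group_dn (A.1, A.2, A.1.1 style)."""
    return _of_class(directory, in_chain(directory, group_dn), "group")
```

Running `_of_class(DIRECTORY, direct_members(DIRECTORY, dn("GroupA")), "user")` returns an empty list, which is exactly why a plain memberOf= filter on the parent group in the first thread returned no users.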

Autocomplete Dropdown - too much data, timing out

So, I have an autocomplete dropdown with a list of townships. Initially I just had the 20 or so that we had in the database... but recently, we have noticed that some of our data lies in other counties... even other states. So, the answer to that was buy one of those databases with all towns in the US (yes, I know, geocoding is the answer but due to time constraints we are doing this until we have time for that feature).
So, when we had 20-25 towns the autocomplete worked stellarly... now that there are 80,000 it's not as easy.
As I type I am thinking that the best way to do this is default to this state, then there will be much less. I will add a state selector to the page that defaults to NJ then you can pick another state if need be, this will narrow down the list to < 1000. Though, I may have the same issue? Does anyone know of a work around for an autocomplete with a lot of data?
should I post teh codez of my webservice?
Are you trying to autocomplete after only 1 character is typed? Maybe wait until 2 or more...?
Also, can you just return the top 10 rows, or something?
Sounds like your application is suffocating on the amount of data being returned, and then attempted to be rendered by the browser.
I assume that your database has the proper indexes, and you don't have a performance problem there.
I would limit the results of your service to no more than say 100 results. Users will not look at any more than that any how.
I would also only be retrieving the data from the service once 2 or 3 characters are entered, which will further reduce the scope of the query.
Good Luck!
Stupid question maybe, but... have you checked to make sure you have an index on the town name column? I wouldn't think 80K names should be stressing your database...
I think you're on the right track. Use a series of cascading inputs, State -> County -> Township where each succeeding one grabs the potential population based on the value of the preceding one. Each input would validate against its potential population to avoid spurious inputs. I would suggest caching the intermediate results and querying against them for the autocomplete instead of going all the way back to the database each time.
If you have control of the underlying SQL, you may want to try several "UNION" queries instead of one query with several "OR like" lines in its where clause.
Check out this article on optimizing SQL.
I'd just limit the SQL query with a TOP clause. I also like using a "less than" instead of a like:
select top 10 name from cities where #partialname < name order by name;
so that "Ce" will give you "Cedar Grove" and "Cedar Knolls" but also "Chatham" & "Cherry Hill", and you always get ten.
In LINQ:
var q = (from c in db.Cities
where partialname < c.Name
orderby c.Name
select c.Name).Take(10);