How can I use a a search filter to display users of a specific group?
I've tried the following:
(&
(objectCategory=user)
(memberOf=MyCustomGroup)
)
and this:
(&
(objectCategory=user)
(memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)
)
but neither display users of a specific group.
memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:
(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))
If you don't yet have the distinguished name, you can search for it with:
(&(objectCategory=group)(cn=myCustomGroup))
and return the attribute distinguishedName. Case may matter.
For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with less than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.
The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.
If the DC is Win2k3 SP2 or above, you can use something like:
(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com))
to get the nested group membership.
Source: https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
And the more complex query if you need to search in a several groups:
(&(objectCategory=user)(|(memberOf=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
The same example with recursion:
(&(objectCategory=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
Related
Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
How would you express the query for that? I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of (|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Never had to do much with LDAP, so please excuse the somewhat open-ended question.
Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
These are not the valid distinguishedName for user objects.
User objects are stored in some parent container (like OUs), and their distinguishedName starts with CN. OUs are top level containers which contain child objects like users, computers, child OUs, etc.
I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of
(|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Your filter didn't work because you didn't select the appropriate filtering conditions. You need to apply the filter for (objectCategory=person) or (objectCategory=user). You can also use objectClass as the filtering parameter instead of objectCategory. Check the link Filter on objectCategory and objectClass to know in detail.
How would you express the query for that?
Assuming your users are as below:
CN=Firstname lastname,OU=IT Dept,OU=Groups,DC=mycompany,DC=com
CN=Firstname lastname,OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
Then your LDAP query should have SearchBase set to what you currently have (OU=Groups,DC=mycompany,DC=com), and filter on (|(objectCategory=person)(objectCategory=user)) and any additional filter if you'd like, e.g., you may want to search by sAMAccountName, name, etc.
As highlighted in the second para, you can also use objectClass as the filter type to get the desired result.
I try to get all users "memberOf" all groups begining with "JE_"
I know that I cannot do the following:
memberOf=CN=JE*,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
But all the JE_* are located under a knot called "JE". Is it possible to get all users memberOf the groups located under the knot "JE"?
yes but you need to approach the problem differently. Rather than search against the user object you should search against teh group object with the user's DN.
For example, consider the user
cn=dave,OU=user,DC=subd,DC=dom,DC=net
The user is a member of several JE* groups.
CN=JE_1,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
CN=JE_2,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
CN=JE_3,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
In order to find the JE* groups to which the user belongs search for groups with a base of OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net and a search filter of
(&(objectclass=group)(member=cn=dave,OU=user,DC=subd,DC=dom,DC=net))
That will return all of the JE* group objects that contain the user in question. Ensure to specify that you only want the group name returned as an attribute otherwise all of the members will be returned too. Not a problem if there are only a handful but it might be a nuisance if there are thousands.
I am looking for an LDAP query that would return all groups that are members of a certain LDAP/AD group, including all children.
Imagine this tree: A, A.1, A.2, A.1.1
I want to query A and get: 3 results: A.1, A.2, A.1.1
From my initial research it seems that is related to LDAP_MATCHING_RULE_IN_CHAIN from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx but I wasn't able to figure out the proper syntax for performing the query.
Note: this is a Microsoft Active Directory so the solution doesn't have to be generic.
Not sure from your explanation what you are trying to accomplish, but One of these should work:
Resolves all members (including nested) security groups (requires at least Windows 2003 SP2)#
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
Or to retrieve only users:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
-jim
I would like to write a search filter which would help me retrieve all groups which a user is part of.
For instance:
Say I am retrieving entries for user A (which is part of group A). And group A may be part of group B and group D which in turn may be part of group E.
Now, my search filter should return me MemberOf attribute as all possible groups which user A is part of (in this specific case it is Group A, B, D, E).
Any pointers on how the search filter can look like?
This should do what you are asking about. It will return the FDN of each group the user is a memberOf, however, this queries the group, not the user.
As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.
(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))
-jim
There is an attribute called tokenGroups in user object. It's a constructed attributes calculated by Active Directory on the runtime. It includes all the groups the user object belong to.
Make sure your domain has a Global Catalog and make sure the account that you are using Pre-Windows 2000 Compatible Access group. Then, make sure tokenGroups is specified as one of the returned property. Do a base scope search on the user object.
You can use adfind.exe (joeware) to sort out this issue and to utilize standard ldap filters that are described here. For example:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Group nesting is specified to be like this:
(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
and if you use adfind, then it would look like this:
adfind -f "(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)" samaccountname -list
If you want to have output other than samaccountname, for example displayname, or mail attribute, just add to the list. Also if you want to search multiple users, then you might want to have inputfile containing all users and some script to extract each lines to adfind for example.
I have a scheme that looks like this:
Users exist like UserA, UserB, UserC.
Groups exist like OverGroup, SubGroup.
OverGroup automatically adds new users like UserA, UserB, etc. to its membership.
SubGroup I created myself. I have set OverGroup to be a member of SubGroup.
I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:
Values:
CN=OverGroup,OU=Groups,DC=example,DC=com
but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:
Values:
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com
Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)
Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?
Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.
Here is an example of how to retrieve all users in a group, including nested groups:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
where {0} is the DN of the parent group.
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=MPV_BedPlacement,OU=Security Groups,OU=Groups,OU=CCHCS,DC=CCHCS,DC=LDAP))
You have to add the full DN for the group and no curly braces.