How to write LDAP query to test if user is member of a group?
I want to write an LDAP query which tests whether a user (sAMAccountName) is a member of a particular group. Is it possible to do that so that I get either 0 or 1 result records?
I guess I can get all groups for the user and test each one for a match but I was wondering if I could pack it into one LDAP expression.
Any ideas?
Thanks
Solution 1:
You should be able to create a query with this filter here:
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
and when you run that against your LDAP server, if you get a result, your user "yourUserName" is indeed a member of the group "CN=YourGroup,OU=Users,DC=YourDomain,DC=com
Try and see if this works!
If you use C# / VB.Net and System.DirectoryServices, this snippet should do the trick:
DirectoryEntry rootEntry = new DirectoryEntry("LDAP://dc=yourcompany,dc=com");
DirectorySearcher srch = new DirectorySearcher(rootEntry);
srch.SearchScope = SearchScope.Subtree;
srch.Filter = "(&(objectClass=user)(sAMAccountName=yourusername)(memberOf=CN=yourgroup,OU=yourOU,DC=yourcompany,DC=com))";
SearchResultCollection res = srch.FindAll();
if(res == null || res.Count <= 0) {
Console.WriteLine("This user is *NOT* member of that group");
} else {
Console.WriteLine("This user is INDEED a member of that group");
}
Word of caution: this will only test for immediate group memberships, and it will not test for membership in what is called the "primary group" (usually "cn=Users") in your domain. It does not handle nested memberships, e.g. User A is member of Group A which is member of Group B - that fact that User A is really a member of Group B as well doesn't get reflected here.
Marc
Solution 2:
If you are using OpenLDAP (i.e. slapd) which is common on Linux servers, then you must enable the memberof overlay to be able to match against a filter using the (memberOf=XXX) attribute.
Also, once you enable the overlay, it does not update the memberOf attributes for existing groups (you will need to delete out the existing groups and add them back in again). If you enabled the overlay to start with, when the database was empty then you should be OK.
Solution 3:
I would add one more thing to Marc's answer: The memberOf attribute can't contain wildcards, so you can't say something like "memberof=CN=SPS*", and expect it to find all groups that start with "SPS".
Solution 4:
You must set your query base to the DN of the user in question, then set your filter to the DN of the group you're wondering if they're a member of. To see if jdoe is a member of the office group then your query will look something like this:
ldapsearch -x -D "ldap_user" -w "user_passwd" -b "cn=jdoe,dc=example,dc=local" -h ldap_host '(memberof=cn=officegroup,dc=example,dc=local)'
If you want to see ALL the groups he's a member of, just request only the 'memberof' attribute in your search, like this:
ldapsearch -x -D "ldap_user" -w "user_passwd" -b "cn=jdoe,dc=example,dc=local" -h ldap_host **memberof**