Listing group members using ldapsearch

Our corporate LDAP directory is housed on a Snow Leopard Server Open Directory setup. I'm trying to use the ldapsearch tool to export an .ldif file to import into another external LDAP server to authenticate with externally; basically trying to be able to use the same credentials internally and externally.

I've got ldapsearch working and giving me the contents and attributes of everything in the "Users" OU, and even filtering down to only the attributes I need:

ldapsearch -xLLL -H ldap://server.domain.net \
 -b "cn=users,dc=server,dc=domain,dc=net" objectClass \
 uid uidNumber cn userPassword > directorycontents.ldif

That gives me a list of users and properties that I can import to my remote OpenLDAP server.

dn: uid=username1,cn=users,dc=server,dc=domain,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
uidNumber: 1000
uid: username1
userPassword:: (hashedpassword)
cn: username1

However, when I try the same query on an OD "group" instead of a "container," the results are something like this:

dn: cn=groupname,cn=groups,dc=server,dc=domain,dc=net
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject
objectClass: top
gidNumber: 1032
cn: groupname
memberUid: username1
memberUid: username2
memberUid: username3

What I really want is a list of users from the top example filtered based on their group memberships, but it looks like membership is set from the Group side, rather than the user account side. There must be a way to filter this down and only export what I need, right?


Solution 1:

I work with LDAP, but not that specific brand of server.

First thing I'd try is a search on users pulling all of their attributes instead of restricting it the way your example does.

ldapsearch -xLLL -H ldap://server.domain.net \
    -b "cn=users,dc=server,dc=domain,dc=net" uid=username1 \* +

Often there's a "memberOf" attribute on the user that lists the group name or group DN for groups that a user is in, kept in sync with the information in the group. If that's there, that is the easiest way to do what you want.

The * will grab all user attributes (the default behavior) and the + will grab all operational attributes (special attributes).

Solution 2:

ldapsearch -x \
-b "cn=<your group name>,ou=group,dc=<your org>,dc=com" \
-H ldaps://<ldap server>:<port>

This works very well.
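Putting the two halves together, as an added example that is not part of the original question or answers: read the group entry's memberUid values, build a user-side filter from them, and export only those user entries. The server URI, base DN and attribute list are the ones from the question; memberUid values are escaped before being placed in the filter so a value containing filter metacharacters cannot change what the search matches.

```shell
# Added example, not from the original post. Assumes the server and base DN
# used in the question; memberUid values are read from the group entry.
LDAP_URI='ldap://server.domain.net'
BASE='dc=server,dc=domain,dc=net'

# Escape one filter value per RFC 4515 so a memberUid containing
# '\', '*', '(' or ')' cannot change the structure of the search filter.
ldap_filter_escape() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read a group's LDIF on stdin and emit (|(uid=a)(uid=b)...) for its
# memberUid values; returns 1 when the group lists no members, so the
# caller never runs an invalid "(|)" filter. Lines are assumed unfolded
# (ldapsearch only folds values longer than 76 characters).
members_to_filter() {
    filter=''
    while IFS= read -r line; do
        case $line in
            'memberUid:: '*) uid=$(printf '%s' "${line#memberUid:: }" | base64 -d) ;;
            'memberUid: '*)  uid=${line#memberUid: } ;;
            *) continue ;;
        esac
        filter="$filter(uid=$(ldap_filter_escape "$uid"))"
    done
    [ -n "$filter" ] || return 1
    printf '(|%s)\n' "$filter"
}

# Two queries against the server (not run here): fetch the group's members,
# then export only those user entries with the attributes the question keeps.
export_group_members() {
    f=$(ldapsearch -xLLL -H "$LDAP_URI" -b "cn=$1,cn=groups,$BASE" memberUid |
        members_to_filter) || return 1
    ldapsearch -xLLL -H "$LDAP_URI" -b "cn=users,$BASE" "$f" \
        objectClass uid uidNumber cn userPassword
}

# Constructed sample: the group entry shown in the question.
SAMPLE_GROUP_LDIF='dn: cn=groupname,cn=groups,dc=server,dc=domain,dc=net
objectClass: posixGroup
gidNumber: 1032
cn: groupname
memberUid: username1
memberUid: username2
memberUid: username3'

printf '%s\n' "$SAMPLE_GROUP_LDIF" | members_to_filter
```

Run `export_group_members groupname > groupmembers.ldif` against the live server to get the same LDIF shape as the question's first export, restricted to that group's members.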