how to get groups of a user in ldap

S

5

8

i am using openldap with phpldapadmin, and i'm trying to check what are the groups of a certain user. this is my scheme ...

this is what i tried, but it didn't work

docker-compose exec openldap ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "cn=root,ou=django,dc=openldap" '(&(objectClass=*)(member=cn=superuser,ou=groups,dc=openldap))'

PS: i'm new to ldap, this is the image i'm using

Sixfooter answered 14/7, 2018 at 17:47 Comment(0)

S

11

There are tons of literature on LDAP and queries, that explain how to search for groups, with examples.

First the baseDN (-b) should be the top of your hierarchy: dc=openldap.

Second, you're searching from groups, so the filter should include (objectclass=groupOfNames)

Finally, you're searching for the groups a user is member of, and the filter should be (member=cn=root,ou=django,dc=openldap)

The resulting query is then:

ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "dc=openldap" '(&(objectClass=groupOfNames)(member=cn=root,ou=django,dc=openldap))'

This will return the group entries. If you are only interested in the name, add dn at the end of the query.

Schoolhouse answered 20/7, 2018 at 9:19 Comment(4)

groups is an ou that i greated .. why should i add this ? objectclass=groupOfNames – Sixfooter 21/7, 2018 at 9:44

If you search under ou=groups, with a subtree scope, for all entries, the ou=groups entry will be returned. If you just want the groups, you need to specify a proper filter such as (objectclass=groupOfNames) (or whatever objectClass value used for your groups). – Schoolhouse 5/4, 2019 at 8:52

Could you link to some decent literature on LDAP and queries – Headroom 5/8, 2021 at 8:45

The bible is and remains "Understanding and Deploying LDAP Directory Services, 2nd Edition" by Tim Howes, Mark Smith and Gordon Good. It's old but still relevent – Schoolhouse 20/9, 2021 at 5:46

D

6

To get groups of user for user1 this search filter should be enough:

(&(memberUid=user1))

However note that group search attrribute may be different based on open ldap configuration. It can be member, uniqueMember, memberUid etc

Disinter answered 3/5, 2020 at 21:0 Comment(1)

memberUid is an attribute of the posixGroup. Not all groups are posixGroup. But with posixGroup, the suggested filter is the simplest one. – Schoolhouse 25/5, 2023 at 16:24

I

3

Not sure why the accepted answer does not work for me. And the command works for me is:

ldapsearch -H "ldap://$server" -x -D "$user" -w "xxxx" -b "baseDN"  "(cn=notMe)" memberof

Iggy answered 18/11, 2021 at 8:23 Comment(1)

replace the notMe with your own info. – Iggy 18/11, 2021 at 8:24

W

0

Other variants of LDAP may require you to use:-b ou=Group,dc=example,dc=com

ldapsearch -h ldap -D cn=admin,dc=example,dc=com -x -w password -b ou=Group,dc=example,dc=com -s sub '(&(objectClass=groupOFNames)(memberuid=user1))' DN

Windbreak answered 21/1, 2021 at 14:6 Comment(1)

Please have a read of this help page about how to format code properly. – Mischance 23/1, 2021 at 3:44

H

0

In our LDAP, instead of groupOfNames/member I had to use groupOfUniqueNames/uniqueMember. The query is then:

ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "dc=openldap" '(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=root,ou=django,dc=openldap))'

Harpole answered 13/6, 2023 at 10:17 Comment(0)

Recommended topics

Hot tags