How to find all the groups the user is a member? (LDAP)
I am trying to get all the groups that a certain user is a member of.

I have the following structures in ldap:

o=myOrganization
     ou=unit1
         cn=admin
         cn=guess

and

ou=users
    cn=ann
    cn=bob
    cn=carla

  • myOrganization is an instance of Organization
  • unit1 is an instance of OrganizationUnit
  • admin and guess are both GroupOfNames and have everyone as a member
  • ann, bob, and carla are instances of Person

Currently, I am using the ldap module on python and this is what I have:

import ldap
l = ldap.initialize("ldap://my_host")
l.simple_bind_s("[my_dn]", "[my_pass]")
ldap_result = l.search("[BASE_DN]", ldap.SCOPE_SUBTREE, "(&(objectClass=Person)(cn=ann))", None)
res_type, data = l.result(ldap_result, 0)
print(data)

And I am able to get the user ann, but how do I go about getting the groups ann belongs to?

I tried the following from this page:

search_filter = '(|(&(objectClass=*)(member=cn=ann)))'
results = l.search_s("[BASE_DN]", ldap.SCOPE_SUBTREE, search_filter, ['cn'])

But I got an empty list. I also tried various combinations of queries, but they all return empty.

PS: I am using OpenLDAP on a Linux machine.

Caesarea answered 24/10, 2016 at 18:37 Comment(6)
"I tried the following from this page... But had no success." How, exactly, was the listed query unsuccessful? Empty results? Error message? Wirth
Also, are you only looking for groups in which ann is a direct member? (What if ann is a member of a group which is itself a member of another group?) Wirth
Are you using Windows / Active Directory? If you are, I would suggest using the pyad package. I know that it's not particularly helpful to your exact question, but I've found pyad to be a much nicer interface than python-ldap. This would be as simple as user.get_membersOf(), which also allows you to specify a scope and whether or not to include subgroups recursively. Euhemerize
@JohnGordon I get an empty list when I run the query from the website, and I am only looking for direct members. I will update my question to make it clearer. Caesarea
@Euhemerize I am using OpenLDAP on a Linux machine. Caesarea
I know you specify OpenLDAP, but in case it might help someone else, as I struggled very long because of it... With Active Directory you need the distinguishedName all along to get the users with a given membership with such a search_filter... I ultimately found this Q&A that says the same: #6196312 Bamby

member=cn=ann is not enough. You have to use ann's full DN, probably something like this:

member=cn=ann,ou=users,dc=company,dc=com
Wirth answered 24/10, 2016 at 19:5 Comment(1)
That worked! Another thing that I had to change was (objectClass=Person) to (objectClass=groupOfNames). Caesarea
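A worked version of the answer, added here and not taken from the question or the answer: it first resolves the user's full DN, then searches for groupOfNames entries whose member attribute holds that DN, escaping both the cn and the DN per RFC 4515 so that the name typed in (or a DN that happens to contain '(' or '*') cannot change the filter's structure. Host, base DN and bind credentials are placeholders as in the question; the connection object is passed in as a parameter, and referral entries (dn of None) that search_s can return are skipped.

```python
# Added example (not the asker's or answerer's code). The LDAP connection is
# passed in, so any object with a python-ldap style search_s() works.
try:
    import ldap
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:          # python-ldap not installed: same numeric value
    SCOPE_SUBTREE = 2

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally, never parsed."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def find_user_dn(conn, base_dn, cn):
    """Return the DN of the Person entry with the given cn, or None."""
    flt = "(&(objectClass=Person)(cn=%s))" % escape_filter_value(cn)
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["cn"])
    dns = [dn for dn, _attrs in hits if dn is not None]   # skip referrals
    return dns[0] if dns else None


def find_groups_of_dn(conn, base_dn, user_dn):
    """Return the cn of every groupOfNames listing user_dn as a direct member.
    The member value must be the full DN, as the answer explains."""
    flt = "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["cn"])
    # python-ldap returns attribute values as bytes
    return [attrs["cn"][0].decode() for dn, attrs in hits if dn is not None]


def groups_of_user(conn, base_dn, cn):
    """Two-step lookup: cn -> DN -> groups. Returns [] if the user is unknown."""
    user_dn = find_user_dn(conn, base_dn, cn)
    if user_dn is None:
        return []
    return find_groups_of_dn(conn, base_dn, user_dn)


if __name__ == "__main__":
    conn = ldap.initialize("ldap://my_host")        # placeholders, as in the question
    conn.simple_bind_s("[my_dn]", "[my_pass]")
    print(groups_of_user(conn, "[BASE_DN]", "ann"))
```

Nested membership (a group that is itself a member of another group) is not followed; only direct members are returned.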
