LDAP query to retrieve users from a specific group - ldap

I am trying to write a query to extract the users from an LDAP group. I tried several queries to retrieve the users from a specific group but none of them seem to have worked until now. For example, these are the queries I tried so far. By the way our organization uses Radiant Logic for the LDAP.
(&(uid=*)(cn=groupofUniqueNames=Group_Name,ou=groups,o=trx))
(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=Group_Name,ou=groups,o=trx))
(&(objectclass=groupOfUniqueNames)(cn=Group_Name,ou=groups,o=trx))
(&(objectclass=groupOfUniqueNames)(cn=Group_Name,ou=users,o=trx))
(&(objectCategory=user)(memberOf=CN=Group_Name,ou=groups,o=trx))
(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=Group_Name,ou=groups,o=trx))
(&(objectCategory=group)(cn=Group_Name))
(&(objectClass=groupOfNames)(cn=Group_Name,ou=groups,o=trx))
(&(objectClass=inetOrgPerson)(memberOf=cn=Group_Name,ou=groups,o=trx))
(&(objectClass=user)(uid=johndoe)(memberof=CN=Group_Name,ou=groups,o=trx))

If you want to read member (or memberUid, memberDN) values from the LDAP entry representing the group, the most standard way would be to specify the group entry's DN as the search base DN parameter – not as part of the search filter. That is, the LDAP "search" operation would need these parameters:
Base: cn=Group_Name,ou=groups,o=trx
Scope: BASE
Filter: (objectClass=*)
Attributes: [member]
Alternatively you could search for the entry's relative DN (RDN), which is cn=Group_Name, and hope that it is unique across the directory:
Base: o=trx
Scope: SUBTREE
Filter: (&(objectClass=groupOfNames)(cn=Group_Name))
(You should manually verify whether it's "groupOfNames" or "posixGroup" or something else.)
Attributes: [member]
There is no universally supported way to match an entry's full DN using just the filter alone, although some servers implement that using operational attributes such as entryDN:
Base: o=trx
Scope: SUBTREE
Filter – Active Directory: (distinguishedName=cn=Group_Name,ou=groups,o=trx)
Filter – OpenLDAP: (entryDN=cn=Group_Name,ou=groups,o=trx)
Attributes: [member]
Finally, searching for user objects using memberOf= queries may or may not work depending on the server. Some LDAP servers do automatically maintain the inverse memberOf attributes on user objects; some do not; and in some it's a virtual attribute that can only be read but not matched.
Base: o=trx
Scope: SUBTREE
Filter: (memberOf=cn=Group_Name,ou=groups,o=trx)
Narrowing down by objectClass (standard) or objectCategory (AD-specific) is optional – use it if the group can contain other entries besides users and if you specifically want to ignore them. (Though usually a group can contain other nested groups and you want to chase them recursively, instead of ignoring them.)
Example: (&(objectClass=posixAccount)(memberOf=cn=Group_Name,ou=groups,o=trx))
Attributes: (whatever you need)

Related

ldapsearch - filtering ou in dn

I understand you can't simply filter on dn, but I have something like this:
dc=lvl3,dc=lvl2,dc=lvl1, and someone could have a dn like this:
CN=Last, First,OU=ou1,OU=retired,OU=ou1,DC=lvl3,DC=lvl2,DC=lvl1.
Is there a way I can filter results for those who do not have 'retired' in any ou?
No. Not as an LDAP filter.
You could of course do a search and then sort on the CLient-side.
Generally organization of "characteristics" of users should be done using Attributes and not by the Directory Structure.
Something like:
employeeType=Active
employeeType=Retired
employeeType=etc
To avoid these conditions.
Maybe, but it depends on the server's LDAP implementation.
There is a filter syntax which allows matching against DN attributes (in addition to entry attributes):
(ou:dn:=Retired)
(Within the LDAP specification this is known as the 'dnAttributes' field, part of the 'extensibleMatch' filter type. See RFC 4511 section 4.5.1.7.7)
Not all directory servers support this. For example, OpenLDAP handles it correctly, but Active Directory (MS AD and Samba) will ignore it, behaving as if you used (ou=Retired) instead.
If your server supports this, then a negative match is simply done by wrapping the filter in (!(...)) as you would normally do.
However, in other cases you should either a) use a custom attribute, or b) perhaps check for membership in a global "Active employees" group or something similar.

LDAP Search Wildcards in memberOf

We have an LDAP with a number of groups that follow this pattern:
Acme-MyApp-ABC-Admin
Acme-MyApp-ABC-Bottlewasher
Acme-MyApp-ABC-Cook
Acme-MyApp-DEF-Admin
Acme-MyApp-DEF-Bottlewasher
Acme-MyApp-DEF-Cook
etc repeated many times.
(&(objectClass=person)(memberOf=cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com))
correctly returns members of the Acme-MyApp-ABC-Admin group. We'd like to find members of all of the Admin groups.
(&(objectClass=person)(memberOf=cn=*-Admin,ou=Groups,dc=acme,dc=com))
Is it possible to put a wildcard within a DN?
Generally, Wildcard searches on DN's syntax attributes are not supported.
Some LDAP server implementation may support them. You question is tagged as OpenLDAP but the search filter appears to be more like an AD implementation.
I did find "Question about using an LDAP filter to get memberOf from an AD Group" on TechNet stating, ".. that wildcards are no allowed." (I am assuming he met NOT vs no)
-jim
While I do not think that this can be done with the ldap filter directly. I have faced similar requirements many times and my go to method is as following:
Create a group that encapsles all relevant groups, in your case the admin groups.
Acme-MyApp-Admins
Acme-MyApp-ABC-Admin
Acme-MyApp-DEF-Admin
Then setup a filter based on the recursive membership of that group.
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Acme-MyApp-Admins,ou=Groups,dc=acme,dc=com))
This way you only need to take care that every new admin group is added as a member of the access group, but you do not need to modify the ldap filter.

How to retrieve the ou of the group a user belongs to in LDAP

I have a series of users and groups. Users' DNs can be added to the group's uniquemember attribute. How can I query LDAP such that I send a user dn and it returns to me the OU of the group that user belongs to?
I am doing this based on the LDAP at ldap.forumsys.com.
See the screenshot below:
Thanks.
What you want is a pretty common equality match filter, for example:
(uniquemember=uid=einstein,dc=example,dc=com)
Note, that the value is not quoted. You only need to escape / replace special characters (e.g. parenthesis). More information about LDAP filter syntax can be found in RFC 4515.
Also keep in mind that LDAP filters are very simple and provide only simple value matching (this can be confusing to people used to SQL and complex queries with joins, subselects, functions, etc.).

LDAP query to enumerate of all users of the subgroups of a group

This LDAP query successfully enumerates all users within a group:
memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2.
In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup1, and then make the union.
However, I am asking how I can achieve the same results with only one LDAP query,
asking for all the users within MyGroup1 and sub-groups.
Any idea?
There is no such thing as a subgroup, just groups. The correct term is subordinate,
i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.
Use the following parameters in an LDAP search request:
base object: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
search scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
requested attribute: whichever multi-valued attribute whose value is the distinguished name
of each member of the group
These search request parameters should result in a search result with two entries, the distinguished
of each entry, and the attributes whose values are the distinguished names of the members of each group.
see also
LDAP: Seach best practices
LDAP: Programming practices
If your server is Microsoft Active Directory then you can use some extended rules. One of those rules does basically what you are looking for. Look at this answer.
Try this:
memberof:1.2.840.113556.1.4.1941:=CN=Some Group,OU=My Organization Unit,DC=company,DC=com
Quoting from that answer:
[...] it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN This rule is limited to filters that apply to the DN. This is a special "extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

Regarding LDAP Search Query

Let's suppose that I want to search a number say 123 and LDAP has entries like 123# or 1-2-3. What should be the LDAP Search filter which needs to be provided? I tried *123* but it doesn't work in case of 1-2-3.
LDAP does not have "entries like 123#", it has entries identified by distinguished names that contain attributes. To search for an an entry that contains a value, you must provide the following parameters to a search request:
base object (distinguished name where the search should commence)
scope - base, one level subordinate to the base, or subtree (all entries subordinate to the base object
filter - an assertion that must evaluate to true in order for the entry to be returned to the client
attributes to return - a list of attributes that the LDAP client desires
If the attribute in question is named number and has a syntax of Integer and a matching rule of IntegerMatch, then the filter (number=123) will find an attribute named number with the integer value of 123. Which filter to use depends on the syntax and matching rule in the attribute type definition because the directory server performs the task of matching attribute values against provided filters with matching rules (as must applications, by the way). Programmers must not consider LDAP attribute values to be "strings", instead they must understand attribute syntaxes and matching rules. There is a DirectoryString syntax (with a very specific definition, though for many purposes it can be considered a garden-variety string) but not all attributes are defined with DirectoryString syntax. Nor do all attributes use the same matching rules and ordering rules.
see also
LDAP: ldapsearch
LDAP: Mastering search filters
LDAP: Programming Practices