Is there a filter in LDAP that would let me filter out users that don't have a groupMembership? I can find information on filtering by group, but I'd like to say "if a user is not in any groups, then don't include them".
That would be something like: (&(objectClass=person)(!(groupMembership=*))). That just asks for all users where groupMembership is not present. Assuming groupMembership is a backlinked attribute on the user.
Not all directories store a static attribute on the user for each group they are a member of.
eDirectory for example stores Member on the Group, listing the users who are members. It stores GroupMembership on the user, listing all the groups the user is a member of.
Active Directory on the other hand stores Member on the Group but does not statically store the group membership data on the User. Rather it defines a dynamic attribute on the user, called MemberOf, that is evaluated, each time you query for the attribute.
That is, when you ask AD for the value of that attribute, it does an LDAP query in the background that is functionally something like (&(objectClass=Group)(Member=cn=MyUser,ou=MyOU,dc=domain,dc-local))
Thus the attribute is MemberOf, but I am not certain that a query for (!(memberOf=*)) would work, since that implies doing that implicit query on every object, which could be painful.
Related
My question is very similar to how to get groups of a user in ldap but I want to be able to search a group whose member has attribute foo with value bar
ie, from the previous question instead of doing (&(objectClass=groupOfNames)(member=cn=root,ou=django,dc=openldap))
I want to do something like
(&(objectClass=groupOfNames)(member=sn=bar))
but it seems only the full DN can be used for such query. Is there another way to find groups for user matching a pattern?
Since memberOf is available to you, you can search for the users instead of the groups:
(&(objectClass=person)(sn=bar))
(You might have to change the objectClass depending on what it is for users. I'm used to Active Directory, not OpenLDAP.)
Then you can read the memberOf attribute of the users you find.
Update: If you just want to find members of that group with that attribute then you can do it in one query by using memberOf in the query, and looking for the DN of the group:
(&(objectClass=person)(sn=bar)(memberOf=CN=MyGroup,DC=whatever))
New to LDAP. The way our LDAP is arranged is People and groups. The people have user information such as name, uid, and mail. The groups have group name and multiple member field which has value like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.
Currently starting with userid and password, doing two searches:
1) Get user by searching on People base domain on uid=value. Then from the user get the first and last name.
2) Search on Groups base domain based on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to the group name field.
Am just wondering is there way to do all this in one search or are two searches necessary?
Unfortunately you cannot do what would like in one operation.
Also, what you are doing will not always work. Instead of retrieving the users first and last name you should retrieve their distinguished name (dn attribute) and do your group search based on that. First and last names can be modified within LDAP and can happen due to marriage / divorce / etc.
It is possible, provided that you implement a Reverse Group Membership Maintenance Overlay.
To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.
The memberof overlay updates an attribute (by default memberOf)
whenever changes occur to the membership attribute (by default member)
of entries of the objectclass (by default groupOfNames) configured to
trigger updates. Thus, it provides maintenance of the list of groups
an entry is a member of, when usual maintenance of groups is done by
modifying the members on the group entry.
You may find this Server Fault post useful for a how to.
Once you have memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entries, but just once, so that all members entries can be provisioned with the corresponding group dn in their respective memberOf attribute.
Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get group dn's.
Is it possible to return the SaMAccountAttribute of members along with the distinguished name when querying the members of a group?
I have the query (&(objectCategory=group)(cn=group)) but it just returns the distinguished names of each user. I'm trying to avoid having to query each user just to get the needed attribute.
Nope it is not possible natively. That is the way the LDAP protocol works.
There is no join between requests.
Another approach could be :
Retrieve the DN of the group corresponding to the filter (&(objectCategory=group)(cn=group))
Search for all the users with a filter like : (&(objectClass=user)(memberof=<GROUP DN>)) and retrieve the samAccountName attribute only.
You will have the attribute you need, and every entry returned by a LDAP search should be accompanied by its DN.
I am new to LDAP (AD) and I wonder how can I retrieve all users of a group if the users itself doesn't have the "memberof" attribute (which should link to the group I think)?
Following LDAP Structure
- Users
- UserA (memberof=Group1)
- UserB (memberof=Group1,memberof=Group2)
- UserN ...
- Groups
- Group1 (member=UserA,member=UserB)
- Group2 (member=UserB)
- GroupX ...
- AppGroups
- App1 (member=UserA,member=UserB)
- AppX ...
So how can I query only the users which are members of App1 group from AppGroups if the users don't have the attributes memberof for this group?
I am trying to achive this with Alfresco. Querying the groups is no problem but I can't find a way to also sync the users (and only the users of the group App1)?
Thank you in advance!
You can either form a query that asks the server to retrieve all users whose memberof attribute contains your group's distinguished name, or, you can turn the logic around and ask the server to give you the member attribute of the group. The member attribute on a group contains all members' distinguished names. You can then obtain additional information about the users by reading the objects one-by-one.
Performance-wise, this is much slower, but if there is no memberof attribute on the users themselves, this might be the only option for you.
The 'memberOf' attribute is supported by the memberOf overlay, if:
you have configured it
you have modified the memberships of this DN since you installed the overlay. It isn't retrospective.
What is the search filter to list users belong to specific group like "engineering" in a ldap server which don't have backlink enabled.
For example, if backlink enabled i can use following filter,
(&(objectClass=person)(memberOf=cn=engineering,ou=Groups,o=company,o=com))
Wanted to know corresponding search query without using memberOf attribute.
Thanks
DarRay
Try your filter as:
(&(objectClass=group)(cn=engineering))
using a base of
ou=Groups,o=company,o=com
and a scope of subtree
Returning attribute "member"
Or even more efficient:
(objectClass=group)
With a base of
cn=engineering,ou=Groups,o=company,o=com
and a scope of base
Returning attribute "member"
-jim
The main question is: How are the users linked to groups?
One way is by specifying the users as attributes in the group. That can be done either via the uniqueMember- or the memberUid-Attribute. To find the users of a certain group you will have to use two queries. One query will retrieve the DNs or UIDs of the users of a group by fetching the uniqueMember or memberUid attribute of the group in question depending on your setup. Then you can retrieve the users by either using (&(objectclass=person)(uid=<uid>)) or (&(objectclass=person)(dn=<dn>)).
The other way is by storing the grous as attributes in the user, which you described above.
Hope that helps.