Retrieving group membership in LDAP - ldap

I am using a sample LDAP which is available online here.
I want to retrieve a user's group membership given their uid. In the example, Gauss (uid=gauss) is a member of the Mathematicians group (ou=mathematicians,dc=example,dc=com).
I tried several LDAP queries but I cannot seem to find the one that returns me the ou=mathematicians given the uid.
There are a lot of similar answers on SO but none seem to fit this very simple use case.
Thanks,
David.

You won't be able to retrieve the group membership by simply using the uid as the groupmemberships are stored using the uniqueMember-attribute which requires a complete DN as value. Therefore you'll have to use a searchfilter like uniqueMember=uid=gauss,dc=example,dc=com.
You might think "that's great, so I just add uid=gauss to the baseDN and I'm finished". You might not always have luck with that as it's not defined that users have to be located right in the baseDN. They might be distributed acros the complete LDAP-tree and then it's going to be tough. But when you already have searched for the user (IE for binding) you got the DN back "for free" so you can use that on.
Hope that helps!

Not sure if I get right what you want to do, but retrieving group membership is done by a filter similar to this one:
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=<<<USER-DN>>>))
I always pull the user dn with a seperate search:
(&(objectCategory=person)(objectClass=user)(samaccountname=<<<USER LOGON NAME>>>))
I don't know if uid, dn and samaccountname can be used in every filter interchangeable, but try it with uid=<<>> instead.
See this article for details : https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Related

row-level security based on logged in user's team

Is there a way to use a big query logged in user's other attributes (example: team) to restrict the rows in a table. Currenlty we have a row level security like below where in which we are making use of the native function session_user().
Looking to see if we could get something like session_team(). A different BQ Table has the user-team mapping.
CREATE OR REPLACE ROW ACCESS POLICY example_policy
ON dataset.tablename
GRANT TO ("group:groupname-group#company.com")
FILTER USING (employee_email <> session_user())
Are you perhaps referring to this cloud.google.com/bigquery/docs/… Use case is using the session_user() function. It is similar to the query you have posted.
But for group you can review this use case that uses the region as group. Possibly can be implemented with the group that similar to your use case.
Diagram in the documentation for reference:

LDAP limit user search on specific OUs

I have been wondering whether it is possible to limit OUs in search base. This is how my hierarchy looks like:
Now, my search base is: dc=prod,dc=prod,dc=co
Is there possibility to limit user search only to these:
OU=PROD,OU=SYS
OU=PROD,OU=Int
OU=UNIX
I'm a noob in this area, would be really welcome if someone could help.
Not sure if it is possible to use userSearchBase for multiple OUs (so far I understood that it is not possible, although for sssd I saw example which works)
I think some user search filter might do it but wasn't really successful unfortunately
Yes, you can limit the search base to multiple or single OU's.
Ranger does accept multiple search bases, for example:-
OU=PROD,OU=SYS,dc=prod,dc=prod,dc=co;OU=PROD,OU=Int,dc=prod,dc=prod,dc;OU=UNIX,dc=prod,dc=prod,dc=co
Few thing to note, it has to be separated by ";" and it needs full path including "dc" values.

LDAP Search Wildcards in memberOf

We have an LDAP with a number of groups that follow this pattern:
Acme-MyApp-ABC-Admin
Acme-MyApp-ABC-Bottlewasher
Acme-MyApp-ABC-Cook
Acme-MyApp-DEF-Admin
Acme-MyApp-DEF-Bottlewasher
Acme-MyApp-DEF-Cook
etc repeated many times.
(&(objectClass=person)(memberOf=cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com))
correctly returns members of the Acme-MyApp-ABC-Admin group. We'd like to find members of all of the Admin groups.
(&(objectClass=person)(memberOf=cn=*-Admin,ou=Groups,dc=acme,dc=com))
Is it possible to put a wildcard within a DN?
Generally, Wildcard searches on DN's syntax attributes are not supported.
Some LDAP server implementation may support them. You question is tagged as OpenLDAP but the search filter appears to be more like an AD implementation.
I did find "Question about using an LDAP filter to get memberOf from an AD Group" on TechNet stating, ".. that wildcards are no allowed." (I am assuming he met NOT vs no)
-jim
While I do not think that this can be done with the ldap filter directly. I have faced similar requirements many times and my go to method is as following:
Create a group that encapsles all relevant groups, in your case the admin groups.
Acme-MyApp-Admins
Acme-MyApp-ABC-Admin
Acme-MyApp-DEF-Admin
Then setup a filter based on the recursive membership of that group.
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Acme-MyApp-Admins,ou=Groups,dc=acme,dc=com))
This way you only need to take care that every new admin group is added as a member of the access group, but you do not need to modify the ldap filter.

How to retrieve the ou of the group a user belongs to in LDAP

I have a series of users and groups. Users' DNs can be added to the group's uniquemember attribute. How can I query LDAP such that I send a user dn and it returns to me the OU of the group that user belongs to?
I am doing this based on the LDAP at ldap.forumsys.com.
See the screenshot below:
Thanks.
What you want is a pretty common equality match filter, for example:
(uniquemember=uid=einstein,dc=example,dc=com)
Note, that the value is not quoted. You only need to escape / replace special characters (e.g. parenthesis). More information about LDAP filter syntax can be found in RFC 4515.
Also keep in mind that LDAP filters are very simple and provide only simple value matching (this can be confusing to people used to SQL and complex queries with joins, subselects, functions, etc.).

LDAP query to enumerate of all users of the subgroups of a group

This LDAP query successfully enumerates all users within a group:
memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2.
In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup1, and then make the union.
However, I am asking how I can achieve the same results with only one LDAP query,
asking for all the users within MyGroup1 and sub-groups.
Any idea?
There is no such thing as a subgroup, just groups. The correct term is subordinate,
i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.
Use the following parameters in an LDAP search request:
base object: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
search scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
requested attribute: whichever multi-valued attribute whose value is the distinguished name
of each member of the group
These search request parameters should result in a search result with two entries, the distinguished
of each entry, and the attributes whose values are the distinguished names of the members of each group.
see also
LDAP: Seach best practices
LDAP: Programming practices
If your server is Microsoft Active Directory then you can use some extended rules. One of those rules does basically what you are looking for. Look at this answer.
Try this:
memberof:1.2.840.113556.1.4.1941:=CN=Some Group,OU=My Organization Unit,DC=company,DC=com
Quoting from that answer:
[...] it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN This rule is limited to filters that apply to the DN. This is a special "extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.