LDAP command to delete all users attached to a group - ldap

Is there any LDAP command to delete all users attached to a specific group. Assume there are user1,user2,user3 assigned to group G1 . I want to delete all the users attached to group G1

Users are not attached to a group, entries are members of a group. To delete all entries that are members
of a group, execute a search that will return all of distinguished names that are members of the group:
make the base object of the search the distinguished name of the group
use (&) or (objectClass=*) for the filter. Some directory servers, for example Sun DSEE in certain
versions fail to properly parse the filter (&)
use base for the search scope
request the attribute type whose values are the distinguished names of the members of the groups. This varies,
but could be something like uniqueMember
Then, transmit a delete request for each distinguished name returned from the above search.
Some servers support referential integrity, if so, the members of the group will be deleted
at the same time as the entries are deleted.
See also
LDAP: Programming Practices
LDAP: Search best practices

Related

Searching for a user and associated groups on LDAP in one search

New to LDAP. The way our LDAP is arranged is People and groups. The people have user information such as name, uid, and mail. The groups have group name and multiple member field which has value like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.
Currently starting with userid and password, doing two searches:
1) Get user by searching on People base domain on uid=value. Then from the user get the first and last name.
2) Search on Groups base domain based on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to the group name field.
Am just wondering is there way to do all this in one search or are two searches necessary?
Unfortunately you cannot do what would like in one operation.
Also, what you are doing will not always work. Instead of retrieving the users first and last name you should retrieve their distinguished name (dn attribute) and do your group search based on that. First and last names can be modified within LDAP and can happen due to marriage / divorce / etc.
It is possible, provided that you implement a Reverse Group Membership Maintenance Overlay.
To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.
The memberof overlay updates an attribute (by default memberOf)
whenever changes occur to the membership attribute (by default member)
of entries of the objectclass (by default groupOfNames) configured to
trigger updates. Thus, it provides maintenance of the list of groups
an entry is a member of, when usual maintenance of groups is done by
modifying the members on the group entry.
You may find this Server Fault post useful for a how to.
Once you have memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entries, but just once, so that all members entries can be provisioned with the corresponding group dn in their respective memberOf attribute.
Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get group dn's.

Returning SaMAccount of members of a group

Is it possible to return the SaMAccountAttribute of members along with the distinguished name when querying the members of a group?
I have the query (&(objectCategory=group)(cn=group)) but it just returns the distinguished names of each user. I'm trying to avoid having to query each user just to get the needed attribute.
Nope it is not possible natively. That is the way the LDAP protocol works.
There is no join between requests.
Another approach could be :
Retrieve the DN of the group corresponding to the filter (&(objectCategory=group)(cn=group))
Search for all the users with a filter like : (&(objectClass=user)(memberof=<GROUP DN>)) and retrieve the samAccountName attribute only.
You will have the attribute you need, and every entry returned by a LDAP search should be accompanied by its DN.

LDAP SQL Extraction - "If" in AD group extract email

I have an OU with users within. I want to extract all the emails of those users. I'm using Softerra LDAP explorer. It seems that the extract option doesn't allow to do this "the easy way". So I'm looking at an SQL command to do this.
"cn=xxxx,ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net" this is a user. The email is in the "email" field.
The group is here: "CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net"
What command should allow extracting all "email" fields for only users within the group "group" ?
Would be very helpful
It depends on what is the entry
CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net
As you suggest by :
only users within the group "group"
It is a group with members, and a cross reference (ie. on each user entry you have a kind of memberOf attribute which contains the dn of the groups he is in)
Then you can search all users which match the filter :
(memberOf=CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net) and retrieve the mails attributes
If the directory you use does not maintain group membership, you will have to retrieve the users members DN, and make another request to retrieve the mails attributes of all these members
As you suggest by :
I have an OU with users within
It is a branch and all the users you want to retrieve are under this branch
Then you just have to search all the users under the subtree corresponding to this branch and retrieving the mails attributes.

How to list users which belongs to specific group in ldap without backlink enabled

What is the search filter to list users belong to specific group like "engineering" in a ldap server which don't have backlink enabled.
For example, if backlink enabled i can use following filter,
(&(objectClass=person)(memberOf=cn=engineering,ou=Groups,o=company,o=com))
Wanted to know corresponding search query without using memberOf attribute.
Thanks
DarRay
Try your filter as:
(&(objectClass=group)(cn=engineering))
using a base of
ou=Groups,o=company,o=com
and a scope of subtree
Returning attribute "member"
Or even more efficient:
(objectClass=group)
With a base of
cn=engineering,ou=Groups,o=company,o=com
and a scope of base
Returning attribute "member"
-jim
The main question is: How are the users linked to groups?
One way is by specifying the users as attributes in the group. That can be done either via the uniqueMember- or the memberUid-Attribute. To find the users of a certain group you will have to use two queries. One query will retrieve the DNs or UIDs of the users of a group by fetching the uniqueMember or memberUid attribute of the group in question depending on your setup. Then you can retrieve the users by either using (&(objectclass=person)(uid=<uid>)) or (&(objectclass=person)(dn=<dn>)).
The other way is by storing the grous as attributes in the user, which you described above.
Hope that helps.

Suborganizations and Unique id

I can succesfully authenticate my application with ApacheDS
But now i use only one domain.
I want to add subdomains or sub organizations under root domain.
For example a root organization as
dc=example,dc=com
and sub organizations dc=x
another sub organization dc=y
Now i can authenticate users using uid attribute
like:
user-search-filter="(uid={0})"
i use login name like user1, without an # extension
But i want to have suborganizations and i want to use user1#x.example.com
Is it possible and how?
My application is a spring application but i think subject is independent from my application side.
The attribute defined in the LDAP standards track for email addresses is mail, rfc822mailbox, or 0.9.2342.19200300.100.1.3 as defined in RFC4524. Perhaps your filter should be an attribute assertion using one of those types, for example, user-search-filter="mail={0}".
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a mail attribute if the entry belongs to an objectClass that allows or requires the mail attribute. In other words, if your filter is mail={0} (which might become mail=user1#x.example.com), then a search using that filter (given the appropriate base object and scope) will return all entries that have a mail attribute with the value user1#x.example.com irrespective of where that user is located and irrespective of the value of the uid attribute.
If the users in an organization can identified some other way, perhaps by organization or other attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the users' entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (uid=abc,dc=x,dc=example,dc=com) but attributes in the entry can be used to tighten the filter. Some alternatives are:
use unique identifiers (all uid or mail values are unique in the database, therefore, only one is ever returned to a search request)
use an attribute to identify users in an organization (like o in the example filters above)
use a dynamic group to generate a list of users in an organization.
consider using an extensible match filter to make values in the distinguished names be part of the filtering process
see also
using ldapsearch - the article is about the ldapsearch command line tool, but the concepts are useful when constructing search requests
mastering search filters