How to write LDAP query to test if user is member of a group

Question

I want to write an LDAP query which tests whether a user  sAMAccountName  is a member of a particular group  Is it possible to do that so that I get either 0 or 1 result records   I guess I can get all groups for the user and test each one for a match but I was wondering if I could pack it into one LDAP expression   Any ideas   Thanks

User · Answer

You must set your query base to the DN of the user in question, then set your filter to the DN of the group you're wondering if they're a member of. To see if jdoe is a member of the office group then your query will look something like this:

ldapsearch -x -D "ldap_user" -w "user_passwd" -b "cn=jdoe,dc=example,dc=local" -h ldap_host '(memberof=cn=officegroup,dc=example,dc=local)'

If you want to see ALL the groups he's a member of, just request only the 'memberof' attribute in your search, like this:

ldapsearch -x -D "ldap_user" -w "user_passwd" -b "cn=jdoe,dc=example,dc=local" -h ldap_host **memberof**

User · Answer

You should be able to create a query with this filter here     amp  objectClass user  sAMAccountName yourUserName     memberof CN YourGroup OU Users DC YourDomain DC com     and when you run that against your LDAP server  if you get a result  your user  yourUserName  is indeed a member of the group  CN YourGroup OU Users DC YourDomain DC com  Try and see if this works   If you use C    VB Net and System DirectoryServices  this snippet should do the trick   DirectoryEntry rootEntry   new DirectoryEntry  LDAP   dc yourcompany dc com     DirectorySearcher srch   new DirectorySearcher rootEntry   srch SearchScope   SearchScope Subtree   srch Filter      amp  objectClass user  sAMAccountName yourusername  memberOf CN yourgroup OU yourOU DC yourcompany DC com      SearchResultCollection res   srch FindAll     if res    null    res Count  lt   0        Console WriteLine  This user is  NOT  member of that group      else       Console WriteLine  This user is INDEED a member of that group        Word of caution  this will only test for immediate group memberships  and it will not test for membership in what is called the  primary group   usually  cn Users   in your domain  It does not handle nested memberships  e g  User A is member of Group A which is member of Group B - that fact that User A is really a member of Group B as well doesn t get reflected here   Marc

User · Answer

I would add one more thing to Marc s answer  The memberOf attribute can t contain wildcards  so you can t say something like  memberof CN SPS    and expect it to find all groups that start with  SPS

User · Answer

If you are using OpenLDAP  i e  slapd  which is common on Linux servers  then you must enable the memberof overlay to be able to match against a filter using the  memberOf XXX  attribute   Also  once you enable the overlay  it does not update the memberOf attributes for existing groups  you will need to delete out the existing groups and add them back in again   If you enabled the overlay to start with  when the database was empty then you should be OK

[ldap] How to write LDAP query to test if user is member of a group?

Examples related to ldap