
LDAP Library: python-ldap

I am trying to query a security group with around 1,000 users to get the list of members. These are my search preferences I am using to query a security group.

Filter: (&(objectCategory=Group)(distinguishedName=cn=SomeGroup,dc=foo,dc=bar))
base dn: cn=SomeGroup,dc=foo,dc=bar
attributes: ['member']

I know that this query works with smaller groups because I have tested it and received the list of members it contains.

I have also tried implementing paged group searching, but it doesn't return anything in its payload and instead returns an empty error message. My paging size is 1, so getting too many users with paging shouldn't be a problem. I have tested my paged searching on organizational units (OUs), so I know it's implemented correctly.

Any help or suggestions would be greatly appreciated.

Gare Bear

1 Answer


To get a list of members of a specific group, you should use a memberof search filter:

Filter: (&(memberof=cn=SomeGroup,dc=foo,dc=bar))
Attributes: whatever you want to know about the members
Base DN: I recommend setting this to your directory root (dc=foo,dc=bar) to ensure you get the complete list of members

If you want to do it the opposite way (reading the members' distinguished names from the group), you should perform a read operation with a dummy filter (objectclass=*) and the base DN set to the distinguished name of the group, requesting the member attribute.

Robert Rossmann
  • I am actually doing the latter method you suggested. Just because this avoids me having to scan through all of the users that can be contained in AD. I tried the dummy filter but that didn't change anything – Gare Bear Jul 16 '13 at 19:01
  • For anyone trying the former method (memberOf attribute): LDAP idiosyncrasy: a user's "primaryGroup" is NOT listed in memberOf. So you really need two distinct queries and "union" them together to be sure you get all members. '(&(objectCategory=person)(objectClass=user)(primaryGroupID=' + l_primaryGroupToken, where you determine l_primaryGroupToken with another search. http://stackoverflow.com/questions/21550704/how-to-retrieve-group-by-primarygrouptoken-from-active-directory-using-php – Justin Mar 05 '15 at 16:17
  • In case it might help someone else, as I struggled for a very long time because of it... With Active Directory you need the distinguishedName all along to get the users with a given membership (memberOf=) with such a search_filter... I ultimately found this Q&A that says the same: https://stackoverflow.com/questions/6195812/ldap-nested-group-membership. It doesn't work with just the CN of the group, as specified in the filter example above. – Richard Jan 31 '18 at 01:21
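The following is an added example, not code from the question, the answer or the comments above. It shows both approaches from the answer against python-ldap's search_s() call shape, together with two Active Directory behaviours a practitioner hits with a group of this size: AD returns a multi-valued attribute such as member in chunks of MaxValRange values (1500 by default on current domain controllers), under attribute names like member;range=0-1499, so a client that only reads the plain member key sees nothing for a large group; and, as Justin's comment notes, a user's primary group is stored in neither the group's member attribute nor the user's memberOf, so a complete list is the union of the group read and a primaryGroupID search (the group's primaryGroupToken is a constructed attribute and must be requested explicitly). Group DNs interpolated into filters are escaped per RFC 4515 so a DN containing '(' or '*' cannot change the filter's meaning. ConstructedDirectory is a made-up in-memory stand-in for an AD connection (with a deliberately tiny MaxValRange of 3) so the example runs offline; the function names, the user DNs and the token value 1234 are all constructed for this example. The same calls run unchanged against a real ldap.initialize() connection.

```python
"""Added example: reading a large AD group's members with python-ldap-style
search_s() calls, handling range retrieval and primary-group membership.
ConstructedDirectory below is test data, not a real directory."""
import re
from typing import Dict, List, Optional, Tuple

try:  # python-ldap scope constants; the numeric fallbacks match the library
    import ldap
    SCOPE_BASE, SCOPE_SUBTREE = ldap.SCOPE_BASE, ldap.SCOPE_SUBTREE
except ImportError:
    SCOPE_BASE, SCOPE_SUBTREE = 0, 2

GROUP_DN = "cn=SomeGroup,dc=foo,dc=bar"   # DN used in the question
ROOT_DN = "dc=foo,dc=bar"                 # directory root, as the answer suggests

# Matches "member", "member;range=0-1499" and "member;range=1500-*"
_RANGE_RE = re.compile(r"^member(?:;range=(\d+)-(\d+|\*))?$", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for any value placed inside an LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_of_filter(group_dn: str) -> str:
    """The answer's first approach; AD requires the group's full DN here."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def primary_group_filter(token: int) -> str:
    """Users whose primary group is the group with primaryGroupToken == token."""
    return "(&(objectCategory=person)(objectClass=user)(primaryGroupID=%d))" % int(token)


def parse_member_chunk(attrs: Dict[str, List[bytes]]) -> Tuple[List[str], Optional[int]]:
    """Collect member DNs from member / member;range=a-b keys.
    next_start is None when this chunk is the last one ('*' or no range tag)."""
    members, next_start = [], None
    for name, values in attrs.items():
        m = _RANGE_RE.match(name)
        if m:
            members.extend(v.decode("utf-8") for v in values)
            if m.group(2) not in (None, "*"):
                next_start = int(m.group(2)) + 1
    return members, next_start


def read_group_members(conn, group_dn: str) -> List[str]:
    """The answer's second approach (base-scope read of the group entry),
    repeated with member;range=N-* until AD returns the final '*' chunk."""
    members, attr = [], "member"
    while True:
        res = conn.search_s(group_dn, SCOPE_BASE, "(objectClass=*)", [attr])
        chunk, next_start = parse_member_chunk(res[0][1])
        members.extend(chunk)
        if next_start is None:
            return members
        attr = "member;range=%d-*" % next_start


def members_via_member_of(conn, group_dn: str, root_dn: str) -> List[str]:
    """Subtree search from the root for everyone whose memberOf names the group."""
    res = conn.search_s(root_dn, SCOPE_SUBTREE, member_of_filter(group_dn), ["distinguishedName"])
    return [dn for dn, _ in res]


def all_group_members(conn, group_dn: str, root_dn: str) -> List[str]:
    """Group read (with range retrieval) unioned with the primaryGroupID search."""
    res = conn.search_s(group_dn, SCOPE_BASE, "(objectClass=*)", ["primaryGroupToken"])
    token = int(res[0][1]["primaryGroupToken"][0])
    primary = conn.search_s(root_dn, SCOPE_SUBTREE, primary_group_filter(token), ["distinguishedName"])
    return sorted(set(read_group_members(conn, group_dn)) | {dn for dn, _ in primary})


class ConstructedDirectory:
    """Constructed in-memory stand-in for an AD connection (example data only).
    Seven users are direct members; user7 has the group as primary group, so it
    appears in neither member nor memberOf. MaxValRange is 3 instead of 1500."""
    MAX_VAL_RANGE = 3

    def __init__(self):
        self.users = {"cn=user%d,ou=people,%s" % (i, ROOT_DN):
                      {"primaryGroupID": 513, "memberOf": [GROUP_DN]} for i in range(7)}
        self.users["cn=user7,ou=people,%s" % ROOT_DN] = {"primaryGroupID": 1234, "memberOf": []}
        self.member = [dn for dn, u in self.users.items() if GROUP_DN in u["memberOf"]]
        self.primary_group_token = 1234  # constructed RID of SomeGroup

    def search_s(self, base, scope, filterstr, attrlist):
        if scope == SCOPE_BASE and base == GROUP_DN:  # group read, chunked like AD
            out = {}
            for attr in attrlist:
                m = _RANGE_RE.match(attr)
                if m:
                    start = int(m.group(1) or 0)
                    end = start + self.MAX_VAL_RANGE
                    complete = end >= len(self.member)
                    key = "member" if complete and m.group(1) is None else \
                        "member;range=%d-%s" % (start, "*" if complete else end - 1)
                    out[key] = [d.encode("utf-8") for d in self.member[start:end]]
                elif attr.lower() == "primarygrouptoken":
                    out["primaryGroupToken"] = [str(self.primary_group_token).encode()]
            return [(GROUP_DN, out)]
        m = re.match(r"^\(memberOf=(.*)\)$", filterstr)  # only the two filters built above
        if m:
            return [(dn, {}) for dn, u in self.users.items() if m.group(1) in u["memberOf"]]
        m = re.search(r"\(primaryGroupID=(\d+)\)", filterstr)
        return [(dn, {}) for dn, u in self.users.items() if u["primaryGroupID"] == int(m.group(1))]


if __name__ == "__main__":
    d = ConstructedDirectory()
    print(len(read_group_members(d, GROUP_DN)), "via member (ranged)")
    print(len(members_via_member_of(d, GROUP_DN, ROOT_DN)), "via memberOf")
    print(len(all_group_members(d, GROUP_DN, ROOT_DN)), "including primary-group users")
```

Against the constructed directory the ranged group read needs three round trips (member;range=0-2, 3-5, 6-*) to return all seven direct members, the memberOf search returns the same seven, and only the union with the primaryGroupID search adds user7. A client that reads only attrs["member"] from a group above MaxValRange gets a KeyError or an empty list, which matches the symptom in the question of a query that works on small groups but returns nothing on a large one.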