I have a problem with a filter in LDAP. I want to retrieve all the users in a specified LDAP group. The LDIF is like this one:

dn: cn=engineering,ou=Groups,dc=domain,dc=com
objectClass: groupOfNames
cn: engineering
member: uid=alex,ou=Users,dc=domain,dc=com
member: uid=amy,ou=Users,dc=domain,dc=com
...

dn: uid=alex,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Alex Ander
gidNumber: 5000
homeDirectory: /home/alex
...

I've tried

(&(objectClass=user)
  (memberof=cn=engineering,OU=Users,DC=domain,DC=com))

but it doesn't work.

Terry Gardner
user2961042

1 Answer

3

To retrieve all the members of the group, use the following parameters in a search request:

  • base object: cn=engineering,ou=Groups,dc=domain,dc=com
  • scope: base
  • filter: (&)
  • requested attributes: member

The response from the server (assuming the authorization state of the connection on which the search request is processed permits) will be a list of all the member attribute values in that group.

If the LDAP client requires the full entry of each of the members, then transmit a search request for each member. The client has the DN, so only a base-level scope is required; list each attribute to be retrieved.

Alternatively:

  • base object: ou=users,dc=domain,dc=com
  • scope: one (if all objects are one level below ou=users)
  • filter: (&(objectClass=inetOrgPerson)(memberOf=cn=engineering,ou=Groups,dc=domain,dc=com))
  • requested attributes, for example, cn, homeDirectory

The response from the server (assuming the authorization state of the connection on which the search request is processed permits) will be a list of inetOrgPerson members that otherwise match the search parameters, such as being a member of that group.

see also

Terry Gardner
  • Thank you Terry, but the memberOf is not present on my LDAP server. I saw this article http://blog.oddbit.com/post/generating-a-memberof-attribute-for-posixgroups and the problem is that I can't add additional attributes. One person suggested to me to do the first query to find all the UIDs and then create the string by appending every username, like (& (ou=Users) (| (uid=user1)(uid=user2) ... (uid=userN) ) ). This is VERY ugly but it seems to be the only solution. – user2961042 Nov 08 '13 at 16:11
  • Sadly Mr Gardner's site is no longer hosting this content. – dlamblin Aug 31 '20 at 22:01
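Worked example, added by the editor and not part of the question, the answer or either comment. It walks the two-step approach from the answer (base-scope search on the group for its member values, then one base-scope search per member DN) and the workaround from the follow-up comment for servers without memberOf (one search on ou=Users with an OR over the member uids). Two things worth noting about the filter the question tried: its group DN (OU=Users) does not match the LDIF, where the group sits under ou=Groups, and objectClass=user does not appear on the posted entries, which carry inetOrgPerson and posixAccount. There is no live server here, so the "search" is a stand-in over a constructed LDIF sample shaped like the question's; a third member, uid=bad(guy)*, is invented to show why uid values pulled out of DNs must be RFC 4515-escaped before being spliced into a filter string, and why a member DN that no longer resolves must be tolerated.

```python
import re

# Constructed sample in the shape of the question's LDIF (not real directory data).
# The third member is deliberately awkward: '(', ')' and '*' are legal in a DN
# value but are filter syntax, and the entry itself does not exist (dangling member).
SAMPLE_LDIF = """\
dn: cn=engineering,ou=Groups,dc=domain,dc=com
objectClass: groupOfNames
cn: engineering
member: uid=alex,ou=Users,dc=domain,dc=com
member: uid=amy,ou=Users,dc=domain,dc=com
member: uid=bad(guy)*,ou=Users,dc=domain,dc=com

dn: uid=alex,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Alex Ander
gidNumber: 5000
homeDirectory: /home/alex

dn: uid=amy,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Amy Person
gidNumber: 5000
homeDirectory: /home/amy
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Handles blank-line entry
    separators, '#' comments and folded lines; base64 ('::') values are not
    needed for this sample and are left undecoded."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # join continuation lines
        attrs = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def base_search(entries, base_dn, attrs):
    """Stand-in for a base-scope search with filter (&): the entry at base_dn
    projected onto the requested attributes, or None for noSuchObject."""
    entry = entries.get(base_dn)
    return None if entry is None else {a: entry.get(a, []) for a in attrs}


def group_members(entries, group_dn):
    """Step 1 of the answer: base search on the group, requesting only member."""
    result = base_search(entries, group_dn, ["member"])
    return [] if result is None else result["member"]


def rdn_value(dn, attr):
    """Value of the leading RDN when its type is attr (the uid in
    'uid=alex,ou=Users,...'). Splits on the first unescaped comma and undoes
    RFC 4514 '\\XX' and '\\c' escapes (ASCII only); '+' multi-valued RDNs are
    not handled."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    name, _, value = first.partition("=")
    if name.strip().lower() != attr.lower():
        raise ValueError("leading RDN of %r is not %s" % (dn, attr))
    unescape = lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1)
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", unescape, value)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside a filter. Without it,
    'bad(guy)*' becomes a wildcard plus an unbalanced parenthesis, i.e. filter
    injection, instead of a literal uid."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def uid_or_filter(member_dns, object_class="inetOrgPerson"):
    """The comment's alternative to memberOf: one search on ou=Users with an
    OR over the member uids, each value escaped before it is spliced in."""
    clauses = "".join("(uid=%s)" % escape_filter_value(rdn_value(dn, "uid")) for dn in member_dns)
    return "(&(objectClass=%s)(|%s))" % (object_class, clauses)


def member_entries(entries, member_dns, attrs):
    """Step 2 of the answer: one base-scope search per member DN. A member
    value whose entry is gone answers noSuchObject; it is skipped, not fatal."""
    found = {}
    for dn in member_dns:
        result = base_search(entries, dn, attrs)
        if result is not None:
            found[dn] = result
    return found


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    members = group_members(directory, "cn=engineering,ou=Groups,dc=domain,dc=com")
    print("members:", members)
    print("filter:", uid_or_filter(members))
    for dn, attrs in member_entries(directory, members, ["cn", "homeDirectory"]).items():
        print(dn, attrs)
```

The escaping step is the part to keep even if everything else is replaced by a real client library: any value taken from the directory (or from a user) and concatenated into a filter string goes through escape_filter_value, or through the library's equivalent, otherwise a crafted uid turns the OR filter into something other than an exact match on each member. The DN comparison in member_entries is a plain string match; a real directory treats DNs case-insensitively in attribute types and normalises whitespace, so the client library's DN handling should be used rather than this shortcut.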