I am trying to get all the groups that a certain user is a member of.

I have the following structure in LDAP:

    o=myOrganization
        ou=unit1
            cn=admin
            cn=guess

and

    ou=users
        cn=ann
        cn=bob
        cn=carla

  • myOrganization is an instance of Organization
  • unit1 is an instance of OrganizationUnit
  • admin and guess are both GroupOfNames and have everyone as a member
  • ann, bob, and carla are instances of Person

Currently, I am using the ldap module in Python and this is what I have:

```python
import ldap

l = ldap.initialize("ldap://my_host")
l.simple_bind_s("[my_dn]", "[my_pass]")
# asynchronous search; result() fetches the entries (all=0 returns them one message at a time)
ldap_result = l.search("[BASE_DN]", ldap.SCOPE_SUBTREE, "(&(objectClass=Person)(cn=ann))", None)
res_type, data = l.result(ldap_result, 0)
print(data)
```

And I am able to get the user ann; but how do I go about getting the groups Ann belongs to?

I tried the following from this page:

```python
# the base must be passed as a DN string, as in the search above
search_filter = '(|(&(objectClass=*)(member=cn=ann)))'
results = l.search_s("[BASE_DN]", ldap.SCOPE_SUBTREE, search_filter, ['cn'])
```

But I got an empty list. I also tried various combinations of queries, but they all return empty.

PS: I am using OpenLDAP on a Linux machine

Rodolfo
  • _I tried the following from this page... But had no success_. How, exactly, was the listed query unsuccessful? Empty results? Error message? – John Gordon Oct 24 '16 at 18:58
  • Also, are you only looking for groups in which ann is a _direct_ member? (What if ann is a member of a group which is itself a member of another group?) – John Gordon Oct 24 '16 at 19:00
  • Are you using Windows / Active Directory? If you are, I would suggest using the `pyad` package. I know that it's not particularly helpful to your exact question, but I've found `pyad` to be a much nicer interface than python-ldap. This would be as simple as `user.get_membersOf()` which also allows you to specify a scope and whether or not to include subgroups recursively. – sytech Oct 24 '16 at 19:02
  • @JohnGordon I get an empty list when I run the query from the website, and I am only looking for direct members. I will update my question to make it clearer – Rodolfo Oct 24 '16 at 19:04
  • @sytech I am using openldap on a linux machine – Rodolfo Oct 24 '16 at 19:04
  • I know you specify OpenLDAP, but in case it might help someone else as I struggle very long because of it... With Active Directory you need the distinguishedName all along to get the users with a given membership with such a search_filter... I ultimately find this Q&A that says the same : https://stackoverflow.com/questions/6195812/ldap-nested-group-membership – Richard Jan 31 '18 at 01:13

1 Answer

member=cn=ann is not enough. You have to use ann's full DN, probably something like this:

```
member=cn=ann,ou=users,dc=company,dc=com
```

John Gordon
  • That worked! Another thing that I had to change was `(objectClass=Person)` to `(objectClass=groupOfNames)` – Rodolfo Oct 24 '16 at 19:10
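The answer and the follow-up comment together give the working recipe: resolve the user's entry to its full DN, then search for `groupOfNames` entries whose `member` attribute holds that DN. The block below is an added example, not code from the question or the answer. It assumes the directory suffix `dc=company,dc=com` that the answer guessed at, and it substitutes a constructed in-memory `FakeDirectory` (mirroring the tree in the question) for a live server so it runs without python-ldap installed; `groups_for_user` accepts a bound `ldap.LDAPObject` just the same. The `escape_filter_value` helper re-implements RFC 4515 escaping (python-ldap ships the same thing as `ldap.filter.escape_filter_chars`) so that a cn or DN taken from user input cannot rewrite the filter.

```python
import re
from typing import Dict, List, Tuple

try:
    import ldap
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:  # python-ldap absent: same numeric value python-ldap uses for LDAP_SCOPE_SUBTREE
    SCOPE_SUBTREE = 2

# RFC 4515 escaping for values placed inside a search filter (equivalent to
# ldap.filter.escape_filter_chars). Without it, input such as "ann)(cn=*" changes the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def person_filter(cn: str) -> str:
    return f"(&(objectClass=Person)(cn={escape_filter_value(cn)}))"

def groups_of_dn_filter(member_dn: str) -> str:
    # member stores full DNs, so the value has to be the entry's DN, not a bare cn=ann
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(member_dn)}))"

def groups_for_user(conn, base_dn: str, cn: str) -> List[str]:
    """Resolve cn -> DN, then return (sorted) DNs of the groups listing that DN as member.

    conn is any object with python-ldap's search_s(base, scope, filterstr, attrlist)
    signature: a bound ldap.LDAPObject, or the FakeDirectory below.
    """
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, person_filter(cn), ["1.1"])  # 1.1 = no attributes
    user_dns = [dn for dn, _ in hits if dn is not None]  # referral entries come back with dn=None
    if len(user_dns) != 1:
        raise LookupError(f"expected exactly one Person with cn={cn!r}, found {len(user_dns)}")
    groups = conn.search_s(base_dn, SCOPE_SUBTREE, groups_of_dn_filter(user_dns[0]), ["cn"])
    return sorted(dn for dn, _ in groups if dn is not None)

# Constructed stand-in for the poster's directory (not a real LDAP server). It only
# evaluates the two-term AND filters built above, which is all this example needs.
_AND_OF_TWO_EQ = re.compile(r"^\(&\(objectClass=([^)]*)\)\(([^=]+)=([^)]*)\)\)$")

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class FakeDirectory:
    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = entries

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = _AND_OF_TWO_EQ.match(filterstr)
        if not m:
            raise ValueError(f"fake directory cannot evaluate {filterstr!r}")
        oc, attr, value = m.group(1).lower(), m.group(2), _unescape(m.group(3)).lower()
        results = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(base.lower()):
                continue
            if oc in (v.lower() for v in attrs.get("objectClass", [])) and \
               value in (v.lower() for v in attrs.get(attr, [])):
                results.append((dn, {k: attrs[k] for k in (attrlist or attrs) if k in attrs}))
        return results

BASE_DN = "dc=company,dc=com"  # assumed suffix; the question does not show the real base
_USERS = [f"cn={n},ou=users,{BASE_DN}" for n in ("ann", "bob", "carla")]
DIRECTORY = FakeDirectory({
    **{dn: {"objectClass": ["Person"], "cn": [dn.split(",")[0][3:]]} for dn in _USERS},
    f"cn=admin,ou=unit1,o=myOrganization,{BASE_DN}": {
        "objectClass": ["groupOfNames"], "cn": ["admin"], "member": list(_USERS)},
    f"cn=guess,ou=unit1,o=myOrganization,{BASE_DN}": {
        "objectClass": ["groupOfNames"], "cn": ["guess"], "member": list(_USERS)},
})

def compare_bare_cn_vs_full_dn(conn=DIRECTORY) -> Tuple[int, int]:
    """(groups matched by member=cn=ann, groups matched by ann's full DN): the question's failure vs the fix."""
    bare = conn.search_s(BASE_DN, SCOPE_SUBTREE, groups_of_dn_filter("cn=ann"), ["cn"])
    return len(bare), len(groups_for_user(conn, BASE_DN, "ann"))

if __name__ == "__main__":
    print(compare_bare_cn_vs_full_dn())            # (0, 2)
    print(groups_for_user(DIRECTORY, BASE_DN, "ann"))
    # Against a live OpenLDAP with python-ldap installed, the same call works on a bound connection:
    # conn = ldap.initialize("ldap://my_host"); conn.simple_bind_s("[my_dn]", "[my_pass]")
    # print(groups_for_user(conn, BASE_DN, "ann"))
```

The two-step lookup matters beyond convenience: searching on the DN the server itself returned, rather than on a DN assembled from user input, is what keeps the membership check tied to the actual entry, and escaping both values closes the filter-injection path that string-built filters otherwise leave open.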