
Hi, the LDAP query below returns a list of members' "givenName" that are in a specific group. However, I would like to return a list of members' "sAMAccountName" that are in a specific group. I'm not very familiar with LDAP and unsure how to accomplish this. Any help is appreciated.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public LdapContext getLdapContext(){
        LdapContext ctx = null;
        String connection = null;
        try{
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            // JNDI expects the lower-case mechanism name "simple"
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "userPrincipalName");   // e.g. user@domain.com
            env.put(Context.SECURITY_CREDENTIALS, "Password");
            // PROVIDER_URL must be an LDAP URL, not a bare host name
            env.put(Context.PROVIDER_URL, "ldap://domainController");
            ctx = new InitialLdapContext(env, null);
            connection = "Connection Successful.";
        }catch(NamingException nex){
            connection = "LDAP Connection: FAILED";
            nex.printStackTrace();
        }
        if (ctx != null) {
            this.getUserBasicAttributes("(&(objectClass=group)(CN=Users_Group))", ctx);
        }
        return ctx;
    }

    private void getUserBasicAttributes(String groupFilter, LdapContext ctx) {
        try {
            String member = null;

            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // only ask for the group's "member" attribute, which holds the member DNs
            String[] attrIDs = {"member"};
            constraints.setReturningAttributes(attrIDs);
            NamingEnumeration<SearchResult> answer =
                    ctx.search("DC=Domain,DC=com", groupFilter, constraints);
            if (answer.hasMore()) {
                Attributes attrs = answer.next().getAttributes();
                // Attribute.toString() renders "member: dn1, dn2, ..." as one string
                member = attrs.get("member").toString();
                System.out.println(member);
            }else{
                throw new Exception("Invalid Group");
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

Results of the above query look similar to below:

member: CN=FistName LastName,OU=ouData,OU=ouData,OU=ouData,DC=dcData,DC=dcData,DC=dcData,
CN=FistName2 LastName2,OU=ouData,OU=ouData,OU=ouData,DC=dcData,DC=dcData,DC=dcData,
CN=FistName3 LastName3,OU=ouData,OU=ouData,OU=ouData,DC=dcData,DC=dcData,DC=dcData,
CN=FistName4 LastName4,OU=ouData,OU=ouData,OU=ouData,DC=dcData,DC=dcData,DC=dcData
Toya
  • Hi there, this might be useful for your research: https://stackoverflow.com/questions/508014/active-directory-ldap-query-by-samaccountname-and-domain – Jim Steven Jun 12 '17 at 22:42

2 Answers


The code and the output you pasted do not retrieve the givenName attribute of the members. The code only retrieves the DN of the members of the group which has cn=Users_Group.

The DNs of your users are built from the cn attribute of the user, which is why you see CN=FistName LastName,OU=ouData,OU=ouData,OU=ouData,DC=dcData,DC=dcData,DC=dcData.

To retrieve the sAMAccountName of these users you now have to loop through these DNs and retrieve the sAMAccountName attribute of each entry corresponding to a DN.

Esteban
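The loop Esteban describes, written out in JNDI as an added example (this is not his code or the question's). It assumes the group's DN is already known, for instance taken from the question's group search with `SearchResult.getNameInNamespace()`, and it adds two caveats a practitioner hits on Active Directory: the `member` attribute is served in `member;range=` slices once a group exceeds MaxValRange (1500 by default), and member DNs must be parsed as `LdapName` rather than passed as raw strings. The class name and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

// Added example: resolve a group's member DNs to sAMAccountName (not code from the thread).
public class GroupMemberLookup {

    /**
     * Reads every DN in the group's "member" attribute.  Active Directory returns
     * at most MaxValRange (1500 by default) values per attribute and serves the
     * rest as "member;range=lo-hi" slices, so the group entry is re-read with the
     * next range until the server names the slice with an open upper bound
     * ("member;range=1500-*"), or returns a plain "member" (non-AD servers).
     */
    static List<String> memberDns(LdapContext ctx, String groupDn) throws NamingException {
        List<String> dns = new ArrayList<>();
        int low = 0;
        while (true) {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);          // read this one entry
            sc.setReturningAttributes(new String[] { "member;range=" + low + "-*" });
            NamingEnumeration<SearchResult> hits =
                    ctx.search(new LdapName(groupDn), "(objectClass=group)", sc);
            if (!hits.hasMore()) {
                throw new NamingException("Group not found: " + groupDn);
            }
            Attributes attrs = hits.next().getAttributes();

            // The attribute comes back under the range-qualified ID the server chose.
            String id = null;
            NamingEnumeration<String> ids = attrs.getIDs();
            while (ids.hasMore()) {
                String candidate = ids.next();
                if (candidate.toLowerCase().startsWith("member")) {
                    id = candidate;
                }
            }
            if (id == null) {
                break;                                                // empty group
            }
            int count = 0;
            NamingEnumeration<?> values = attrs.get(id).getAll();
            while (values.hasMore()) {
                dns.add((String) values.next());
                count++;
            }
            if (id.equalsIgnoreCase("member") || id.endsWith("-*")) {
                break;                                                // last slice delivered
            }
            low += count;
        }
        return dns;
    }

    /**
     * Resolves member DNs to sAMAccountName.  Nested groups are skipped rather
     * than expanded; contacts and foreign security principals have no
     * sAMAccountName and are skipped too.
     */
    static List<String> samAccountNames(LdapContext ctx, List<String> dns) throws NamingException {
        List<String> names = new ArrayList<>();
        for (String dn : dns) {
            // LdapName parses RFC 4514 DNs; a raw String would be parsed as a
            // CompositeName and break on DNs that contain "/" or quotes.
            Attributes a = ctx.getAttributes(new LdapName(dn),
                    new String[] { "sAMAccountName", "objectClass" });
            Attribute oc = a.get("objectClass");
            if (oc != null && oc.contains("group")) {
                continue;
            }
            Attribute sam = a.get("sAMAccountName");
            if (sam != null) {
                names.add((String) sam.get());
            }
        }
        return names;
    }
}
```

With the context from the question's `getLdapContext()`, the call is `samAccountNames(ctx, memberDns(ctx, groupDn))`. Each member costs one base-scope read, so for large groups this is many round trips; that is the trade-off jwilleke raises in the comments on the next answer.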

Since you are referencing "samAccountName", and therefore presumably using Microsoft Active Directory, you could use a filter with LDAP_MATCHING_RULE_IN_CHAIN such as:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET))

and return the "samAccountName" as an attribute. -jim

jwilleke
  • To implement this solution he will have to know the exact `dn` of the group and won't be able to search for any group in the directory with `cn=Users_Group` as the code suggests (just pointing it out in case that is the intended behaviour) – Esteban Jun 13 '17 at 12:44
  • Performing a search for one group is much simpler and more efficient than looping through perhaps 100s or 1,000s of members; right? – jwilleke Jun 13 '17 at 13:07
  • I don't know AD enough for that. If the memberOf attribute is indexed, yes, you're right; if not, it depends on the number of users, number of groups, frequency of this kind of request, and number of groups which have `cn=Users_Group` matching. But what I was pointing out was the fact that the group `dn` could not be known beforehand for whatever reason. So searching for all the group DNs needed, and making a big filter with multiple `memberOf=groupdn` with a logical `OR`, can be costly too. It was just a comment regarding what the code suggested – Esteban Jun 13 '17 at 13:16
  • Hi Jim, thanks this does give me back the sAMAccountName, however it only returns the name for one user and not all the users tied to that group. Do you know how I can pull back all the users for that group? – Toya Jun 13 '17 at 15:06
  • I couldn't quite get the matching rule to work, but I added a while loop to your first suggestion of using just the "memberOf=CN=GroupName, Ou...", and that got me what I needed. Thanks! – Toya Jun 13 '17 at 16:07
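jwilleke's filter wired up in JNDI, as an added example that is neither his code nor the question's. It covers three things the thread runs into: the group DN is escaped per RFC 4515 before it is spliced into the filter (a group name taken from user input such as `x)(objectClass=*` would otherwise rewrite the filter, i.e. LDAP injection); the enumeration is drained with `while` rather than the `if` in the question's code, which only ever reads the first entry (Toya's last comment reports fixing exactly that); and the simple paged results control is used so that groups with more members than the domain controller's MaxPageSize (1000 by default) are returned completely. The class name, the page size of 500 and the `ctx`/`baseDn`/`groupDn` arguments are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

// Added example: nested-group membership via LDAP_MATCHING_RULE_IN_CHAIN (not code from the thread).
public class NestedGroupUsers {

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515, section 3).
     * A DN that itself contains RFC 4514 escapes such as "CN=Smith\, John" must
     * have its backslashes doubled here too, which this does ("\" -> "\5c").
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the sAMAccountName of every user that is a direct or nested member
     * of groupDn.  Nesting is resolved server-side by the matching rule
     * 1.2.840.113556.1.4.1941, and results are fetched page by page because a
     * domain controller stops after MaxPageSize entries unless paging is requested.
     */
    static List<String> usersInGroup(LdapContext ctx, String baseDn, String groupDn)
            throws NamingException, IOException {
        // objectCategory=person keeps computer accounts (also objectClass=user) out
        String filter = "(&(objectClass=user)(objectCategory=person)"
                + "(memberOf:1.2.840.113556.1.4.1941:=" + escapeFilterValue(groupDn) + "))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "sAMAccountName" });

        List<String> names = new ArrayList<>();
        byte[] cookie = null;
        do {
            // assumed page size of 500; the cookie from the previous page (or null) asks for the next one
            ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(500, cookie, Control.CRITICAL) });
            NamingEnumeration<SearchResult> results = ctx.search(new LdapName(baseDn), filter, sc);
            // while, not if: one hasMore()/next() pair per returned entry
            while (results.hasMore()) {
                Attribute sam = results.next().getAttributes().get("sAMAccountName");
                if (sam != null) {
                    names.add((String) sam.get());
                }
            }
            cookie = null;
            Control[] response = ctx.getResponseControls();
            if (response != null) {
                for (Control c : response) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            }
        } while (cookie != null && cookie.length > 0);   // empty cookie = last page
        ctx.setRequestControls(null);
        return names;
    }
}
```

Using the question's context: `usersInGroup(ctx, "DC=Domain,DC=com", "CN=Users_Group,OU=...,DC=Domain,DC=com")`. The matching rule needs the group's full DN, as Esteban points out in the comments; if only the cn is known, search for the group first and take `SearchResult.getNameInNamespace()`, escaping that cn with `escapeFilterValue` as well. Note that the earlier `sAMAccountName` lookups by DN and this server-side filter answer slightly different questions: this one also returns users of nested groups.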