
I'm trying to write a single LDAP search filter to retrieve users who are members of a particular group.

We're running a custom LDAP implementation (running on OpenLDAP: slapd 2.4.40), where the relation between users and groups is mapped Group (memberUid) -> User (uid).

The user LDIF does not have memberOf attributes, which makes it impossible to use the usual approach of (&(objectClass=person)(memberOf=login_group)).

The user LDIFs look like:

dn: uid=user1,ou=people,dc=example,dc=com
cn: user1
displayName: User1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
uidNumber: 2698
uid: user1

The group LDIFs look like this:

dn: cn=login_group,ou=groups,dc=example,dc=com
gidNumber: 1643
objectClass: posixGroup
objectClass: top
objectClass: groupOfUniqueNames
cn: login_group
memberUid: user1
memberUid: user2

Is it possible to write a single LDAP query that does the equivalent of an SQL JOIN, or "IN" filter, e.g.

SELECT u.* FROM user u WHERE u.uid IN (SELECT memberUid FROM group WHERE cn=login_group)

It must be a single query since it will be used to control access to a third-party portal, we can't change the client implementation.

André Fernandes
    You can't do an SQL-like join in a single LDAP query. LDAP does not support this kind of sub-query logic. However, in a single query, you can search for members of a particular group: (&(objectClass=posixGroup)(cn=login_group)) When you run this filter, it will retrieve the login_group and its associated memberUid attributes, giving you a list of users in that group. In my opinion, the schema should be modified to meet your requirements. – Alexander Pavluchenko Aug 28 '23 at 15:42
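Since the page has no answer, here is the client-side equivalent of the SQL IN query from the question, as an added example that is not from the question's author, the commenter, or OpenLDAP. It takes the memberUid values of the group entry (here from a constructed LDIF string modelled on the group LDIF above; in practice they come from a first search on the group entry) and builds the second search filter, an OR of uid equality matches, with RFC 4515 escaping so that a membership value containing `*`, `(`, `)` or `\` cannot widen the match or break the filter. The function names (escape_filter_value, attribute_values, in_filter, users_in_group_filter) and the sample data are my own. It does not make the single-query case possible; a true single query needs the server to maintain memberOf (the OpenLDAP memberof overlay), and that overlay works on DN-valued membership attributes such as member or uniqueMember, not on posixGroup's memberUid strings.

```python
import base64

# Constructed sample group entry, modelled on the question's group LDIF (not real directory data).
GROUP_LDIF = """dn: cn=login_group,ou=groups,dc=example,dc=com
gidNumber: 1643
objectClass: posixGroup
objectClass: top
objectClass: groupOfUniqueNames
cn: login_group
memberUid: user1
memberUid: user2
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def attribute_values(ldif, attr):
    """Return all values of `attr` from a single-entry LDIF (folded lines are not handled)."""
    values = []
    for line in ldif.splitlines():
        if line.startswith(attr + ":: "):
            # "attr:: " marks a base64-encoded value in LDIF
            raw = base64.b64decode(line[len(attr) + 3:].strip())
            values.append(raw.decode("utf-8"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:].strip())
    return values


def in_filter(attr, values):
    """Build the LDAP equivalent of `attr IN (values)`: an OR of equality matches.

    An empty value list yields "(|)", the RFC 4526 absolute-false filter, so a group
    with no members matches no users instead of producing an invalid filter.
    """
    return "(|" + "".join(f"({attr}={escape_filter_value(v)})" for v in values) + ")"


def users_in_group_filter(group_ldif):
    """Filter for the second search: every person whose uid is a memberUid of the group."""
    uids = attribute_values(group_ldif, "memberUid")
    return "(&(objectClass=person)" + in_filter("uid", uids) + ")"


if __name__ == "__main__":
    print(users_in_group_filter(GROUP_LDIF))
```

The resulting filter is passed to a second search over ou=people. For large groups the OR grows with the membership, so keep in mind the server's filter size limits; escaping is the non-negotiable part, because the memberUid values are data taken from the directory and must not be concatenated into a filter unescaped.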

0 Answers