
I enabled the memberof module in OpenLDAP and added two groups and some members under them (groupOfNames).

When I printed the members of a particular group using the filter (&(objectClass=groupOfNames)(cn=bowlers)), it prints only the first member of the group, though it has multiple members.

How to list all members of a group?

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Sierraware
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9NFZXYit2MlVBS2xRVUdBOWVjK2IrSHBac3VpYnV6ZlM=

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

# adam, People, example.com
dn: uid=adam,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: adam
sn: hanks
givenName: adam
cn: Adam hanks
displayName: Adam hanks
uidNumber: 10000
gidNumber: 5000
userPassword:: YWRhbWxkYXA=
gecos: Adam hanks
loginShell: /bin/bash
homeDirectory: /home/adam

# john, People, example.com
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: doe
givenName:: am9obiA=
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword:: am9obmxkYXA=
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john


# wahab, People, example.com
dn: uid=wahab,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: wahab
sn: riyaz
givenName:: d2FoYWIg
cn: Wahab Riaz
displayName: Wahab Riaz
uidNumber: 10008
gidNumber: 5008
userPassword:: d2FoYWJsZGFw
gecos:: V2FoYWIgUmlheiA=
loginShell: /bin/bash
homeDirectory: /home/wahab

# sachin, People, example.com
dn: uid=sachin,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: sachin
sn: ramesh
givenName:: c2FjaGluIA==
cn: Sachin Ramesh
displayName: Sachin Ramesh
uidNumber: 10009
gidNumber: 5009
userPassword:: c2FjaGlubGRhcA==
gecos:: U2FjaGluIFJhbWVzaCA=
loginShell: /bin/bash
homeDirectory: /home/sachin

# bowlers, People, example.com
dn: cn=bowlers,ou=People,dc=example,dc=com
objectClass: groupOfNames
cn: bowlers
description: IT security group
member: cn=wahab,ou=People,dc=example,dc=com
member: cn=sachin,ou=People,dc=example,dc=com
user2402244

1 Answer


For example if you have such group:

dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins of people group
cn: people-admins
uniqueMember: uid=test1,ou=people,dc=example,dc=com
uniqueMember: uid=test2,ou=people,dc=example,dc=com

you can print all of its members with:

ldapsearch -x -LLL -H ldap://127.0.0.1:3000/  -b dc=example,dc=com -s sub '(&(objectClass=inetOrgPerson)(memberof=cn=people-admins,ou=groups,dc=example,dc=com))' -D "cn=admin,dc=example,dc=com" -w admin uid
dn: uid=test1,ou=people,dc=example,dc=com
uid: evgeniy

dn: uid=test2,ou=people,dc=example,dc=com
uid: test2

Update

In my case ldapsearch does not work with your test data, because of my configuration:

# Load memberof module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# Backend memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

So I changed your test data to:

dn: cn=bowlers,ou=People,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: bowlers
description: IT security group
uniqueMember: uid=wahab,ou=People,dc=example,dc=com
uniqueMember: uid=sachin,ou=People,dc=example,dc=com

and then:

ldapsearch -x -LLL -H ldap://127.0.0.1:3000/  -b dc=example,dc=com -s sub '(memberof=cn=bowlers,ou=People,dc=example,dc=com)' -D "cn=admin,dc=example,dc=com" -w admin uid
dn: uid=wahab,ou=People,dc=example,dc=com
uid: wahab

dn: uid=sachin,ou=People,dc=example,dc=com
uid: sachin

So you have to configure your memberof overlay to work with groupOfNames, or change its class to groupOfUniqueNames.

fghj
  • How do I get the dn of the group? I don't see a "distinguishedname" attribute in OpenLDAP. – user2402244 Apr 15 '16 at 10:49
  • You can run `ldapsearch -x -LLL -H ldap://127.0.0.1:3000/ -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" ` without parameters and see all the content of your database, and find out the `dn` of your group. – fghj Apr 15 '16 at 10:52
  • When I use memberof, I get the following in return. The member list is empty. – user2402244 Apr 15 '16 at 11:04
  • # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(objectClass=inetOrgPerson)(memberof=cn=bowlers,ou=People,dc=example,dc=com)) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 – user2402244 Apr 15 '16 at 11:05
  • If `ldapsearch` gives you nothing, then you need to update your question with a description of your LDAP tree, because on my test tree this works fine. – fghj Apr 15 '16 at 11:16
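The following is an added example, not code from the question, the answer, or OpenLDAP. It models offline what the memberof overlay does with the tree posted in the question and the group rewritten in the answer: a small LDIF parser reads a constructed fragment, `group_members` lists every value of the group's member attribute (a plain search for the group entry returns all of them), and `derive_memberof` applies the overlay's olcMemberOfGroupOC / olcMemberOfMemberAD pairing to show which entries would receive memberOf. One thing it makes visible from the page's own data: the question's group lists `member: cn=wahab,ou=People,...` and `cn=sachin,...`, while the user entries are `uid=wahab,...` and `uid=sachin,...`, so those member values name no existing entry and the overlay has nothing to attach memberOf to. The sample LDIF, the `bowlers-fixed` group and the DN normalisation are constructed simplifications; a real server uses the distinguishedNameMatch rule.

```python
"""Added example, not code from the question, the answer or OpenLDAP: an offline
model of how the memberof overlay turns a group's member values into memberOf."""
import base64
from collections import defaultdict

# Constructed LDIF mirroring the question's tree: 'bowlers' keeps the question's
# cn= member DNs (entries are uid=); 'bowlers-fixed' is the answer's form.
SAMPLE_LDIF = """\
dn: uid=wahab,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: wahab
givenName:: d2FoYWIg

dn: uid=sachin,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: sachin

dn: cn=bowlers,ou=People,dc=example,dc=com
objectClass: groupOfNames
cn: bowlers
member: cn=wahab,ou=People,dc=example,dc=com
member: cn=sachin,ou=People,dc=example,dc=com

dn: cn=bowlers-fixed,ou=People,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: bowlers-fixed
uniqueMember: uid=wahab,ou=People,dc=example,dc=com
uniqueMember: uid=sachin,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; handles '#' comments, '::' base64
    values and folded lines. Attribute names are lower-cased (LDAP matches them
    case-insensitively); base64 values keep their trailing whitespace."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
            continue
        if raw.strip():
            lines.append(raw)
            continue
        attrs = defaultdict(list)              # blank line: one entry complete
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs[name.strip().lower()].append(value)
        if attrs:
            entries[attrs["dn"][0]] = dict(attrs)
        lines = []
    return entries


def normalize_dn(dn):
    """Crude DN matching (case-fold, trim around commas); a real server applies
    the distinguishedNameMatch rule, which is stricter about RDN syntax."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def group_members(entries, group_dn, member_ad="member"):
    """All values of the group's member attribute: what a plain search for the
    group entry returns, since LDAP attributes are multi-valued."""
    return list(entries[group_dn].get(member_ad.lower(), []))


def derive_memberof(entries, group_oc="groupOfNames", member_ad="member"):
    """Model of the overlay with olcMemberOfGroupOC=group_oc and
    olcMemberOfMemberAD=member_ad: member values naming an existing entry get
    memberOf; the rest are 'dangling' (skipped, as olcMemberOfDangling: ignore
    does). Returns (memberof, dangling)."""
    by_norm = {normalize_dn(dn): dn for dn in entries}
    memberof, dangling = defaultdict(list), []
    for dn, attrs in entries.items():
        if group_oc.lower() not in [oc.lower() for oc in attrs.get("objectclass", [])]:
            continue
        for target in attrs.get(member_ad.lower(), []):
            real = by_norm.get(normalize_dn(target))
            if real is None:
                dangling.append((dn, target))
            else:
                memberof[real].append(dn)
    return dict(memberof), dangling


def members_via_memberof(memberof, group_dn):
    """Equivalent of the answer's '(memberof=<group dn>)' search filter."""
    want = normalize_dn(group_dn)
    return sorted(dn for dn, gs in memberof.items() if want in map(normalize_dn, gs))


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print(group_members(tree, "cn=bowlers,ou=People,dc=example,dc=com"))
    print(derive_memberof(tree, "groupOfNames", "member"))
    mo, _ = derive_memberof(tree, "groupOfUniqueNames", "uniqueMember")
    print(members_via_memberof(mo, "cn=bowlers-fixed,ou=People,dc=example,dc=com"))
```

Run with the overlay configured as in the question (groupOfNames / member) the model yields no memberOf at all and two dangling references, which is the empty result the comment thread reports; configured as in the answer (groupOfUniqueNames / uniqueMember) against member DNs that match real entries, the `(memberof=...)` search returns both users. Two caveats worth checking on a real server: the group's objectClass and member attribute must match the overlay's olcMemberOfGroupOC / olcMemberOfMemberAD pair, and the overlay only maintains memberOf for writes made after it is loaded, so groups created earlier need to be re-added before the memberof filter finds anything.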