4

I am new to LDAP (AD) and I wonder how I can retrieve all users of a group if the users themselves don't have the "memberof" attribute (which should link to the group I think)?

Following LDAP Structure

- Users
  - UserA (memberof=Group1)
  - UserB (memberof=Group1,memberof=Group2)
  - UserN ...
- Groups
  - Group1 (member=UserA,member=UserB)
  - Group2 (member=UserB)
  - GroupX ...
- AppGroups
  - App1 (member=UserA,member=UserB)
  - AppX ...

So how can I query only the users which are members of App1 group from AppGroups if the users don't have the attributes memberof for this group?

I am trying to achieve this with Alfresco. Querying the groups is no problem but I can't find a way to also sync the users (and only the users of the group App1)?

Thank you in advance!

marc_s
Pali
  • Are you sure the LDAP server implements the memberOf Attribute? Not all LDAP server implementations provide MemberOf as an attribute. – jwilleke Apr 17 '15 at 09:09
  • @jeemster yes because users have the memberOf attribute (seen in my structure) and they also can be queried/found using the `memberOf` attribute in the conditions. But they don't have the memberOf attribute for all groups (especially for the group I needed)! – Pali Apr 17 '15 at 11:31

2 Answers

2

You can either form a query that asks the server to retrieve all users whose memberof attribute contains your group's distinguished name, or, you can turn the logic around and ask the server to give you the member attribute of the group. The member attribute on a group contains all members' distinguished names. You can then obtain additional information about the users by reading the objects one-by-one.

Performance-wise, this is much slower, but if there is no memberof attribute on the users themselves, this might be the only option for you.

Robert Rossmann
  • Okay that's the answer I was looking for. The next challenge for me is building the query but for sure I will talk to our sysadmin why this group is missing in the user's `memberOf` attribute. Thank you random citizen! – Pali Apr 16 '15 at 12:19
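Both approaches from the answer above, as an added example that is not part of the original answer and not Alfresco's or any LDAP library's code. The directory is a constructed in-memory dictionary that mirrors the question's structure (App1 lists UserA and UserB as `member`, but neither user carries App1 in `memberOf`). The `read(dn, attrs)` interface of the stand-in directory is an assumption; in practice you would back it with a base-scope search on your LDAP client. Two details a practitioner wants here: the group DN is escaped per RFC 4515 before it is placed in a filter, because a DN taken from directory data must never be concatenated into a filter raw, and dangling `member` DNs (entries that no longer exist) are reported rather than silently dropped, since a sync that quietly loses members is hard to notice.

```python
"""
Added example: resolve group membership either via a memberOf filter (fast
path) or by reading the group's member attribute and fetching each member
entry one by one (slow path, works when users carry no memberOf).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory mirroring the question. Note that App1 is
# NOT reflected in the users' memberOf values, exactly as described there.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=UserA,ou=Users,dc=example,dc=com": {
        "cn": ["UserA"], "mail": ["usera@example.com"],
        "memberOf": ["cn=Group1,ou=Groups,dc=example,dc=com"],
    },
    "cn=UserB,ou=Users,dc=example,dc=com": {
        "cn": ["UserB"], "mail": ["userb@example.com"],
        "memberOf": ["cn=Group1,ou=Groups,dc=example,dc=com",
                     "cn=Group2,ou=Groups,dc=example,dc=com"],
    },
    "cn=Group1,ou=Groups,dc=example,dc=com": {
        "member": ["cn=UserA,ou=Users,dc=example,dc=com",
                   "cn=UserB,ou=Users,dc=example,dc=com"],
    },
    "cn=App1,ou=AppGroups,dc=example,dc=com": {
        "member": ["cn=UserA,ou=Users,dc=example,dc=com",
                   "cn=UserB,ou=Users,dc=example,dc=com",
                   # constructed stale entry: a member DN with no object
                   "cn=Ghost,ou=Users,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Backslash is handled first so already-escaped output is not re-escaped."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def memberof_filter(group_dn: str) -> str:
    """Fast path from the answer: a filter asking the server for users whose
    memberOf contains the group DN. Only useful if the server maintains
    memberOf for that group."""
    return f"(&(objectClass=person)(memberOf={escape_filter_value(group_dn)}))"


class InMemoryDirectory:
    """Stand-in for a real LDAP connection (assumed interface for this example)."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]) -> None:
        self.entries = entries

    def read(self, dn: str, attrs: List[str]) -> Optional[Dict[str, List[str]]]:
        """Base-scope read of one entry, returning only the requested
        attributes, or None if the DN does not exist."""
        entry = self.entries.get(dn)
        if entry is None:
            return None
        return {a: entry.get(a, []) for a in attrs}


def members_via_group(directory: InMemoryDirectory, group_dn: str,
                      attrs: Tuple[str, ...] = ("cn", "mail")
                      ) -> Tuple[List[Dict[str, object]], List[str]]:
    """Slow path from the answer: read the group's member attribute, then
    fetch each member DN individually. Returns (users, dangling_dns)."""
    group = directory.read(group_dn, ["member"])
    if group is None:
        raise LookupError(f"group not found: {group_dn}")
    users: List[Dict[str, object]] = []
    missing: List[str] = []
    for dn in group["member"]:
        entry = directory.read(dn, list(attrs))
        if entry is None:
            missing.append(dn)  # stale reference, surface it to the operator
        else:
            users.append({"dn": dn, **entry})
    return users, missing


if __name__ == "__main__":
    app1 = "cn=App1,ou=AppGroups,dc=example,dc=com"
    print("filter (fast path):", memberof_filter(app1))
    found, dangling = members_via_group(InMemoryDirectory(SAMPLE_DIRECTORY), app1)
    print("members (slow path):", [u["dn"] for u in found])
    print("dangling member DNs:", dangling)
```

The slow path issues one read per member, which is the cost the answer warns about; for large groups, batch the reads or page through them rather than holding the whole result in memory.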
1

The 'memberOf' attribute is supported by the memberOf overlay, if:

  • you have configured it
  • you have modified the memberships of this DN since you installed the overlay. It isn't retrospective.
user207421
  • Thank you for the information. But I am not the sysadmin who manages the ldap so I don't know much about the setup. I can only browse the ldap directories and see the structure seen in my question. So is it generally possible to query the users and check if they are a member of the group `App1`? – Pali Apr 16 '15 at 10:13
  • Only under the conditions I have described. Absent that, you have no basis for expecting that the `memberOf` attribute will even exist. – user207421 Apr 16 '15 at 10:24
  • So I can only check memberships if the `memberOf` overlay is 1. installed/configured and 2. the user has a `memberOf` attribute referring to the group I want to check the membership of? There is no other way and I will never be able to check the membership between `UserA` and the group `App1` in the ldap structure in my question? – Pali Apr 16 '15 at 10:50