12

I'm trying to use ldap3 with Python to retrieve members of a group and also retrieve their sAMAccountName, as we have mixed DNs (some with NTID and others with first/last name).

I've been trying this with no luck, any help would be appreciated:

from ldap3 import (Server, Connection, AUTO_BIND_NO_TLS, SUBTREE, BASE,
                   ALL_ATTRIBUTES, ObjectDef, AttrDef, Reader, Entry, Attribute,
                   OperationalAttribute)
import ldap3

conn = Connection(Server('adserver.com', port=389, use_ssl=False),
                  # no TLS on port 389: this simple bind sends the password in clear text
                  auto_bind=AUTO_BIND_NO_TLS, user='DOMAIN\\NTID',
                  password='somepassword')

conn.search(search_base='CN=GROUPNAME,OU=Groups,OU=Resources,OU=Global,DC=adserver.com',
            search_filter='(objectCategory=person)', search_scope=SUBTREE,
            attributes = ['sAMAccountName'], size_limit=0)

print(conn.response_to_json())
sfjac
Jon

3 Answers

18

Before you can search the members you must first pull down the list of members from the group itself.

conn.search(
    search_base='CN=GROUPNAME,OU=Groups,OU=Resources,OU=Global,DC=adserver.com',
    search_filter='(objectClass=group)',
    search_scope='SUBTREE',
    attributes = ['member']
)

for entry in conn.entries:
    print(entry.member.values)

This will print out a list of members as distinguished names.

You will then need to perform a new search that iterates through each of the members and returns the sAMAccountName for each member.

Here is what the full code might look like (may need to be tweaked):

from ldap3.utils.conv import escape_filter_chars

conn.search(
    search_base='CN=GROUPNAME,OU=Groups,OU=Resources,OU=Global,DC=adserver.com',
    search_filter='(objectClass=group)',
    search_scope='SUBTREE',
    attributes = ['member']
)

for entry in conn.entries:
    for member in entry.member.values:
        conn.search(
            search_base='OU=Global,DC=adserver.com',
            # DNs can contain \ ( ) and *, which must be escaped inside a filter
            search_filter=f'(distinguishedName={escape_filter_chars(member)})',
            attributes=[
                'sAMAccountName'
            ]
        )

        # skip members that were not found under this search base
        if not conn.entries:
            continue

        user_sAMAccountName = conn.entries[0].sAMAccountName.values

        print(user_sAMAccountName)
general-gouda
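Member DNs such as `CN=Arman\, Lewis,DC=com` contain characters that are special inside an LDAP search filter, so they need RFC 4515 escaping before being interpolated into one. The sketch below is an added example, not part of the original answer: it uses only the standard library, its helper names are hypothetical and its sample DNs are constructed (ldap3 ships `ldap3.utils.conv.escape_filter_chars` for the same job). It also builds the single-query `memberOf` filter, which is standard Active Directory behaviour rather than something the answers show.

```python
# Added example, not from the original answer. Helper names are hypothetical.
import re

# RFC 4515: these characters must be written as \XX hex pairs inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# A valid assertion value is plain characters or a backslash plus two hex digits.
_VALID_VALUE = re.compile(r"(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})*")


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_assertion_value(value: str) -> bool:
    """True if value can sit in a filter without changing the filter's structure."""
    return _VALID_VALUE.fullmatch(value) is not None


def member_lookup_filter(member_dn: str) -> str:
    """Filter for the per-member lookup: match one entry by its DN."""
    return f"(distinguishedName={escape_filter_value(member_dn)})"


def group_members_filter(group_dn: str) -> str:
    """One-query form: person entries whose memberOf holds the group DN."""
    return f"(&(objectCategory=person)(memberOf={escape_filter_value(group_dn)}))"


# Constructed sample DNs: the two shapes from the page plus one with ( ) and *.
SAMPLE_MEMBERS = [
    "CN=Robh01,DC=com",
    "CN=Arman\\, Lewis,DC=com",
    "CN=Lee\\, Kim (Ops*),DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_MEMBERS:
        print("raw value valid in a filter:", is_valid_assertion_value(dn))
        print("  escaped filter:", member_lookup_filter(dn))
    print(group_members_filter(
        "CN=GROUPNAME,OU=Groups,OU=Resources,OU=Global,DC=adserver.com"))
```

With the `memberOf` filter the search base is the directory subtree that holds the users, not the group object, and only direct members are returned.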
0

The entries found should be in the entries property of the Connection object. Try with print(conn.entries)

cannatag
  • So this does give me the entries, my problem is that the entries look like this: `CN=Robh01,DC=com` AND `CN=Arman\, Lewis,DC=com` the first one is perfect, the second is bad since I need their NTID, I get a big mix of these, so I need to find a way to grab their sAMAccountName property from the group – Jon Dec 21 '15 at 18:49
  • Once you have the group members you must query each of them for the sAMAccountName attribute. – cannatag Dec 24 '15 at 06:12
0

sAMAccountName and cn might be the same in your directory, but they don't have to be.

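import re

cn_match = re.match(r"^CN=([a-zA-Z0-9-_ &\.]+),.*$", conn.entries[0].entry_dn)  # match against the entry's DN string
cn = cn_match.group(1) if cn_match else None  # None when the first RDN holds other characters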

So you can use the regex above to simply parse out the cn name, but if you want to look up sAMAccountName, you'll need to query the above output against the value of the cn attribute and return the sAMAccountName value.