
I am using OpenLDAP with phpLDAPadmin, and I'm trying to check what the groups of a certain user are. This is my scheme...

(image: LDAP scheme)

This is what I tried, but it didn't work:

docker-compose exec openldap ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "cn=root,ou=django,dc=openldap" '(&(objectClass=*)(member=cn=superuser,ou=groups,dc=openldap))'

PS: I'm new to LDAP; this is the image I'm using

Mohamed Benkedadra

5 Answers


There are tons of literature on LDAP and queries that explain how to search for groups, with examples.

First, the baseDN (-b) should be the top of your hierarchy: dc=openldap.

Second, you're searching for groups, so the filter should include (objectclass=groupOfNames).

Finally, you're searching for the groups a user is a member of, so the filter should be (member=cn=root,ou=django,dc=openldap).

The resulting query is then:

ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "dc=openldap" '(&(objectClass=groupOfNames)(member=cn=root,ou=django,dc=openldap))'

This will return the group entries. If you are only interested in the name, add dn at the end of the query.

Ludovic Poitou
  • groups is an ou that I created... why should I add this? objectclass=groupOfNames – Mohamed Benkedadra Jul 21 '18 at 09:44
  • If you search under ou=groups, with a subtree scope, for all entries, the ou=groups entry will be returned. If you just want the groups, you need to specify a proper filter such as `(objectclass=groupOfNames)` (or whatever objectClass value is used for your groups). – Ludovic Poitou Apr 05 '19 at 08:52
  • Could you link to some decent _literature on LDAP and queries_? – tread Aug 05 '21 at 08:45
  • The bible is and remains "Understanding and Deploying LDAP Directory Services, 2nd Edition" by Tim Howes, Mark Smith and Gordon Good. It's old but still relevant. – Ludovic Poitou Sep 20 '21 at 05:46

To get the groups for user1, this search filter should be enough:

(&(memberUid=user1))

However, note that the group search attribute may be different depending on the OpenLDAP configuration. It can be member, uniqueMember, memberUid, etc.


ozanmut
  • memberUid is an attribute of the posixGroup. Not all groups are posixGroup. But with posixGroup, the suggested filter is the simplest one. – Ludovic Poitou May 25 '23 at 16:24

Not sure why the accepted answer does not work for me. The command that works for me is:

ldapsearch -H "ldap://$server" -x -D "$user" -w "xxxx" -b "baseDN" "(cn=notMe)" memberof

4t8dds

Other variants of LDAP may require you to use: -b ou=Group,dc=example,dc=com

ldapsearch -h ldap -D cn=admin,dc=example,dc=com -x -w password -b ou=Group,dc=example,dc=com -s sub '(&(objectClass=groupOfNames)(memberUid=user1))' dn

Anil
  • Please have a read of [this](https://stackoverflow.com/editing-help) help page about how to format code properly. – costaparas Jan 23 '21 at 03:44

In our LDAP, instead of groupOfNames/member I had to use groupOfUniqueNames/uniqueMember. The query is then:

ldapsearch -x -H "ldap://openldap" -D "cn=admin,dc=openldap" -w admin -b "dc=openldap" '(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=root,ou=django,dc=openldap))'

Robert
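Pulling the three conventions used in the answers above (groupOfNames/member in the accepted answer, posixGroup/memberUid in ozanmut's answer and groupOfUniqueNames/uniqueMember in Robert's) into one shell script, as an added example that is none of the posters' own code; it also escapes the user-supplied values per RFC 4515 before splicing them into the filter. LDAP_URI, BIND_DN, BIND_PW and BASE_DN are assumed environment variable names, defaulting to the question's values except for the password.

```shell
#!/bin/sh
# Added example, not from the question or any answer: one filter that covers
# the three membership conventions the answers mention
#   groupOfNames/member, groupOfUniqueNames/uniqueMember, posixGroup/memberUid
# and escapes the caller-supplied values (RFC 4515) before they are spliced
# into the filter, so a uid such as 'a)(uid=*' cannot rewrite the query.

# ldap_filter_escape VALUE
# Escape \ * ( ) for use inside a filter assertion value (backslash first,
# because the later replacements introduce backslashes themselves).
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# group_filter USER_DN UID
# Match any group entry that lists the user, whichever membership attribute
# the directory uses. DN-valued attributes (member, uniqueMember) take the
# user's DN; posixGroup's memberUid takes the bare uid.
group_filter() {
  esc_dn=$(ldap_filter_escape "$1")
  esc_uid=$(ldap_filter_escape "$2")
  printf '(|(&(objectClass=groupOfNames)(member=%s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))(&(objectClass=posixGroup)(memberUid=%s)))' \
    "$esc_dn" "$esc_dn" "$esc_uid"
}

# user_groups USER_DN UID
# Search from the top of the tree (the accepted answer's point) and print only
# the group DNs. Connection details come from the environment (assumed names);
# defaults are the question's values, except the password, which must be set.
user_groups() {
  ldapsearch -LLL -x -H "${LDAP_URI:-ldap://openldap}" \
    -D "${BIND_DN:-cn=admin,dc=openldap}" -w "${BIND_PW:?set BIND_PW}" \
    -b "${BASE_DN:-dc=openldap}" -s sub "$(group_filter "$1" "$2")" dn |
    sed -n 's/^dn: //p'   # base64 DNs appear as "dn:: ..." and are skipped here
}

# Usage: BIND_PW=... ./groups.sh 'cn=root,ou=django,dc=openldap' root
if [ "$#" -ge 2 ]; then
  user_groups "$1" "$2"
fi
```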