10

How do I filter an Active Directory LDAP query to groups containing the authenticated/bound user (or any user at all)? This works fine:

(&(objectClass=group)(member=*))
>>> lots of results

But I can't go any more detail:

(&(objectClass=group)(member=*S*))
>>> nothing

The MSDN mentions using a filter like this:

(member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x))

But even ignoring the crazy hyper magic number involved in that, I always get 0 results when I try to filter with that (even replacing cn=user1,cn=users,DC=x with my own distinguishedName, even replacing it with *).

Stuart P. Bentley
  • 10,195
  • 10
  • 55
  • 84
  • The MSDN Search Filter Syntax page linked in @JPBlanc's answer below *lists* the crazy hyper magic number, but it doesn't *explain* it. The *explanation* is that it's a node in the obscure, worldwide [OID](https://en.wikipedia.org/wiki/Object_identifier) standard administered by ISO and ITU-T, of which LDAP is [one of the few prominent uses](https://en.wikipedia.org/wiki/Object_identifier#Usage). See http://www.oid-info.com/cgi-bin/display?tree=1.2.840.113556.1.4.1941 for a structural breakdown of each number's significance. – Stuart P. Bentley Mar 08 '17 at 01:52

2 Answers2

11

You need the full DN of the user i.e

(&(member=CN=Your Name,OU=Your OU,DC=company,DC=com)(objectClass=group))

take note you cannot use * in this one

Raymund
  • 7,684
  • 5
  • 45
  • 78
5

So the crazy hyper magic number involved in recursive search is explained in Search Filter Syntax.

To find in one search (recursively) all the groups that "user1" is a member of:

  • Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
  • Set the scope to subtree
  • Use the following filter: (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

explicited using LDIFDE.EXE the command line tool included in Windows Server it gives:

ldifde -f user1Grps.ldf -d "dc=societe,dc=local" -r "(member:1.2.840.113556.1.4.1941:=cn=user1,ou=Monou,dc=societe,dc=local)"

If you are running that on a W2K8 or W2K8 R2 server be careful to run as administrator.

If you are programming in C# you can use:

/* Retreiving a principal context
 */
Console.WriteLine("Retreiving a principal context");
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD");


/* Look for all the groups a user belongs to
 */
UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
PrincipalSearchResult<Principal> a =  aUser.GetAuthorizationGroups();

foreach (GroupPrincipal gTmp in a)
{
  Console.WriteLine(gTmp.Name);    
}
Stuart P. Bentley
  • 10,195
  • 10
  • 55
  • 84
JPBlanc
  • 70,406
  • 17
  • 130
  • 175