I am trying to use the ldapjs node library to search for a user inside a group, but this doesn't seem to be working. This is the LDAP property:

{
  "dn": "CN=TOM H,OU=GLO_Users,OU=GLOBAL,OU=SITES,OU=Engineering,DC=example,DC=com",
  "controls": [
    
  ],
  "sAMAccountName": "toma",
  "objectClass": [
    "top",
    "person",
    "organizationalPerson",
    "user"
  ],
  "cn": "TOM H",
  "sn": "H",
  "memberOf": [
    "CN=g.some_group,OU=Distribution Groups,OU=Groups,OU=Corp,OU=Common,DC=example,DC=com"
  ]
....
....

I am trying to search for a user whose sAMAccountName is "toma" and who is memberOf the group "g.some_group".

I have written this query for this purpose:

const ldap = require('ldapjs');

const opts = {
   // only the CN part of the group is used here (this is the filter that does not match)
   filter: '(&(sAMAccountName=toma)(memberOf=CN=g.some_group))',
   scope: 'sub'
};

// createClient takes an options object, not a bare url: argument
const client = ldap.createClient({ url: 'some_ldap_server' });

client.bind(...);

client.search("DC=example,DC=com", opts, (err, res) => {
   if (err) throw err;
   // the event is named 'searchEntry'; one event per matching entry
   res.on('searchEntry', (entry: any) => {
      console.log("entry " + JSON.stringify(entry.object));
   });
   res.on('end', function(result: any) {
      console.log('status: ' + result);
   });
});

This doesn't return any result. It just prints:

status: {"messageID":2,"protocolOp":"LDAPResult","status":0,"matchedDN":"","errorMessage":"","referrals":[],"controls":[]}

It seems there is some mistake in my query:

const opts = {
   filter: '(&(sAMAccountName=toma)(memberOf=CN=g.some_group))',
   scope: 'sub'
};

Can anyone please help me here?


1 Answer

You'll notice in the output of the object, the memberOf attribute contains the entire distinguished name (DN) of the group. That's what you need to include in the query. You're only including the CN portion in your query, which is why it isn't matching.

const opts = {
   filter: '(&(sAMAccountName=toma)(memberOf=CN=g.some_group,OU=Distribution Groups,OU=Groups,OU=Corp,OU=Common,DC=example,DC=com))',
   scope: 'sub'
};
Gabriel Luci
  • Quick question... can it support regular expression? – undefined Jul 30 '20 at 12:32
  • No, not regular expressions. For most attributes, you can use `*` as a wildcard on the beginning or end, but not on attributes like `memberOf`, `member`, `manager`, etc. that have a distinguished name. Those can only be `=*` to indicate "has a value", or the full distinguished name. – Gabriel Luci Jul 30 '20 at 13:07
  • @GabrielLuci - are you willing to entertain any offer for an Active Directory job in the U.S., by any chance? :-) – T-Heron Sep 29 '21 at 16:13
  • @T-Heron I'm flattered! :) But I'm really not in a position to change jobs at the moment. – Gabriel Luci Sep 29 '21 at 18:52
  • @GabrielLuci - no worries. Will check back in again in the future. :-) – T-Heron Sep 30 '21 at 01:26
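The following is an added example, not code from the question or the answer above, that shows both points made in this thread offline: the memberOf assertion must carry the group's full distinguished name (the answer), and DN-valued attributes such as memberOf accept only a full DN or the presence test `=*`, never a partial wildcard (the comment). It builds the filter string the way ldapjs expects it, escaping the assertion values per RFC 4515 so a user-supplied account name cannot change the filter's structure, and evaluates filter strings against an entry constructed from the attribute dump in the question. The entry object, the `DN_VALUED` attribute list and the function names are assumptions for this example; the evaluator supports only the `(&(attr=value)...)` shape used here and is not a replacement for the directory server's own matching rules.

```javascript
// Added example, not from the original post. Builds and checks LDAP search
// filters offline; the evaluator only handles (&(attr=value)...) filters.

// Constructed from the attribute dump in the question (not a live entry).
const SAMPLE_ENTRY = {
  dn: 'CN=TOM H,OU=GLO_Users,OU=GLOBAL,OU=SITES,OU=Engineering,DC=example,DC=com',
  sAMAccountName: 'toma',
  objectClass: ['top', 'person', 'organizationalPerson', 'user'],
  cn: 'TOM H',
  sn: 'H',
  memberOf: ['CN=g.some_group,OU=Distribution Groups,OU=Groups,OU=Corp,OU=Common,DC=example,DC=com'],
};

// Attributes with DN syntax (assumed list): exact DN or presence test only.
const DN_VALUED = new Set(['memberof', 'member', 'manager', 'distinguishedname']);

// RFC 4515 section 3: escape characters that are special inside a filter
// assertion value, so user input cannot open or close filter components.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    return '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// The filter recommended in the answer: groupDn must be the full DN of the
// group because memberOf is DN-valued and a bare CN never matches.
function buildUserInGroupFilter(sAMAccountName, groupDn) {
  return '(&(sAMAccountName=' + escapeFilterValue(sAMAccountName) +
         ')(memberOf=' + escapeFilterValue(groupDn) + '))';
}

// Parse (&(attr=value)(attr=value)...) into a list of equality assertions.
function parseAndFilter(filter) {
  const m = /^\(&((?:\([^()]*\))+)\)$/.exec(filter);
  if (!m) throw new Error('only (&(attr=value)...) filters are supported here');
  const assertions = [];
  const re = /\(([^=()]+)=([^()]*)\)/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    assertions.push({ attr: a[1].toLowerCase(), value: unescapeFilterValue(a[2]) });
  }
  return assertions;
}

// Match one assertion value against one stored value, case-insensitively.
// DN-valued attributes get exact matching only; others allow a leading or
// trailing '*' wildcard, as described in the comment above.
function valueMatches(attr, pattern, actual) {
  const p = pattern.toLowerCase();
  const v = actual.toLowerCase();
  if (p === '*') return true;                       // presence test (attr=*)
  if (DN_VALUED.has(attr)) return v === p;          // DN syntax: full DN only
  if (p.startsWith('*') && p.endsWith('*')) return v.includes(p.slice(1, -1));
  if (p.startsWith('*')) return v.endsWith(p.slice(1));
  if (p.endsWith('*')) return v.startsWith(p.slice(0, -1));
  return v === p;
}

// True when every assertion of the AND filter matches some value of the entry.
function entryMatches(entry, filter) {
  const byLower = {};
  for (const [k, v] of Object.entries(entry)) {
    byLower[k.toLowerCase()] = Array.isArray(v) ? v : [v];
  }
  return parseAndFilter(filter).every(({ attr, value }) => {
    const values = byLower[attr] || [];
    return values.some((actual) => valueMatches(attr, value, actual));
  });
}

const GROUP_DN = SAMPLE_ENTRY.memberOf[0];
const questionFilter = '(&(sAMAccountName=toma)(memberOf=CN=g.some_group))';
const answerFilter = buildUserInGroupFilter('toma', GROUP_DN);

console.log(questionFilter, '->', entryMatches(SAMPLE_ENTRY, questionFilter)); // false
console.log(answerFilter, '->', entryMatches(SAMPLE_ENTRY, answerFilter));     // true
console.log('escaped:', buildUserInGroupFilter('toma)(cn=*', GROUP_DN));
```

Passing `GROUP_DN` through `escapeFilterValue` is harmless for a normal DN and is what keeps an account name like `toma)(cn=*` from becoming a second filter component; if a group's CN itself contains parentheses or a backslash, the escaping is what makes the full-DN match work at all.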