
Is there a way to write an LDAP search filter string or base DN syntax to get a user with a matching sAMAccountName property when the target base DN's lowest elements are Group CNs (not actually users/Person objects)? I've never worked with LDAP querying before, so I don't have a great understanding of how to do this.

Have an AD path of Group CNs like...

DC=myorg,DC=local
    OU=datagroups
        OU=zones
            CN=group1
            CN=group2
            ...

...and have two parameters that I have available for matching against a login string:

  • A single base DN (eg. OU=zones,OU=datagroups,DC=myorg,DC=local) that will be accepted as a base arg by a python-ldap.search_s() function.
  • A search filter string to act on that base DN and return a single user/Person with matching sAMAccountName that will be used as the filterstr arg in the python-ldap.search_s() function. The default format is 'sAMAccountName={login}'

Have also tried

base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
search_filter = (&(sAMAccountName={login})(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))

to no avail.

Anyone with more experience know how I can do this? Anything I appear to be misunderstanding about the situation (since again, I don't work w/ LDAP querying very often)?

lampShadesDrifter
  • If you have a default format why are you changing it? `{login}=sAMAccountName` is back to front. Attribute name comes first. – user207421 Apr 07 '21 at 07:40
  • @user207421 It actually is `sAMAccountName={login}` in my code. I did not know it mattered though, thanks. I just wrote it the other way in this post, since again did not know it mattered (edited the post here to reflect). – lampShadesDrifter Apr 07 '21 at 07:45
  • Well it should work as long as you're specifying subtree search and those `memberOf` tests match. – user207421 Apr 07 '21 at 07:48
  • @user207421 Yes, I think you are right. The question post is a bit outdated as I am working on debugging something related that I think may be the underlying issue and will update (and hopefully answer) once that is done. – lampShadesDrifter Apr 07 '21 at 08:32

1 Answer


After learning more about how LDAP queries work from others...

Base DN needs to be where the object you want is found, not the groups. memberOf and sAMAccountName are properties of the user object, so the query you are writing is saying something like...

"search OU=zones,OU=datagroups,DC=myorg,DC=local for any object that has the property sAMAccountName of {login} and the memberOf property of CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local or CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local".

Groups contain a member property that will give you all the user DNs, but they do not usually contain the sAMAccountName in them, so you would need to get all the members of each group and then look up the object properties for each member.

I thus changed my baseDN to be DC=myorg,DC=local to get it to search the whole domain for the objects.

lampShadesDrifter
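The search the answer ends up with (subtree scope from DC=myorg,DC=local, filter on sAMAccountName and memberOf), as an added example that is not part of the original post. It also escapes the login before it is formatted into the filter, since the page's 'sAMAccountName={login}' pattern otherwise lets filter metacharacters in the login string change the query's structure. `SCOPE_SUBTREE`, `escape_filter_value`, `build_user_filter` and `find_user` are names chosen here; the connection object is assumed to expose python-ldap's search_s signature.

```python
# Added example (not from the original post): build the subtree search the
# answer describes, with the login escaped per RFC 4515 so a caller-supplied
# value cannot alter the filter's structure.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))   # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return ''.join(out)


def build_user_filter(login: str, group_dns) -> str:
    """(&(sAMAccountName=<login>)(|(memberOf=<dn>)...)) with every value escaped."""
    login_part = '(sAMAccountName=%s)' % escape_filter_value(login)
    groups = list(group_dns)
    if not groups:
        return login_part
    member_parts = ''.join('(memberOf=%s)' % escape_filter_value(dn) for dn in groups)
    return '(&%s(|%s))' % (login_part, member_parts)


def find_user(conn, base_dn, login, group_dns, attrs=('sAMAccountName', 'memberOf')):
    """Search the subtree under base_dn (the domain root, per the answer, not the
    OU holding the groups) and return the single matching (dn, attrs) entry,
    or None if there is no unique match.  `conn` is assumed to be a connected
    python-ldap LDAPObject, or anything with the same search_s signature."""
    filterstr = build_user_filter(login, group_dns)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, filterstr, list(attrs))
    # AD subtree searches also return referrals as (None, [...]) tuples; drop them.
    entries = [(dn, entry) for dn, entry in results if dn is not None]
    if len(entries) != 1:
        return None
    return entries[0]
```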