
Using ActiveDirectory and ldap3 from Python, I am trying to retrieve a list of group members. Realizing that this is a common question, I tried many of the solutions posted here and on Google.

Here's my situation:

Directory setup:

[screenshot: directory setup]

Using ldap3, this code correctly returns a list of users:

from ldap3 import Server, Connection, ObjectDef, Reader, SAFE_SYNC

server = Server('ricktestad2.mydomain.org')
conn = Connection(server, 'Admin', 'xxxxxx', client_strategy=SAFE_SYNC, auto_bind=True)
# abstraction layer: read every person/organizationalPerson/user entry under the Users OU
obj_person = ObjectDef(['person', 'organizationalPerson', 'user'], conn)
r = Reader(conn, obj_person, 'OU=Users,OU=ricktestad2,DC=ricktestad2,DC=mydomain,DC=org')
r.search()

Using this code to retrieve the members of group 'rds.eval.mda.admin' returns 0 entries:

from ldap3 import Server, Connection, SAFE_SYNC

server = Server('ricktestad2.mydomain.org')
# search base (a DN, despite the variable name)
cn2 = 'OU=Users,OU=ricktestad2,DC=ricktestad2,DC=mydomain,DC=org'
conn2 = Connection(server, 'Admin', 'xxxxxx', client_strategy=SAFE_SYNC, auto_bind=True)
# with SAFE_SYNC the operation returns a (status, result, response, request) tuple
conn2.search(
    search_base=cn2,
    search_filter='(&(objectCategory=group)(CN=rds.eval.mda.admin))',
    search_scope='SUBTREE',
    attributes=['member'])

I've tried countless permutations of the cn and filter with no success.

Any suggestions?


1 Answer


Solution 1: memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:

(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))

If you don't yet have the distinguished name, you can search for it with:

(&(objectCategory=group)(cn=myCustomGroup))

Solution 2:

For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with fewer than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.

For more reference, check link1 and link2.

Solution 3: Example using a modern ldapsearch command line tool:

ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
   --sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
   --bindPasswordFile ~/.pwdFile \
  '(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com

This search response indicates that there are several members of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.

  • Your second example under solution 1 is exactly how my filter is set up in my question above. I also tried the first example with the same result: no entries were returned. I think my DN is the issue, but I am not sure. – rboarman Aug 12 '21 at 15:55
  • Also, the maximum number of members in a group would be about 50. – rboarman Aug 12 '21 at 15:55
  • Could you please check whether there are any whitespaces inside the query? If there are, remove them. Also make sure you have the right DN, and make sure you are searching from the root of the domain. – ShrutiJoshi-MT Aug 13 '21 at 06:07