
I am pretty new to python and active directory. I used a little bit of ldap3 to search the AD for the members of the group.

  1. Can I somehow check if the current user is in a specific AD group and, if that is the case, execute some more code?

  2. Is there a better way to get the distinguishedName, server connection etc.?

  3. Also I would like to not use any passwords or login information since I just don't want it to be in the code, if that is even possible.

The main problem for me is currently that I don't know and don't understand how to check for membership or if that's even possible.

This is the code I have now:

```python
from ldap3 import Server, Connection, ALL
import ctypes

pw = '*********'  # defined but never used below; the bind further down is anonymous

print()


def get_data(extended_name_format: int):
    # Wraps secur32!GetUserNameExW (Windows only): call once with a NULL buffer
    # to learn the required size, then again to fill the buffer.
    get_user_name_ex = ctypes.windll.secur32.GetUserNameExW
    data = extended_name_format

    size = ctypes.pointer(ctypes.c_ulong(0))
    get_user_name_ex(data, None, size)

    name_buffer = ctypes.create_unicode_buffer(size.contents.value)
    get_user_name_ex(data, name_buffer, size)
    return name_buffer.value


displayName = get_data(3)        # EXTENDED_NAME_FORMAT NameDisplay
distinguishedName = get_data(1)  # EXTENDED_NAME_FORMAT NameFullyQualifiedDN
print(displayName)
print(distinguishedName)
print()

server = Server('**dom1.***.***', get_info=ALL)
conn = Connection(server, auto_bind=True)  # no user/password given, so this is an anonymous bind
print(conn)

# paged_search returns a generator of result dicts, each with a 'dn' and an 'attributes' key
entries = conn.extend.standard.paged_search('CN=***,OU=***,OU=***,OU=***,DC=***,DC=***', '(member=*)', attributes=['member'], paged_size=5)
for entry in entries:
    print(entry)  # this loop also exhausts the generator, so nothing is left to compare below

# This is the comparison the question is about: a string is compared to the
# search result object itself, so it can never be equal.
if distinguishedName == entries:
    print('yay')
else:
    print('nope')
```
TimeLost
  • I think this question is well-presented, but you need to show some work about what you've _done_ to receive actionable help. Were you confused about `ldap3` documentation? Did you get an error message? etc. – Maximilian Burszley Feb 27 '23 at 14:41
  • I don't really get an error message, the code works like it is, but I do not know how to check for membership and I just don't find anything useful anywhere. @MaximilianBurszley – TimeLost Feb 27 '23 at 14:49

1 Answer

The member attribute of a group contains the "distinguished name" of each member. That is a format that looks like CN=SomeUser,OU=Users,DC=example,DC=com.

You're already using GetUserNameExW to get the username. You can use that to get the distinguished name by passing a value of 1 for the NameFormat parameter, which corresponds to NameFullyQualifiedDN.

Gabriel Luci
  • I think I already do that. My value `adPath` is the distinguished name of the user. Can I just do some sort of: `if adPath == entry:` – TimeLost Feb 28 '23 at 06:36
  • Yes, that should work. – Gabriel Luci Feb 28 '23 at 12:20
  • I did this but that did not work: `if distinguishedName == entries: print('yay') else: print('nope')` and when I swap `entries` with `entry` it still always gives out "nope" even though it should be correct since I have that role. And my code doesn't really work if I delete the login information for the server; that's another thing I try to do because I just don't want to have my password somewhere in the code. – TimeLost Feb 28 '23 at 12:46
  • `distinguishedName == entries` will always be false because you're comparing a string to an array. You need to check if the array contains the string. Just search Google and I'm sure you can find an example of that. – Gabriel Luci Feb 28 '23 at 16:03
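The answer above says to check whether the group's `member` values contain the user's DN. The following is an added example (not code from the question or the answer) that does this over result dicts shaped like those `ldap3`'s `paged_search` yields, and also builds the LDAP filter for the other direction (ask the directory which groups list the user as a member, optionally following nested groups with the AD `LDAP_MATCHING_RULE_IN_CHAIN` rule). It deliberately does not import `ldap3`; the entries, DNs and group names are constructed sample data so the check runs offline, and the `is_direct_member` / `membership_filter` names are my own.

```python
import re
from typing import Iterable, List, Mapping

# Constructed sample: the kind of dicts ldap3's paged_search yields for a
# base-scoped search on a group with attributes=['member']. The second item
# mimics a referral, which paged_search can also yield and which must be skipped.
SAMPLE_ENTRIES = [
    {
        "type": "searchResEntry",
        "dn": "CN=App Admins,OU=Groups,DC=example,DC=com",
        "attributes": {
            "member": [
                "CN=Alice Example,OU=Users,DC=example,DC=com",
                "CN=Bob Example,OU=Users,DC=example,DC=com",
            ]
        },
    },
    {"type": "searchResRef", "uri": ["ldap://child.example.com/DC=child,DC=example,DC=com"]},
]

# AD extensible-match rule that walks nested group membership (real OID).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: DNs are case-insensitive and
    whitespace around the separating commas is not significant.
    Splits only on unescaped commas so values like 'Smith\\, John' survive."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).casefold()


def group_members(entries: Iterable[Mapping]) -> List[str]:
    """Collect every 'member' DN from search result dicts, skipping referrals
    and tolerating a single-valued attribute returned as a plain string."""
    members: List[str] = []
    for entry in entries:
        if entry.get("type") != "searchResEntry":
            continue
        member = entry.get("attributes", {}).get("member", [])
        if isinstance(member, str):
            member = [member]
        members.extend(member)
    return members


def is_direct_member(entries: Iterable[Mapping], user_dn: str) -> bool:
    """True if user_dn appears directly in the group's member list.
    Nested membership (user in group B, B in group A) is NOT detected here;
    use membership_filter(..., nested=True) on the server side for that."""
    target = normalize_dn(user_dn)
    return any(normalize_dn(m) == target for m in group_members(entries))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value placed inside an LDAP filter.
    Without this a DN containing '(' ')' '*' or '\\' would change the filter's
    meaning; commas are not special in filters and are left alone."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def membership_filter(user_dn: str, nested: bool = False) -> str:
    """Filter that matches groups listing user_dn as a member. With nested=True
    the AD in-chain rule makes the server expand nested groups itself."""
    attr = f"member:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "member"
    return f"(&(objectClass=group)({attr}={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    me = "cn=alice example, ou=users, dc=example, dc=com"  # constructed, different case/spacing
    print("direct member:", is_direct_member(SAMPLE_ENTRIES, me))
    print("filter:", membership_filter(me, nested=True))
```

The membership check consumes the entries once, so do not `print` them in a loop first and then compare; pass the generator (or a list made from it) to `is_direct_member`. For the "no password in the script" part of the question: an `ldap3` `Connection` with no credentials is an anonymous bind, which Active Directory normally refuses for reads; `ldap3` also supports SASL/GSSAPI (Kerberos) binds, which use the logged-on Windows user's ticket instead of a stored password, and a service account's secret, if one is needed, belongs in a credential store rather than in the source.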