ldapquery an Active Directory server for users that belong to a group named X


Unfortunately not. The common name of an LDAP object isn't globally unique; it's only unique relative to its parent OU. So, if you could ask if a user was a member of a group, based on a CN of a group, you could potentially get multiple results.

It's for this reason that the memberOf attribute of a user object is a list of DNs (distinguished names, or full X.500 paths).
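As an added illustration of this answer (example code written here, not the answer author's): because memberOf carries full DNs, matching a group by its common name has to be done client-side by parsing the leftmost RDN of each DN, and the match can legitimately return more than one group. The LDIF below is constructed in the shape of the question's ldapsearch output, with a second "Group1" in another OU to show the ambiguity.

```python
import re

# Constructed LDIF in the shape of the question's ldapsearch output (not a real
# capture). Two groups share the CN "Group1"; one CN contains an escaped comma.
SAMPLE_LDIF = r"""
dn: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
objectClass: person
cn: TestUser Surname
sAMAccountName: testuser
memberOf: CN=Group1,OU=Area,OU=Users,DC=example,DC=com
memberOf: CN=Gropu2,OU=Users,DC=example,DC=com
memberOf: CN=Group1,OU=Contractors,DC=example,DC=com
memberOf: CN=Sales\, EMEA,OU=Users,DC=example,DC=com
"""

def parse_ldif_entries(text):
    """Minimal LDIF parser: returns a list of {attribute: [values]} dicts.
    Handles folded lines (leading space) and blank-line separated entries."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def first_rdn_value(dn):
    """(attribute, value) of the leftmost RDN, unescaping RFC 4514 backslash
    escapes such as '\\,'. Multi-valued RDNs (a+b=...) are not handled."""
    m = re.match(r"\s*([^=]+)=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return m.group(1).strip(), re.sub(r"\\(.)", r"\1", m.group(2))

def groups_named(entry, group_cn):
    """memberOf DNs whose leftmost RDN is cn=<group_cn> (case-insensitive).
    More than one hit means the bare CN does not identify the group."""
    hits = []
    for dn in entry.get("memberOf", []):
        attr, value = first_rdn_value(dn)
        if attr.lower() == "cn" and value.lower() == group_cn.lower():
            hits.append(dn)
    return hits
```

Feeding the real ldapsearch output (with -LLL, as in the question) into parse_ldif_entries gives the same structure, so a caller can decide what to do when groups_named returns several DNs rather than silently picking one.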


Author: Yanko Hernández Álvarez

Updated on September 18, 2022

Comments

  • Yanko Hernández Álvarez over 1 year

    When I do this at the bash prompt on a CentOS 6.4

    ldapsearch -LLL -H ldap://adserver.example.com -x -D [email protected] -w somepass -b 'OU=Users,DC=example,DC=com' '(&(objectClass=person)(sAMAccountName=testuser))'

    I get

    dn: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
    ...
    objectClass: person
    ...
    cn: TestUser Surname
    sn: Surname
    ...
    distinguishedName: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
    ...
    memberOf: CN=Group1,OU=Area,OU=Users,DC=example,DC=com
    memberOf: CN=Gropu2,OU=Users,DC=example,DC=com
    ...
    sAMAccountName: testuser

    I want to get a response only if testuser belongs to a group named X, irrespective of where group X is located in the AD hierarchy. For instance: I want the data of a user called testuser that is a member of a group named Group1.

    I have tried changing the filters to:

    1. (&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1*))
    2. (&(objectClass=person)(sAMAccountName=testuser)(memberOf=*Group1*))

    to no avail.

    You can see from the output above, testuser belongs to the groups

    1. CN=Group1,OU=Area,OU=Users,DC=example,DC=com
    2. CN=Gropu2,OU=Users,DC=example,DC=com.

    When I use the filter '(&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1,OU=Area,OU=Users,DC=example,DC=com))' it works, but I need a query with the group name only (not using the full "path").

    Is there any way to do it?

    I'm trying to do this because I need to use Active Directory defined groups as squid (the linux proxy) ACLs. To do that, I need to define an external ACL type such as

    external_acl_type ADGroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "OU=Users,DC=example,DC=com" -D [email protected] -w somepass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=CN=%g,OU=Users,DC=example,DC=com))" -h adserver.example.com

    and then use the type to define ACLs such as this

    acl ADGroup_Group1 external ADGroup Group1
    acl ADGroup_Group2 external ADGroup Group2
    ...
    http_access allow ADGroup_Group1;
    http_access deny ADGroup_Group2;

    When squid is checking this "allow", it will substitute %u with the user login name and %g with the group name defined in the ACL (Group1,Group2) and then make the LDAP query above.

    As you can see from above "http_access allow ADGroup_Group1;" will work as intended, but "http_access deny ADGroup_Group2;" won't work, because of the parent OU of Group1 and Group2 being different.

    So I have 3 alternatives:

    1. Find a filter that works for any group name, irrespective of path (this question)
    2. Move (potentially) ALL AD Groups to the same OU (ugh... to move an object to a different OU WILL bring me more work as then I have to readjust GPOs -or at least to check already defined GPOs for any change this kind of move can bring)
    3. Define (potentially) an external_acl_type for every OU with Groups. (In this case, I will have N external processes just to check a change of path in the LDAP filter)
    • kralyk almost 11 years
      just out of curiosity, why not use the full path? Why would the Group1 object move around in AD?
  • jscott almost 11 years
  • Yanko Hernández Álvarez almost 11 years
    Well in that case, I want what an ldap query does when there are many records that match the filter, to return the info of every one of them. Besides, in the case of "normal" AD LDAP, this query is guaranteed to give only one result (you can't have two groups with the same name, AD won't let you, even when LDAP does).
  • Simon Catlin almost 11 years
    To expand on Yanko's note... AD does support multiple groups with the same common name (the names used by Windows 2000 Server and above tools). However, pre-Windows 2000 tools, such as NET GROUP, rely on the legacy sAMAccountName AD attribute that has to be globally unique. So, you can create a group called MY_GROUP in an OU called THIS_OU, and it'll assume a sAMAccountName of MY_GROUP. You can then create a second group called MY_GROUP in an OU called THAT_OU, but its sAMAccountName can't be MY_GROUP. You can assign it a sAMAccountName of whatever you like.