ldapquery an Active Directory server for users that belong to a group named X
Unfortunately not. The common name of an LDAP object isn't globally unique; it's only unique relative to its parent OU. So, if you could ask if a user was a member of a group, based on a CN of a group, you could potentially get multiple results.
It's for this reason that the memberOf attribute of a user object is a list of DNs (distinguished names, or full X.500 paths).
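The answer's point is that memberOf holds whole distinguished names, so a filter can only ever match a complete DN, never the bare CN inside it. The following is an added example, not code from the answer or the question: it takes the memberOf values a search returns (constructed here from the output quoted in the question, plus one CN with an RFC 4514 escaped comma) and does the bare-name match client-side by parsing each DN's leftmost RDN. The function names are mine.

```python
"""Match a user's memberOf values against a bare group name, client-side.

Added example, not code from the original answer. An LDAP filter cannot do
this: memberOf has DN syntax, and the server matches DN-syntax attributes
only as whole values, never by substring or wildcard. So the bare-name
match has to happen after the search, by parsing each DN and reading the
CN of its leftmost RDN.
"""

import string

# Constructed sample, modelled on the ldapsearch output quoted in the question,
# plus one CN with an escaped comma to show why naive splitting on "," is unsafe.
SAMPLE_MEMBER_OF = [
    "CN=Group1,OU=Area,OU=Users,DC=example,DC=com",
    "CN=Gropu2,OU=Users,DC=example,DC=com",
    r"CN=Sales\, EMEA,OU=Groups,DC=example,DC=com",
]


def _split_first_rdn(dn: str) -> tuple[str, str]:
    """Split dn at the first comma that is not part of a backslash escape."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character (or the first digit of a \XX hex pair)
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def _unescape(value: str) -> str:
    """Undo RFC 4514 escapes: backslash-char pairs and backslash-XX hex-encoded UTF-8 bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                out += bytes.fromhex(pair)  # hex escape, possibly one byte of a multibyte char
                i += 3
                continue
            out += value[i + 1:i + 2].encode("utf-8")  # single escaped character such as \,
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def first_rdn(dn: str) -> tuple[str, str]:
    """Return (attribute type, value) of the leftmost RDN, e.g. ("cn", "Group1")."""
    head, _rest = _split_first_rdn(dn)
    attr, _eq, raw_value = head.partition("=")
    return attr.strip().lower(), _unescape(raw_value.strip())


def member_of_group_named(member_of: list[str], group_name: str) -> list[str]:
    """Return the DNs in member_of whose leading CN equals group_name.

    The comparison is case-insensitive, as Active Directory's own CN matching is.
    This sees direct memberships only: memberOf does not list groups the user
    belongs to through nested group membership.
    """
    wanted = group_name.casefold()
    matches = []
    for dn in member_of:
        attr, value = first_rdn(dn)
        if attr == "cn" and value.casefold() == wanted:
            matches.append(dn)
    return matches
```

Because a CN may legitimately contain an escaped comma, the parser walks the DN character by character rather than calling split(","); the third sample entry exercises exactly that case.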
Yanko Hernández Álvarez
Updated on September 18, 2022
Yanko Hernández Álvarez (over 1 year)
When I do this at the bash prompt on CentOS 6.4
ldapsearch -LLL -H ldap://adserver.example.com -x -D [email protected] -w somepass -b 'OU=Users,DC=example,DC=com' '(&(objectClass=person)(sAMAccountName=testuser))'
I get
dn: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
objectClass: person
...
cn: TestUser Surname
sn: Surname
...
distinguishedName: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
memberOf: CN=Group1,OU=Area,OU=Users,DC=example,DC=com
memberOf: CN=Gropu2,OU=Users,DC=example,DC=com
...
sAMAccountName: testuser
I want to get a response only if testuser belongs to a group named X, irrespective of where group X is located in the AD hierarchy. For instance: I want the data of a user called testuser that is a member of a group named Group1.
I have tried changing the filters to:
- (&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1*))
- (&(objectClass=person)(sAMAccountName=testuser)(memberOf=*Group1*))
to no avail.
You can see from the output above that testuser belongs to the groups
- CN=Group1,OU=Area,OU=Users,DC=example,DC=com
- CN=Gropu2,OU=Users,DC=example,DC=com
When I use the filter '(&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1,OU=Area,OU=Users,DC=example,DC=com))' it works, but I need a query with the group name only (not using the full "path").
Is there any way to do it?
I'm trying to do this because I need to use Active Directory-defined groups as Squid (the Linux proxy) ACLs. To do that, I need to define an external ACL type such as
external_acl_type ADGroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "OU=Users,DC=example,DC=com" -D [email protected] -w somepass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=CN=%g,OU=Users,DC=example,DC=com))" -h adserver.example.com
and then use the type to define ACLs such as this
acl ADGroup_Group1 external ADGroup Group1
acl ADGroup_Group2 external ADGroup Group2
...
http_access allow ADGroup_Group1
http_access deny ADGroup_Group2
When Squid is checking this "allow", it will substitute %u with the user login name and %g with the group name defined in the ACL (Group1, Group2) and then make the LDAP query above.
As you can see from the above, "http_access allow ADGroup_Group1" will work as intended, but "http_access deny ADGroup_Group2" won't, because the parent OUs of Group1 and Group2 are different.
So I have 3 alternatives:
- Find a filter that works for any group name, irrespective of path (this question).
- Move (potentially) ALL AD groups to the same OU (ugh... moving an object to a different OU WILL bring me more work, as I then have to readjust GPOs, or at least check already defined GPOs for any change this kind of move can bring).
- Define (potentially) an external_acl_type for every OU with groups. (In this case, I will have N external processes just to check a change of path in the LDAP filter.)
kralyk (almost 11 years): Just out of curiosity, why not use the full path? Why would the Group1 object move around in AD?
jscott (almost 11 years): ...And LDAP filters on distinguishedName do not support wildcards.
Yanko Hernández Álvarez (almost 11 years): Well, in that case, I want what an LDAP query does when there are many records that match the filter: to return the info of every one of them. Besides, in the case of "normal" AD LDAP, this query is guaranteed to give only one result (you can't have two groups with the same name; AD won't let you, even though LDAP does).
Simon Catlin (almost 11 years): To expand on Yanko's note... AD does support multiple groups with the same common name (the names used by Windows 2000 Server and above tools). However, pre-Windows 2000 tools, such as NET GROUP, rely on the legacy sAMAccountName AD attribute, which has to be globally unique. So, you can create a group called MY_GROUP in an OU called THIS_OU, and it'll assume a sAMAccountName of MY_GROUP. You can then create a second group called MY_GROUP in an OU called THAT_OU, but its sAMAccountName can't be MY_GROUP. You can assign it a sAMAccountName of whatever you like.