Does this LDAP filter work? - windows

I want to query LDAP for all users in a specific OU (call it OU = Anberlin)
This is my current approach:
(&(objectCategory=person)(objectClass=user)(memberOf=OU=Anberlin, DC=Domain, DC=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
That should get all the enabled users in that OU right?

No, it won't. The memberOf attribute stores the list of groups the object is a member of.
All LDAP searches have a base DN value that you can pass as well as the query. Usually it's the whole domain, but if you set the base DN to your OU, then you will only get results from that OU.
So this is what you'd use for your search:
Base DN: OU=Anberlin,DC=Domain,DC=local
Query: (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
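To make the answer's point concrete, here is an added example (not code from the question or answer) that simulates the search offline: a base DN that restricts results to one OU, the three search scopes, and the enabled-user filter, including the bitwise-AND matching rule `1.2.840.113556.1.4.803` applied to `userAccountControl`. The directory entries are constructed for this example, and objectCategory is shortened to the class name, which is the form AD accepts in a filter.

```python
# Added example (not from the page): simulate the answer's search, a base DN that
# limits results to one OU, a search scope, and the enabled-user filter, over a
# constructed in-memory directory so the scoping behaviour can be checked offline.

ACCOUNTDISABLE = 0x2  # the bit the 1.2.840.113556.1.4.803 (bitwise AND) rule tests

# The filter from the answer. LDAP filter syntax (RFC 4515) allows no whitespace
# between '(' and the operator, so there is no space before '!'.
ENABLED_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample entries (names and values invented for this example).
ENTRIES = [
    {"dn": "CN=Alice,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},          # NORMAL_ACCOUNT
    {"dn": "CN=Bob,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 514},          # 512 | ACCOUNTDISABLE
    {"dn": "CN=Carol,OU=Sales,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 66048},        # DONT_EXPIRE_PASSWORD | 512
    {"dn": "CN=Dave,OU=Other,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},
    {"dn": "CN=Helpdesk,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "group",
     "objectClass": ["top", "group"]},
]


def dn_components(dn):
    """Split a DN into normalised RDNs: 'OU=Anberlin, DC=Domain' -> ['ou=anberlin', 'dc=domain'].
    Comparison is case-insensitive, as AD compares DNs. Escaped commas inside a
    value ('\\,') are not handled; this is enough for the constructed data."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Apply an LDAP search scope relative to the base DN."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # the entry does not sit under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: " + scope)


def matches_enabled_user(entry):
    """Evaluate ENABLED_USERS_FILTER against one entry."""
    if entry.get("objectCategory", "").lower() != "person":
        return False
    if "user" not in [c.lower() for c in entry.get("objectClass", [])]:
        return False
    # ':1.2.840.113556.1.4.803:=2' is true when (userAccountControl & 2) == 2,
    # so the enclosing '!' keeps only entries with the disable bit clear.
    return (entry.get("userAccountControl", 0) & ACCOUNTDISABLE) == 0


def search(base_dn, scope="subtree", predicate=matches_enabled_user, entries=ENTRIES):
    """Return the DNs of entries that are within scope and match the filter."""
    return [e["dn"] for e in entries if in_scope(e["dn"], base_dn, scope) and predicate(e)]


if __name__ == "__main__":
    # The answer's search: base DN set to the OU, subtree scope, enabled users only.
    for dn in search("OU=Anberlin,DC=Domain,DC=local"):
        print(dn)
```

Running it lists Alice and Carol: Bob is excluded by the disable bit, Dave sits outside the base DN, and the group entry fails the objectCategory test. Switching the scope to onelevel drops Carol, who lives in a nested OU, which is the difference that matters when an audit is meant to cover the whole OU tree.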

Related

how to check whether any user exists as part of GROUP-FILTER in ldap

Say, I want to retrieve some users and I have provided both user_filter & group_filter to filter out the specific users that I need.
user_filter = (&(cn=ab*)(sn=cd*))
group_filter = (|(cn=gh*)(cn=kl*))
I know how to write individual queries for user & group. How can I combine the above filters to write a single query such that I get the users whose common name starts with 'ab' and surname starts with 'cd' and they either belong to groups which start with 'gh' or 'kl'?
It depends how you have membership defined. If you have membership on the groups, eg. group1 has member attribute for user1, this combined query is not possible. If you have groups defined on the user, eg. user1 has memberOf attribute for group1, then you may do something like
(&(objectclass=user)(cn=ab*)(sn=cd*)(|(memberof=cn=gh*)(memberof=cn=kl*)))

LDAP: Get groups of a member

I need to get all groups a member is assigned to via LDAP.
As filter I tried:
(&(objectClass=groupOfNames)(uniqueMember=uid=myUserName,ou=service,o=company,c=DE))
Unfortunately this doesn't work. Any ideas? Thank you.
uniqueMember is not an attribute of the objectClass groupOfNames, it's the attribute for objectClass groupOfUniqueNames.
member is the attribute for groupOfNames.
This said, several LDAP directory services do provide an operational attribute that lists all the groups a user is a member of, directly from the user entry.
In MS AD, it's the memberOf attribute. In OpenDJ and Sun Directory, it's the isMemberOf attribute.
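The following added example (not code from either question or answer) ties together this answer and the earlier one about combining a user filter with a group filter. It picks the membership attribute from the group's objectClass (`member` for groupOfNames, `uniqueMember` for groupOfUniqueNames), computes the groups of a user from the group side, which is what `memberOf` or `isMemberOf` would hand back directly on directories that maintain it, and then does the two-step user-plus-group selection that works when membership is stored only on the group entries. The directory data is constructed; names, DNs and the `MEMBER_ATTRIBUTE` table are this example's own. Doing the group step first also avoids relying on substring matching against a DN-syntax attribute such as memberOf, which AD does not support.

```python
# Added example (not from the page): resolve group membership from the group side,
# choosing the membership attribute by objectClass, then combine a user filter with a
# group filter in two steps. All data below is constructed for this example.

import fnmatch

# Which attribute holds the member DNs depends on the group's objectClass.
MEMBER_ATTRIBUTE = {
    "groupofnames": "member",              # RFC 4519
    "groupofuniquenames": "uniquemember",  # RFC 4519
    "group": "member",                     # Active Directory
}

GROUPS = [
    {"dn": "cn=ghosts,ou=groups,o=company,c=DE", "cn": "ghosts", "objectClass": ["groupOfNames"],
     "member": ["uid=abel,ou=service,o=company,c=DE", "uid=abby,ou=service,o=company,c=DE"]},
    {"dn": "cn=klaxons,ou=groups,o=company,c=DE", "cn": "klaxons", "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=abel,ou=service,o=company,c=DE"]},
    {"dn": "cn=ops,ou=groups,o=company,c=DE", "cn": "ops", "objectClass": ["groupOfNames"],
     "member": ["uid=abram,ou=service,o=company,c=DE"]},
]
USERS = [
    {"dn": "uid=abel,ou=service,o=company,c=DE", "cn": "abel", "sn": "cdx"},
    {"dn": "uid=abby,ou=service,o=company,c=DE", "cn": "abby", "sn": "zz"},
    {"dn": "uid=abram,ou=service,o=company,c=DE", "cn": "abram", "sn": "cdy"},
]


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def members_of(group, attribute=None):
    """Member DNs of a group. Without an explicit attribute the right one is chosen
    from objectClass; asking a groupOfNames for uniqueMember (the question's filter)
    simply yields nothing, which is why that search returned no results."""
    if attribute is None:
        classes = [c.lower() for c in group["objectClass"]]
        attribute = next(MEMBER_ATTRIBUTE[c] for c in classes if c in MEMBER_ATTRIBUTE)
    value_lists = [v for k, v in group.items() if k.lower() == attribute.lower()]
    return {normalize_dn(dn) for dns in value_lists for dn in dns}


def groups_of(user_dn, groups=GROUPS):
    """Groups a user belongs to, computed from the group entries."""
    target = normalize_dn(user_dn)
    return [g["dn"] for g in groups if target in members_of(g)]


def matches(entry, attribute, pattern):
    """Case-insensitive match in the style of an LDAP substring assertion such as (cn=ab*)."""
    return fnmatch.fnmatchcase(str(entry.get(attribute, "")).lower(), pattern.lower())


def users_in_filtered_groups(user_cn, user_sn, group_cn_patterns, users=USERS, groups=GROUPS):
    """Two-step equivalent of (&(cn=ab*)(sn=cd*)) combined with (|(cn=gh*)(cn=kl*))
    when membership lives on the group entries:
      1. collect the members of every group whose cn matches one of the patterns,
      2. keep the users matching the user filter whose DN is in that set."""
    wanted = set()
    for g in groups:
        if any(matches(g, "cn", p) for p in group_cn_patterns):
            wanted |= members_of(g)
    return [u["dn"] for u in users
            if matches(u, "cn", user_cn) and matches(u, "sn", user_sn)
            and normalize_dn(u["dn"]) in wanted]


if __name__ == "__main__":
    print(groups_of("uid=abel,ou=service,o=company,c=DE"))
    print(users_in_filtered_groups("ab*", "cd*", ["gh*", "kl*"]))
```

Against a real server the two steps become two searches: one for the groups (requesting only the membership attribute), then one for the users with the member DNs compared client-side or turned into an `(|(distinguishedName=...)...)` filter. On AD, requesting `memberOf` from the user entry collapses this to one search, with the usual caveat that memberOf does not show primary-group membership.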

Active Directory : How to get Group information that belongs to another domain?

I have a User1 in Domain1 which belongs to a group Group1.
Group1 belongs to a different domain Domain2.
Using the memberof attribute, I can easily see that User1 belongs to Group1. But memberof only gives me the values of the OU and the domains to which the group belongs.
e.g.
CN=Groupname,OU=ou1,DC=Domain1,DC=Domain2,DC=com
Does Domain1 store other information of Group1?
If yes how can I get sid or guid or any other information of the Group1 without connecting to Domain2?
Edit:
Both the domains are in trust relationship.
You can also get the SID and GUID by the "Extended DN" LDAP extended control.
Please check:
How to get AD user's 'memberof' property value in terms of objectGUID?

LDAP filter - List all the users in a specific OU

I need to display all the users in a specific OU.
I used the below filter, but it doesn't work.
(&(objectCategory=user)(ou=_Dorset,dc=andy,dc=com))
Thanks in advance.
To display all the entries subordinate to ou=_dorset, transmit a search request to the server with the following parameters:
base object: ou=_Dorset,dc=andy,dc=com
search scope: subtree
filter: (objectCategory=user)
the list of attributes to retrieve

retrieving multi-valued DN attributes using ActiveLdap

Some users in my LDAP Directory have several uids assigned as such:
dn: uid=user1,ou=People,o=org
uid: user1
uid: nick1
dn: uid=user2,ou=People,o=org
uid: user2
uid: nick2
While trying to get uid for these users using ActiveLdap (like User.uid) I only get the first uid attr as it is DN attribute.
Is it possible with ActiveLdap to get both of them?
I just ran into this a couple weeks ago:
Query all the users in a system with LDAP
It is not an ActiveLDAP issue per se.
Here is the thing, and I will hopefully save you some time. With your LDAP schema, as is, what you have is a unique dn for every user. So, in effect, if you have 100,000 users, you have 100,000 folders, each identified at the top level as unique by id. If your schema was set up like this:
dn: category=active,ou=People,o=org
uid: uid1
uid: nick1
then you could query all the active users for overlapping uid because the filter would filter down to active users and select from that the users with uid attributes of x.
As it is, you can only get at the top level dn, so each filter will filter one user, so it's useless. What I did is actually query my flatfile backup of the LDAP database and extracted information that way. I used basic Ruby and just split records on newlines, and made a big array, if I remember correctly. We had about 130,000 records and I was able to get my query in about 2 seconds from the flat file.
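The answer's flat-file approach, as an added example (not the answer's own Ruby, and written in Python rather than ActiveLdap): a minimal LDIF reader that keeps every value of a multi-valued attribute, so both `uid` values survive instead of only the one in the RDN, plus a lookup that finds a user by any of their uids. The LDIF text is constructed after the question's two entries; the second uid of user2 is base64-encoded (`::`) to show that case being handled.

```python
# Added example (not from the page): a minimal LDIF reader that keeps every value of a
# multi-valued attribute, then looks users up by any of their uids. The LDIF text is
# constructed for this example.

import base64

SAMPLE_LDIF = """\
# constructed sample, modelled on the question's entries
dn: uid=user1,ou=People,o=org
objectClass: inetOrgPerson
uid: user1
uid: nick1
cn: User One

dn: uid=user2,ou=People,o=org
objectClass: inetOrgPerson
uid: user2
uid:: bmljazI=
cn: User
  Two
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of {attribute: [values]} dicts.
    Handles folded lines (continuation lines start with one space), base64 values
    ('::') and comments. Change records (changetype:) and URL values ('<') are not
    handled; a backup dump of content records does not need them."""
    # Unfold continuation lines first, so each logical attribute is one line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends the current record
            if current:
                entries.append(current)
                current = None
            continue
        if current is None:
            current = {}
        name, _, value = line.partition(":")
        if value.startswith(":"):     # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        # Every value is appended, so multi-valued attributes keep all their values.
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def uids_of(entry):
    """All uid values of an entry, not just the one used in the RDN."""
    return entry.get("uid", [])


def build_uid_index(entries):
    """Map every uid (lower-cased) to the DNs carrying it, for constant-time lookups
    instead of re-scanning the whole dump per query."""
    index = {}
    for e in entries:
        for uid in uids_of(e):
            index.setdefault(uid.lower(), []).append(e["dn"][0])
    return index


def find_by_uid(entries, uid):
    """DNs of the entries that carry the given uid as any of their values."""
    return build_uid_index(entries).get(uid.lower(), [])


if __name__ == "__main__":
    records = parse_ldif(SAMPLE_LDIF)
    for r in records:
        print(r["dn"][0], "->", uids_of(r))
    print(find_by_uid(records, "nick2"))
```

For a dump the size the answer mentions, building the index once and then answering many lookups from it is the part that matters; the per-query two-second scan comes from re-reading the file each time.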