I need to get all groups a member is assigned to via LDAP.
As a filter I tried:
(&(objectClass=groupOfNames)(uniqueMember=uid=myUserName,ou=service,o=company,c=DE))
Unfortunately this doesn't work. Any ideas? Thank you.
uniqueMember is not an attribute of the objectClass groupOfNames, it's the attribute for objectClass groupOfUniqueNames.
member is the attribute for groupOfNames.
This said, several LDAP directory services do provide an operational attribute that lists all the groups a user is a member of, directly on the user entry.
In MS AD, it's the memberOf attribute. In OpenDJ and Sun Directory, it's the isMemberOf attribute.
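The two filter shapes from the answer above, as an added example that is not part of the original post: it picks the member attribute from the group's structural class, and it escapes the member DN per RFC 4515 before splicing it into the filter, because a DN containing `(`, `)`, `*` or `\` would otherwise change the filter's structure (LDAP filter injection). The server-type table for the reverse-membership attribute and the `main` sample DN are assumptions for illustration.

```python
# Added example (not from the original post): build the membership filter
# for the right structural class, escaping the member DN per RFC 4515.
from typing import Optional

# Which attribute holds member DNs for each standard group class.
MEMBER_ATTRIBUTE = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
}

# Attribute on the *user* entry that lists its groups; server-specific. The
# OpenDJ/DSEE one is operational, so it must be named explicitly in the
# requested attribute list (a plain "*" does not return it).
MEMBER_OF_ATTRIBUTE = {
    "ad": "memberOf",
    "opendj": "isMemberOf",
    "dsee": "isMemberOf",  # Sun/Oracle Directory Server Enterprise Edition
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515).

    A DN such as  cn=Smith\\, J,ou=x  or a value containing '(' ')' '*' would
    otherwise alter the filter's structure (LDAP filter injection).
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def groups_of_member_filter(member_dn: str, object_class: str = "groupOfNames") -> str:
    """Filter selecting groups of `object_class` that list `member_dn`."""
    try:
        attr = MEMBER_ATTRIBUTE[object_class]
    except KeyError:
        raise ValueError(f"unsupported group class: {object_class}") from None
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(member_dn)}))"


def groups_of_member_filter_any(member_dn: str) -> str:
    """One filter covering both classes, for directories that mix them."""
    esc = escape_filter_value(member_dn)
    return (
        "(|(&(objectClass=groupOfNames)(member=" + esc + "))"
        "(&(objectClass=groupOfUniqueNames)(uniqueMember=" + esc + ")))"
    )


def member_of_attribute(server: str) -> Optional[str]:
    """Name of the reverse-membership attribute for a server type, or None."""
    return MEMBER_OF_ATTRIBUTE.get(server.lower())


if __name__ == "__main__":
    dn = "uid=myUserName,ou=service,o=company,c=DE"  # sample DN from the question
    print(groups_of_member_filter(dn))
    print(groups_of_member_filter(dn, "groupOfUniqueNames"))
    # Constructed DN with an escaped comma, to show the escaping at work.
    print(groups_of_member_filter_any("cn=Smith\\, J,ou=service,o=company,c=DE"))
```

The reverse lookup is cheaper when the server supports it: read the user entry with `memberOf` (AD) or `isMemberOf` (OpenDJ, DSEE) in the requested attribute list and skip the group search entirely.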
In my application the users are split into 2 macro categories: Customer and Backoffice. Every category has a subset of roles, for example MANAGER and USER for the Customer type and different ones for the Backoffice type.
So a user could be a Customer with a MANAGER role or a Backoffice with, for example, a SALES role.
Every Spring + Cognito guide on the web uses cognito:groups to map the Spring ROLE, but for my case I would need to nest groups, which is not possible on Cognito.
I've been thinking to use 2 custom attributes ( writable only by the admin) to set the category and role of the user respectively.
My question is, is there any disadvantage to using attributes instead of the groups?
One major concern is that those custom attributes won't be available as claims in the access token. But groups are available. So if you plan to use the access_token you may have to consider that.
There are some other minor considerations that I can think of, which may or may not be related to your implementation:
Maximum number of custom attributes per user pool is 50.
Once created, you cannot edit the name, min/max length or mutable property of a custom attribute. It cannot be deleted either.
Even though nested groups are not supported in Cognito, is it not an option to create groups like category_role? Example: Customer_MANAGER?
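The trade-off in the answer above, as an added example that is not the answer's own code: the same (category, role) pair is derived either from `cognito:groups`, using the `Category_ROLE` naming the answer suggests, or from the custom attributes, and the second path refuses anything that is not an ID token because the access token never carries `custom:` claims. The claim sets are constructed samples (assumed to have already passed signature and `aud`/`iss` verification, which this snippet does not do), and the role table for Backoffice is an assumption.

```python
# Added example (not from the original answer): where to read category/role
# from, depending on which Cognito token the backend receives.
from typing import Optional, Tuple

# Group naming convention from the answer: "<Category>_<ROLE>".
# Backoffice roles are an assumption; the question only names SALES.
ALLOWED_ROLES = {
    "Customer": {"MANAGER", "USER"},
    "Backoffice": {"SALES"},
}


def category_role_from_groups(claims: dict) -> Optional[Tuple[str, str]]:
    """Derive (category, role) from cognito:groups; present in ID and access tokens."""
    groups = claims.get("cognito:groups") or []
    found = []
    for g in groups:
        category, sep, role = g.partition("_")
        if sep and role in ALLOWED_ROLES.get(category, ()):
            found.append((category, role))
    if len(found) != 1:
        # Zero means no authorization data; more than one is ambiguous and is
        # refused rather than silently picking the first.
        return None
    return found[0]


def category_role_from_attributes(claims: dict) -> Optional[Tuple[str, str]]:
    """Derive (category, role) from custom attributes; only the ID token carries them."""
    if claims.get("token_use") != "id":
        return None
    category = claims.get("custom:category")
    role = claims.get("custom:role")
    if role in ALLOWED_ROLES.get(category, ()):
        return (category, role)
    return None


def spring_authority(category: str, role: str) -> str:
    """Map to the ROLE_ prefix convention Spring Security uses for hasRole()."""
    return f"ROLE_{category.upper()}_{role.upper()}"


# Constructed sample claim sets (signature assumed verified upstream).
ACCESS_TOKEN_CLAIMS = {
    "token_use": "access",
    "sub": "11111111-2222-3333-4444-555555555555",
    "client_id": "exampleclientid",
    "cognito:groups": ["Customer_MANAGER"],
}
ID_TOKEN_CLAIMS = {
    "token_use": "id",
    "sub": "11111111-2222-3333-4444-555555555555",
    "cognito:groups": ["Customer_MANAGER"],
    "custom:category": "Customer",
    "custom:role": "MANAGER",
}

if __name__ == "__main__":
    print("groups path, access token:", category_role_from_groups(ACCESS_TOKEN_CLAIMS))
    print("attribute path, access token:", category_role_from_attributes(ACCESS_TOKEN_CLAIMS))
    print("attribute path, id token:", category_role_from_attributes(ID_TOKEN_CLAIMS))
```

With the group convention, authorization works from either token; with custom attributes, a resource server that only receives the access token has nothing to go on.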
I am trying to figure out how to query AD for a group and get its memberOf attribute to show all the members, even cross-domain ones.
I will give an example:
I have two domains:
one.company.com
two.company.com
I have three groups:
one\group1
one\group2
two\group3
one\group1 is a member of one\group2 and two\group3
I am trying to write a query to find all memberOf for one\group1.
No matter what query I try, the memberOf attribute only returns one\group2.
<GC://DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(distinguishedName=CN=group1,OU=....,DC=one,DC=company,DC=com));name,memberOf;subtree
<GC://DC=one,DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(distinguishedName=CN=group1,OU=....,DC=one,DC=company,DC=com));name,memberOf;subtree
<LDAP://DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(distinguishedName=CN=group1,OU=....,DC=one,DC=company,DC=com));name,memberOf;subtree
<LDAP://DC=one,DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(distinguishedName=CN=group1,OU=....,DC=one,DC=company,DC=com));name,memberOf;subtree
I am trying to do it this way because ultimately there are multiple groups I want to get memberOf for so if I can get this to work then I can just put them all in (|...) in the search filter and only make one call.
I want to query LDAP for all users in a specific OU (call it OU = Anberlin)
This is my current approach:
(&(objectCategory=person)(objectClass=user)(memberOf=OU=Anberlin, DC=Domain, DC=local)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))
That should get all the enabled users in that OU right?
No, it won't. The memberOf attribute stores the list of groups the object is a member of.
All LDAP searches have a base DN value that you can pass as well as the query. Usually it's the whole domain, but if you set the base DN to your OU, then you will only get results from that OU.
So this is what you'd use for your search:
Base DN: OU=Anberlin,DC=Domain,DC=local
Query: (&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))
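A local simulation of the corrected search above, as an added example that is not part of the original answer: the entries are constructed, and the code does what the DC does with the base DN and the three filter terms, including the bitwise test that the `1.2.840.113556.1.4.803` matching rule performs on `userAccountControl`. The DN splitter honours backslash-escaped commas so a name like `CN=Dave\, Jr.` does not break subtree matching.

```python
# Added example (not from the original answer): evaluate the corrected search
# locally over constructed entries.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit the 1.2.840.113556.1.4.803 (bitwise AND) rule tests

SEARCH = {
    "base": "OU=Anberlin,DC=Domain,DC=local",
    "scope": "subtree",
    "filter": "(&(objectCategory=person)(objectClass=user)"
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
}


def split_dn(dn: str):
    """Split a DN into RDN strings, keeping backslash-escaped commas (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if `dn` is `base` or lies below it (case-insensitive, as AD compares DNs)."""
    d = [p.lower() for p in split_dn(dn)]
    b = [p.lower() for p in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def matches_enabled_user(entry: dict) -> bool:
    """Local equivalent of the three filter terms."""
    return (
        entry.get("objectCategory") == "person"  # AD resolves the short name to CN=Person,CN=Schema,...
        and "user" in entry.get("objectClass", ())
        and not entry.get("userAccountControl", 0) & ACCOUNTDISABLE
    )


def enabled_users_in_ou(entries, base=SEARCH["base"]):
    """DNs of enabled user objects at or below `base`."""
    return [e["dn"] for e in entries if dn_in_subtree(e["dn"], base) and matches_enabled_user(e)]


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory content.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},            # enabled
    {"dn": "CN=Bob,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 514},            # disabled
    {"dn": "CN=Carol,OU=Sales,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},            # wrong OU
    {"dn": "CN=Dave\\, Jr.,OU=Nested,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 66048},          # enabled, nested OU, escaped comma
    {"dn": "CN=WS01,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096},  # computer, not person
    {"dn": "CN=Ext Vendor,OU=Anberlin,DC=Domain,DC=local", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},    # contact, not user
]

if __name__ == "__main__":
    for dn in enabled_users_in_ou(SAMPLE_ENTRIES):
        print(dn)
```

The computer and contact entries show why both `objectCategory=person` and `objectClass=user` are needed: computers are `user` objects with a different category, and contacts share the `person` category without being `user` objects.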
I added the Connection Roles entity to my solution but there is no button to create a new field. Is it not possible? I need to be able to add a "Weight" to Connection Roles. I need the ability to have reports that are sorted by the Connection Role "weight".
For example, I would assign a weight value of 1 to the Connection Role of CEO, 2 to VP, 3 to Director, etc. Then when I pull the report I can sort by that field, so that the contacts display in order of seniority. Thanks.
The Connection Role entity is not customizable; it is not even possible to create custom relationships with it.
Adding the entity to a solution serves no purpose. In fact every solution already has a Connection Role node by default and all that is customizable can be done there.
Connection Roles are used in the Connection entity, which in fact is customizable. An option could be to add a custom weight field there.
I have a User1 in Domain1 which belongs to a group Group1.
Group1 belongs to a different domain Domain2.
Using the memberOf attribute, I can easily see that User1 belongs to Group1. But memberOf only gives me the OU and the domain to which the group belongs.
e.g.
CN=Groupname,OU=ou1,DC=Domain1,DC=Domain2,DC=com
Does Domain1 store other information of Group1?
If yes, how can I get the SID or GUID or any other information of Group1 without connecting to Domain2?
Edit:
Both the domains are in trust relationship.
You can also get the SID and GUID with the "Extended DN" LDAP control.
Please check:
How to get AD user's 'memberof' property value in terms of objectGUID?
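What the Extended DN control (OID 1.2.840.113556.1.4.529) hands back, decoded, as an added example that is not the answer's own code: with flag 0 each DN-valued attribute such as `memberOf` comes back as `<GUID=hex>;<SID=hex>;DN`, with flag 1 as `<GUID=xxxxxxxx-...>;<SID=S-1-5-...>;DN`, and the `<SID=...>` part is present only for security principals. The parser accepts both forms and converts the raw binary SID and GUID to their usual string forms; the sample values are constructed (the GUID is made up, the SID is the well-known Builtin Administrators SID).

```python
# Added example (not from the original answer): decode the GUID and SID that
# the Extended DN control prepends to DN-valued attributes.
import re
import struct
import uuid

_EXT_DN = re.compile(r"^<GUID=([^>]+)>;(?:<SID=([^>]+)>;)?(.*)$")


def sid_from_hex(hex_sid: str) -> str:
    """Binary SID (hex, as returned with flag 0) -> 'S-1-5-...' string."""
    b = bytes.fromhex(hex_sid)
    revision, count = b[0], b[1]
    if len(b) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(b[2:8], "big")          # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, b, 8)    # sub-authorities, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def guid_from_hex(hex_guid: str) -> str:
    """objectGUID raw bytes (hex, flag 0) -> canonical GUID string.

    Assumption: the hex is the raw attribute byte order, whose first three
    fields are little-endian; uuid.UUID(bytes_le=...) handles that.
    """
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))


def parse_extended_dn(value: str) -> dict:
    """Parse '<GUID=..>;<SID=..>;DN' in either hex (flag 0) or string (flag 1) form."""
    m = _EXT_DN.match(value)
    if not m:
        raise ValueError("not an extended DN: %r" % value)
    guid, sid, dn = m.groups()
    guid = str(uuid.UUID(guid)) if "-" in guid else guid_from_hex(guid)
    if sid is not None and not sid.upper().startswith("S-"):
        sid = sid_from_hex(sid)
    return {"guid": guid, "sid": sid, "dn": dn}


# Constructed samples: the DN from the question, a made-up GUID, and the
# well-known Builtin Administrators SID S-1-5-32-544 in binary form.
SAMPLE_HEX_FORM = ("<GUID=78563412bc9af0de123456789abcdef0>;"
                   "<SID=01020000000000052000000020020000>;"
                   "CN=Groupname,OU=ou1,DC=Domain1,DC=Domain2,DC=com")
SAMPLE_STRING_FORM = ("<GUID=12345678-9abc-def0-1234-56789abcdef0>;"
                      "<SID=S-1-5-32-544>;"
                      "CN=Groupname,OU=ou1,DC=Domain1,DC=Domain2,DC=com")
SAMPLE_NO_SID = "<GUID=78563412bc9af0de123456789abcdef0>;OU=ou1,DC=Domain1,DC=Domain2,DC=com"

if __name__ == "__main__":
    for v in (SAMPLE_HEX_FORM, SAMPLE_STRING_FORM, SAMPLE_NO_SID):
        print(parse_extended_dn(v))
```

Because the SID and GUID travel with the `memberOf` value itself, no bind to Domain2 is needed to obtain them; anything beyond those two identifiers (group type, members, description) still lives only on Domain2's DCs.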