How to filter an LDAP request for groups containing a specific user?

How do I filter an Active Directory LDAP query down to the groups containing the authenticated user (or any user at all)? This works great:

(&(objectClass=group)(member=*)) >>> lots of results 

But I cannot narrow it down any further:

 (&(objectClass=group)(member=*S*)) >>> nothing 

MSDN mentions the use of a filter as follows:

 (member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x)) 

But even ignoring the crazy hyper magic number, I always get 0 results when I try to filter with this (even replacing cn=user1,cn=users,DC=x with my own distinguished name, even replacing it with *).

+6
2 answers

You need the full user DN, i.e.:

 (&(member=CN=Your Name,OU=Your OU,DC=company,DC=com)(objectClass=group)) 

Note that you cannot use * in this.

+6

Thus, the crazy hyper magic number involved in a recursive search is explained in the search filter syntax.

To find in one search (recursively) all groups in which "user1" is a member:

  • Set the base to the groups container DN; e.g. the root DN (dc=dom,dc=fr)
  • Set the scope to subtree
  • Use the following filter: (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

Using LDIFDE.EXE, the command-line tool included with Windows Server, this gives:

 ldifde -f user1Grps.ldf -d "dc=societe,dc=local" -r "(member:1.2.840.113556.1.4.1941:=cn=user1,ou=Monou,dc=societe,dc=local)" 

If you are running this on a W2K8 or W2K8 R2 server, be careful with administrative privileges.

If you are programming in C#, you can use:

    using System;
    using System.DirectoryServices.AccountManagement;

    /* Retrieving a principal context */
    Console.WriteLine("Retrieving a principal context");
    PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD");

    /* Look for all the groups a user belongs to */
    UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
    PrincipalSearchResult<Principal> a = aUser.GetAuthorizationGroups();
    foreach (GroupPrincipal gTmp in a)
    {
        Console.WriteLine(gTmp.Name);
    }

+3
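Both answers above depend on placing the user's full DN in the filter value. As an added example (not part of the original answers), this Python sketch builds the direct and the nested-membership filter and escapes the DN per RFC 4515, because a DN containing `\`, `(`, `)` or `*` otherwise produces a malformed or non-matching filter. The function names and the sample DN are assumptions made for illustration.

```python
# Added example: build Active Directory group-membership filters from a user DN.
# Function names and the sample DN are constructed for illustration.

# OID of the AD "in chain" matching rule quoted on the page for nested groups
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be hex-escaped inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def groups_filter(user_dn: str, nested: bool = False) -> str:
    """Return a filter matching groups that contain user_dn.

    nested=False matches direct membership only; nested=True asks AD to
    walk the membership chain using the matching rule shown on the page.
    """
    if "=" not in user_dn or "," not in user_dn:
        # member is DN-valued: a bare name or a wildcard pattern cannot match
        raise ValueError("a full distinguished name is required")
    attr = f"member:{IN_CHAIN}:" if nested else "member"
    return f"(&(objectClass=group)({attr}={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    # Constructed DN with an escaped comma and parentheses in the CN
    dn = r"CN=Smith\, John (Admin),OU=Staff,DC=example,DC=com"
    print(groups_filter(dn))
    print(groups_filter(dn, nested=True))
```

Escaping the DN before it is concatenated into the filter also keeps user-supplied names from changing the filter's structure.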

Source: https://habr.com/ru/post/888461/

