Generally, LDAP queries for groups require the full distinguished name of the user and the group.
If you know the specific group, then use an LDAP query like:
ldapsearch -H ldaps://server.domain.com:636 -x -D "[email protected]" -W -b "CN=myusername,CN=Users,DC=domain,DC=com" -s sub -a always -z 1000 "(&(sAMAccountName=myusername)(Memberof=CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com))" "objectClass"
If that returns a DN, it implies the user sAMAccountName=myusername is a member of that specific group.
If no DNs are returned, then there is no sAMAccountName=myusername that is a member of that specific group.
However, this would not include any nested groups.
He who fights with dragons too long becomes a dragon himself; gaze too long into the abyss and the abyss will gaze back…
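The nested-group gap noted above can be closed on Active Directory with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The following is an added example, not part of the original post: it builds both the direct and the nested membership filter with RFC 4515 escaping, so a user-supplied account name cannot alter the filter. It assumes the directory is Active Directory; the function names and the bind placeholder are illustrative.

```python
# Added example (not from the original post). Assumes Active Directory.
# Function names and BIND_UPN_PLACEHOLDER are illustrative.

# AD's LDAP_MATCHING_RULE_IN_CHAIN: the server walks the memberOf chain,
# so membership through nested groups also matches.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def membership_filter(sam: str, group_dn: str, nested: bool = False) -> str:
    """Filter matching the account only if it is a member of group_dn."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(sam), attr, escape_filter_value(group_dn))


def ldapsearch_argv(uri: str, bind_id: str, base_dn: str, flt: str) -> list:
    """Argument vector for ldapsearch; passing a list avoids shell quoting.
    "1.1" requests no attributes, so only matching DNs come back."""
    return ["ldapsearch", "-H", uri, "-x", "-D", bind_id, "-W",
            "-b", base_dn, "-s", "sub", "-z", "1000", flt, "1.1"]


# Values taken from the command in the post.
GROUP_DN = "CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com"
USER_BASE = "CN=myusername,CN=Users,DC=domain,DC=com"

if __name__ == "__main__":
    for nested in (False, True):
        flt = membership_filter("myusername", GROUP_DN, nested=nested)
        print(" ".join(ldapsearch_argv(
            "ldaps://server.domain.com:636", "BIND_UPN_PLACEHOLDER",
            USER_BASE, flt)))
    # Constructed hostile input: metacharacters are neutralised.
    print(membership_filter("*)(objectClass=*", GROUP_DN))
```

As with the original query, a returned DN means the account is a member and an empty result means it is not; with `nested=True` that answer includes membership inherited through other groups.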