Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share

0 votes
470 views
in Technique by (71.8m points)

LDAP query for membership in Active Directory Security Group

Given a username and a group, I need a simple LDAP query to run that can query if the username is a member of an Active Directory security group.

Here is what I have tried, but it is not running:

<LDAP://DC=subdomain,DC=domain,DC=com>;(&(objectClass=user)(sAMAccountName=myusername)(memberof=CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com))

Am I missing something? Single quotes around Domain Admins? Or something else?


Fight with dragons for too long and you become a dragon yourself; gaze into the abyss for too long and the abyss gazes back into you…

1 Answer

0 votes
by (71.8m points)

Generally, LDAP queries for groups require the full distinguished name of the user and the group.

If you know the specific group, then an LDAP query like:

ldapsearch -H ldaps://server.domain.com:636 -x -D "[email protected]" -W -b "CN=myusername,CN=Users,DC=domain,DC=com" -s sub -a always -z 1000 "(&(sAMAccountName=myusername)(Memberof=CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com))" "objectClass"

If that returns a DN, it implies that the user with sAMAccountName=myusername is a member of that specific group.

If no DNs are returned, then there is no user with sAMAccountName=myusername that is a member of that specific group.

However, this would not include any nested groups.
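The Python script below is an added example and is not code from the question or from the answer above. It builds the same memberOf filter the answer's ldapsearch uses, but escapes the username and group DN per RFC 4515 so that a username taken from untrusted input cannot change the structure of the filter; it also builds the Active Directory variant using the extensible match rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which makes the domain controller walk the group chain and so does cover the nested groups the answer says a plain memberOf test misses. Because there is no directory to query offline, both checks are then evaluated against a small constructed in-memory directory: the users alice, bob and carol and the Helpdesk group are made up for the demonstration and are not from the page.

```python
"""Membership check helpers: build the filters from the answer with RFC 4515
escaping, and evaluate direct vs nested membership against a constructed,
in-memory directory so the nested-group caveat can be seen without a server."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule (Active Directory only).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# The group DN used in the question and answer.
DOMAIN_ADMINS_DN = "CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that a
    username taken from user input cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(sam_account_name: str, group_dn: str, nested: bool = False) -> str:
    """Return a filter matching the user only if they belong to group_dn.

    nested=False reproduces the answer's direct memberOf test.
    nested=True asks the DC to walk the group chain server-side, which also
    catches membership inherited through nested groups."""
    user = escape_filter_value(sam_account_name)
    group = escape_filter_value(group_dn)
    if nested:
        member_of = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group}"
    else:
        member_of = f"memberOf={group}"
    return f"(&(objectClass=user)(sAMAccountName={user})({member_of}))"


# Constructed sample directory (DN -> attributes); not data from the page or a real domain.
SAMPLE_DIRECTORY = {
    "CN=alice,CN=Users,DC=subdomain,DC=domain,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "alice",
        "memberOf": [DOMAIN_ADMINS_DN],            # direct member
    },
    "CN=bob,CN=Users,DC=subdomain,DC=domain,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "bob",
        "memberOf": ["CN=Helpdesk,OU=Users,DC=subdomain,DC=domain,DC=com"],  # nested only
    },
    "CN=Helpdesk,OU=Users,DC=subdomain,DC=domain,DC=com": {
        "objectClass": ["top", "group"],
        "memberOf": [DOMAIN_ADMINS_DN],            # Helpdesk is itself in Domain Admins
    },
    DOMAIN_ADMINS_DN: {
        "objectClass": ["top", "group"],
        "memberOf": [],
    },
}


def is_member(directory: dict, sam_account_name: str, group_dn: str, nested: bool = False) -> bool:
    """Answer the same question locally: with nested=False only the user's own
    memberOf values count (what the answer's ldapsearch tests); with nested=True
    the memberOf chain is followed through intermediate groups, cycle-safe."""
    user = next(
        (e for e in directory.values()
         if "user" in e["objectClass"] and e.get("sAMAccountName") == sam_account_name),
        None,
    )
    if user is None:
        return False
    seen = set()
    frontier = list(user.get("memberOf", []))
    while frontier:
        dn = frontier.pop()
        if dn.lower() == group_dn.lower():     # DNs compare case-insensitively
            return True
        if nested and dn not in seen:
            seen.add(dn)
            frontier.extend(directory.get(dn, {}).get("memberOf", []))
    return False


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "direct:", is_member(SAMPLE_DIRECTORY, name, DOMAIN_ADMINS_DN),
              "nested:", is_member(SAMPLE_DIRECTORY, name, DOMAIN_ADMINS_DN, nested=True))
    print(membership_filter("bob", DOMAIN_ADMINS_DN, nested=True))
```

The string returned by membership_filter(..., nested=True) can be dropped into the answer's ldapsearch command in place of its filter to get the nested result from a real domain controller; chain matching is noticeably more expensive than a plain memberOf test, so keep the search base narrow as the answer does. Two caveats that apply to either form: a user's primary group (the primaryGroupID attribute, normally Domain Users) is not listed in memberOf, so a memberOf-only check will report false for that group, and bob in the sample directory shows why an authorization decision based on the direct filter alone can understate who is effectively in Domain Admins.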

