ldap experts: how to get a list of groups a user is a member of within the entire forest?

Chere Zhou qzhou at isilon.com
Thu May 8 17:48:04 GMT 2003

Yes, this filter is better.  The result is a list of groups the user is a 
direct member of.  But it does not list nested groups.  I guess if groupA is 
a member of groupB, user chere is a member of groupA, I want a query on group 
membership of user chere, both groupA and groupB should be listed.

Another question is, in a group's member, the value can be 
member: CN=Chere Peony,CN=Users,DC=peony,DC=zhou,DC=com
member: CN=chere,CN=Users,DC=zhou,DC=com

See, it can be account name, full name, or SID number.  This is in my w2k 
domain.  Is this all normal?   Why do I have to use 
(member=cn=chere,cn=users,dc=zhou,dc=com), instead of (member=cn=chere,*)?  
Well, the (member=cn=chere,*) does not work, I don't know why.


On Wednesday 07 May 2003 10:29 pm, Stefan (metze) Metzmacher wrote:
> At 18:33 07.05.2003 -0700, Chere Zhou wrote:
> >I want to do this using openldap against w2k ADS.  I found from google,
> >somebody supporting ADSI from Microsoft said the following:
> >
> >- bind to the GC.
> >- do search using DirectorySearcher with the filter
> >"(&(objectClass=Group)(objectCategory=Group)(member=CN=My User...))".
> >
> >I do not have DirectorySearcher to test it with.  But using
> >net ads search -I <GC ip> \
> >"(&(objectClass=Group)(objectCategory=Group)(member=CN=chere))"
> >certainly "Got 0 replies".
> "(&(objectClass=Group)(objectCategory=Group)(member=CN=chere,CN=Users,DC=MY
> would be better...
> (that's not tested, but I think the member attribute holds the full DN.)
> >Anybody know how to do it, or is it not possible at all?  I hope one
> > search can recursively get all of the groups, rather than just the groups
> > the user is a direct member of.  I don't feel like looping through each
> > group to compare with.  Better solution than that is greatly appreciated.
> >
> >Chere
> metze
> ---------------------------------------------------------------------------
>-- Stefan "metze" Metzmacher <metze at metzemix.de>

More information about the samba-technical mailing list