ldap experts: how to get a list of groups a user is a member of within the entire forest?

Chere Zhou qzhou at isilon.com
Thu May 8 17:48:04 GMT 2003


Yes, this filter is better.  The result is a list of groups the user is a 
direct member of.  But it does not list nested groups.  I guess if groupA is 
a member of groupB, and user chere is a member of groupA, then when I query the 
group membership of user chere, both groupA and groupB should be listed.

Another question is, in a group's member attribute, the value can be 
member: CN=Chere Peony,CN=Users,DC=peony,DC=zhou,DC=com
member: CN=S-1-5-21-583907252-823518204-725345543-41465,CN=ForeignSecurityPrincipals,DC=zhou,DC=com
member: CN=chere,CN=Users,DC=zhou,DC=com

See, it can be an account name, a full name, or a SID.  This is in my w2k 
domain.  Is this all normal?   Why do I have to use 
(member=cn=chere,cn=users,dc=zhou,dc=com) instead of (member=cn=chere,*)?  
Well, (member=cn=chere,*) does not work, and I don't know why.

Chere


On Wednesday 07 May 2003 10:29 pm, Stefan (metze) Metzmacher wrote:
> At 18:33 07.05.2003 -0700, Chere Zhou wrote:
> >I want to do this using openldap against w2k ADS.  I found from google,
> >somebody supporting ADSI from Microsoft said the following:
> >
> >- bind to the GC.
> >- do search using DirectorySearcher with the filter
> >"(&(objectClass=Group)(objectCategory=Group)(member=CN=My User...))".
> >
> >I do not have DirectorySearcher to test it with.  But using
> >net ads search -I <GC ip> \
> >"(&(objectClass=Group)(objectCategory=Group)(member=CN=chere))"
> >certainly "Got 0 replies".
>
> "(&(objectClass=Group)(objectCategory=Group)(member=CN=chere,CN=Users,DC=MYDOMAIN,DC=COM))"
>
> would be better...
>
> (that's not tested, but I think the member attribute holds the full DN.)
>
> >Anybody know how to do it, or is it not possible at all?  I hope one
> > search can recursively get all of the groups, rather than just the groups
> > the user is a direct member of.  I don't feel like looping through each
> > group to compare with.  Better solution than that is greatly appreciated.
> >
> >Chere
>
> metze
> -----------------------------------------------------------------------------
> Stefan "metze" Metzmacher <metze at metzemix.de>


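Added example (editor's note; this is not code from the thread or from Samba): a small Python script that builds the group-membership filter with the user's full, filter-escaped DN and then walks nested groups breadth-first over an in-memory directory fragment modelled on the DNs quoted above. The group names groupA/groupB/groupC, the extra Foreign Security Principal membership and the groupB/groupC nesting cycle are constructed sample data. The member attribute has DN syntax, so the server only matches it by equality on the whole DN and defines no substring rule for it, which is why (member=cn=chere,*) never matches anything. All three values shown in the message are DNs; the RDN of an object under CN=ForeignSecurityPrincipals is the SID of a principal from another domain, which is normal. The in_chain_filter helper shows the later one-query alternative, the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which needs a Windows Server 2003 SP2 or later domain controller and is not available on Windows 2000; there, the constructed tokenGroups attribute of the user object (returned only on a base-scope search of that object) gives the transitive set of group SIDs instead.

```python
"""Resolve a user's direct and nested AD group membership.

Added example for the thread above. The directory fragment below is
constructed sample data modelled on the DNs in the message; nothing here
talks to a real server.
"""
from collections import deque

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string (here a DN) for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def direct_membership_filter(user_dn):
    """Filter for groups that list user_dn directly in 'member'.

    'member' has DN syntax: the server only supports equality on the full
    DN, so a substring such as (member=cn=chere,*) has no matching rule.
    """
    return "(&(objectCategory=group)(member=%s))" % escape_filter_value(user_dn)


def in_chain_filter(user_dn):
    """One-query transitive version using LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941). Requires Windows Server 2003 SP2 or
    later; a Windows 2000 DC does not implement this rule."""
    return "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=%s))" % (
        escape_filter_value(user_dn))


# Constructed directory fragment: group DN -> list of member DNs.
# groupA holds the user and a Foreign Security Principal (SID-named RDN),
# groupA is nested in groupB, and groupB/groupC nest each other (a cycle).
SAMPLE_MEMBERS = {
    "CN=groupA,CN=Users,DC=zhou,DC=com": [
        "CN=chere,CN=Users,DC=zhou,DC=com",
        "CN=S-1-5-21-583907252-823518204-725345543-41465,"
        "CN=ForeignSecurityPrincipals,DC=zhou,DC=com",
    ],
    "CN=groupB,CN=Users,DC=zhou,DC=com": [
        "CN=groupA,CN=Users,DC=zhou,DC=com",
        "CN=groupC,CN=Users,DC=zhou,DC=com",
    ],
    "CN=groupC,CN=Users,DC=zhou,DC=com": [
        "CN=groupB,CN=Users,DC=zhou,DC=com",
    ],
    "CN=Domain Users,CN=Users,DC=zhou,DC=com": [],
}


def sample_groups_containing(dn):
    """Stand-in for one LDAP search with direct_membership_filter(dn).

    DNs are compared case-insensitively, as AD does.
    """
    wanted = dn.casefold()
    return [group for group, members in SAMPLE_MEMBERS.items()
            if any(m.casefold() == wanted for m in members)]


def transitive_groups(user_dn, groups_containing):
    """Return every group the user belongs to, directly or through nesting.

    groups_containing(dn) performs one search for the groups that list dn
    directly. The walk is breadth-first; the 'seen' set stops it on nested
    group cycles, which AD permits.
    """
    seen = set()
    result = []
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in groups_containing(dn):
            key = group.casefold()
            if key in seen:
                continue
            seen.add(key)
            result.append(group)
            queue.append(group)  # now look for groups that contain this group
    return result


if __name__ == "__main__":
    user = "CN=chere,CN=Users,DC=zhou,DC=com"
    print(direct_membership_filter(user))
    print(in_chain_filter(user))
    for g in transitive_groups(user, sample_groups_containing):
        print("member of:", g)
```

To run this against a real directory, replace sample_groups_containing with a function that binds to the GC and searches with direct_membership_filter(dn) once per queued DN; the breadth-first loop and cycle guard stay the same.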