[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.

Andrew Bartlett abartlet at samba.org
Fri Sep 6 19:51:52 UTC 2019

On Fri, 2019-09-06 at 15:14 -0400, Mauricio Tavares via samba wrote:
> However, when I ask ldapsearch to tell me about raub,
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D
> "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
> sub "(uid=raub)"
> It will give me lots of exciting info about said user but not a
> single
> memberOf attribute. 

The rfc2307 mapping of unix group behaviour onto LDAP does not features
member of memberof attributes, just as /etc/passwd does not store
groups, but /etc/group stores group member usernames.

AD has member/memberOf as linked attributes, but even there is it more
complex, with nested groups only being fully calculated via the
operational tokenGroups attribute on the user DN (as a base search) and
only fully, finally resolved on a login via tokenGroups on the rootDSE.

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list