Linux – ldapquery an Active Directory server for users that belong to a group named X


When I do this at the bash prompt on CentOS 6.4

ldapsearch -LLL -H ldap://adserver.example.com -x -D someuser@example.com -w somepass -b 'OU=Users,DC=example,DC=com' '(&(objectClass=person)(sAMAccountName=testuser))'

I get

dn: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
objectClass: person
...
cn: TestUser Surname
sn: Surname
...
distinguishedName: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
memberOf: CN=Group1,OU=Area,OU=Users,DC=example,DC=com
memberOf: CN=Group2,OU=Users,DC=example,DC=com
...
sAMAccountName: testuser

I want to get a response only if testuser belongs to a group named X, irrespective of where group X is located in the AD hierarchy. For instance: I want the data of a user called testuser that is a member of a group named Group1.

I have tried changing the filters to:

  1. (&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1*))
  2. (&(objectClass=person)(sAMAccountName=testuser)(memberOf=*Group1*))

to no avail.

As you can see from the output above, testuser belongs to the groups

  1. CN=Group1,OU=Area,OU=Users,DC=example,DC=com
  2. CN=Group2,OU=Users,DC=example,DC=com

When I use the filter '(&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1,OU=Area,OU=Users,DC=example,DC=com))' it works, but I need a query with the group name only (not using the full "path").

Is there any way to do it?

I'm trying to do this because I need to use Active Directory-defined groups as squid (the Linux proxy) ACLs. To do that, I need to define an external ACL type such as

external_acl_type ADGroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "OU=Users,DC=example,DC=com" -D someuser@example.com -w somepass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=CN=%g,OU=Users,DC=example,DC=com))" -h adserver.example.com

and then use the type to define ACLs such as this

acl ADGroup_Group1 external ADGroup Group1
acl ADGroup_Group2 external ADGroup Group2
...
http_access allow ADGroup_Group1;
http_access deny ADGroup_Group2;

When squid is checking this "allow", it will substitute %u with the user login name and %g with the group name defined in the ACL (Group1, Group2) and then make the LDAP query above.

As you can see from the above, "http_access allow ADGroup_Group1;" will work as intended, but "http_access deny ADGroup_Group2;" won't work, because the parent OUs of Group1 and Group2 are different.

So I have 3 alternatives:

  1. Find a filter that works for any group name, irrespective of path (this question)
  2. Move (potentially) ALL AD groups to the same OU (ugh… moving an object to a different OU WILL bring me more work, as I then have to readjust GPOs, or at least check already defined GPOs for any change this kind of move can bring)
  3. Define (potentially) an external_acl_type for every OU with groups. (In this case, I will have N external processes just to check a change of path in the LDAP filter)

Best Answer

Unfortunately not. The common name of an LDAP object isn't globally unique; it's only unique relative to its parent OU. So, if you could ask if a user was a member of a group, based on a CN of a group, you could potentially get multiple results.

It's for this reason that the memberOf attribute of a user object is a list of DNs (distinguished names, or full X.500 paths).
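
Added example, not part of the question or the answer: the two-step check that follows from the answer's point, written in Python against a constructed in-memory copy of the entries shown in the question. Step one resolves the bare group name to group DNs, the equivalent of running (&(objectClass=group)(cn=Group1)) over the whole base; step two compares the user's memberOf values against the full DN, which is the only comparison the question found to work and the one the %u/%g substitution in the squid external ACL would have to end up making. A second group named Group1 under OU=Contractors is an assumption added to show why a name alone cannot safely decide an allow rule; the function names and verdict strings are this example's own.

```python
import re

# Constructed sample directory standing in for the AD server in the question.
# The second "Group1", under OU=Contractors, is an assumption added to show the
# ambiguity the answer describes; the other entries mirror the question's output.
DIRECTORY = [
    {
        "dn": "CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "testuser",
        "memberOf": [
            "CN=Group1,OU=Area,OU=Users,DC=example,DC=com",
            "CN=Group2,OU=Users,DC=example,DC=com",
        ],
    },
    {"dn": "CN=Group1,OU=Area,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "group"], "cn": "Group1"},
    {"dn": "CN=Group1,OU=Contractors,DC=example,DC=com",
     "objectClass": ["top", "group"], "cn": "Group1"},
    {"dn": "CN=Group2,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "group"], "cn": "Group2"},
]


def split_rdns(dn):
    """Split a DN into its RDNs on commas that are not backslash-escaped
    (a CN such as "Surname\\, Name" legitimately contains an escaped comma)."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn):
    """Canonical form for comparison: AD DNs are case-insensitive and may carry
    spaces after the separators, so a byte-for-byte compare is unreliable."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def groups_named(directory, name):
    """Step 1: resolve a bare group name to DNs, i.e. the query
    (&(objectClass=group)(cn=<name>)) run over the whole base.
    cn is only unique within its parent, so this may return several DNs."""
    return [e["dn"] for e in directory
            if "group" in e["objectClass"]
            and e.get("cn", "").lower() == name.lower()]


def find_user(directory, sam):
    """Equivalent of (&(objectClass=person)(sAMAccountName=<sam>))."""
    for e in directory:
        if "person" in e["objectClass"] \
                and e.get("sAMAccountName", "").lower() == sam.lower():
            return e
    return None


def is_member_of_dn(user, group_dn):
    """Step 2: the comparison the question found to work, (memberOf=<full DN>),
    done as an equality match on normalized DNs. memberOf holds whole DNs,
    which is why the wildcard filters in the question match nothing."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(m) == wanted for m in user.get("memberOf", []))


def membership_by_name(directory, sam, group_name):
    """Combine both steps. Returns (verdict, candidate group DNs).
    A name that resolves to more than one group is reported as ambiguous
    rather than treated as a match: accepting any same-named group would let
    a group created elsewhere in the tree satisfy an allow rule."""
    user = find_user(directory, sam)
    if user is None:
        return "no-such-user", []
    candidates = groups_named(directory, group_name)
    if not candidates:
        return "no-such-group", []
    if len(candidates) > 1:
        return "ambiguous", candidates
    verdict = "member" if is_member_of_dn(user, candidates[0]) else "not-member"
    return verdict, candidates


if __name__ == "__main__":
    for g in ("Group1", "Group2", "Group3"):
        print(g, membership_by_name(DIRECTORY, "testuser", g))
```

Running the block reports Group2 as a membership, Group1 as ambiguous with both candidate DNs listed, and Group3 as unknown. Against a live server the same two searches would be issued with ldapsearch or a client library; the example only models the matching rules that matter here: equality on whole DNs, case-insensitive, with no substring matching on memberOf, which is why (memberOf=CN=Group1*) returned nothing for the asker.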
