When I do this at the bash prompt on a CentOS 6.4
ldapsearch -LLL -H ldap://adserver.example.com -x -D someuser@example.com -w somepass -b 'OU=Users,DC=example,DC=com' '(&(objectClass=person)(sAMAccountName=testuser))'
I get
dn: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
objectClass: person
...
cn: TestUser Surname
sn: Surname
...
distinguishedName: CN=TestUser Surname,OU=Area,OU=Users,DC=example,DC=com
...
memberOf: CN=Group1,OU=Area,OU=Users,DC=example,DC=com
memberOf: CN=Gropu2,OU=Users,DC=example,DC=com
...
sAMAccountName: testuser
I want to get a response only if testuser belongs to a group named X, irrespective of where group X is located in the AD hierarchy. For instance: I want the data of a user called testuser that is a member of a group named Group1.
I have tried changing the filters to:
- (&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1*))
- (&(objectClass=person)(sAMAccountName=testuser)(memberOf=*Group1*))
to no avail.
As you can see from the output above, testuser belongs to the groups
- CN=Group1,OU=Area,OU=Users,DC=example,DC=com
- CN=Gropu2,OU=Users,DC=example,DC=com.
When I use the filter '(&(objectClass=person)(sAMAccountName=testuser)(memberOf=CN=Group1,OU=Area,OU=Users,DC=example,DC=com))' it works, but I need a query with the group name only (not using the full "path").
Is there any way to do it?
I'm trying to do this because I need to use Active Directory defined groups as Squid (the Linux proxy) ACLs. To do that, I need to define an external ACL type such as
external_acl_type ADGroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "OU=Users,DC=example,DC=com" -D someuser@example.com -w somepass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=CN=%g,OU=Users,DC=example,DC=com))" -h adserver.example.com
and then use the type to define ACLs such as this
acl ADGroup_Group1 external ADGroup Group1
acl ADGroup_Group2 external ADGroup Group2
...
http_access allow ADGroup_Group1;
http_access deny ADGroup_Group2;
When Squid is checking this "allow", it will substitute %u with the user login name and %g with the group name defined in the ACL (Group1, Group2) and then make the LDAP query above.
As you can see from above, "http_access allow ADGroup_Group1;" will work as intended, but "http_access deny ADGroup_Group2;" won't work, because the parent OUs of Group1 and Group2 are different.
So I have 3 alternatives:
- Find a filter that works for any group name, irrespective of path (this question)
- Move (potentially) ALL AD Groups to the same OU (ugh… moving an object to a different OU WILL bring me more work, as I then have to readjust GPOs, or at least check already defined GPOs for any change this kind of move can bring)
- Define (potentially) an external_acl_type for every OU with Groups. (In this case, I will have N external processes just to check a change of path in the LDAP filter)
Best Answer
Unfortunately not. The common name of an LDAP object isn't globally unique; it's only unique relative to its parent OU. So, if you could ask if a user was a member of a group, based on a CN of a group, you could potentially get multiple results.
It's for this reason that the memberOf attribute of a user object is a list of DNs (distinguished names, or full X.500 paths).
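A two-step check that follows from the answer, as an added example that is not code from the question, the answer or Squid: resolve the bare group CN to full group DNs first, then test the user's memberOf values against those DNs, and fail closed when the CN is ambiguous. The directory data below is constructed (based on the question's output plus one extra group that reuses the CN "Group1") and stands in for live ldapsearch results.

```python
"""Resolve a group CN to DN(s) before testing membership.

A single memberOf filter cannot match on a bare CN, so a helper has to
search for the group first and then compare full DNs. Constructed data
below replaces the LDAP queries a real helper would run.
"""
import re

# Constructed result of a directory-wide group search, e.g. the DNs an
# LDAP query such as (&(objectClass=group)(cn=<name>)) could return.
ALL_GROUP_DNS = [
    "CN=Group1,OU=Area,OU=Users,DC=example,DC=com",
    "CN=Gropu2,OU=Users,DC=example,DC=com",
    "CN=Group1,OU=Contractors,OU=Users,DC=example,DC=com",  # same CN, other OU
]

# Constructed memberOf values for testuser, taken from the question's output.
TESTUSER_MEMBEROF = [
    "CN=Group1,OU=Area,OU=Users,DC=example,DC=com",
    "CN=Gropu2,OU=Users,DC=example,DC=com",
]

# Leading RDN of the form CN=<value>; a backslash-escaped comma stays in the value.
_LEADING_CN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def leading_cn(dn):
    """Return the CN value of a DN's first RDN, or None if it is not a CN."""
    m = _LEADING_CN.match(dn)
    return m.group(1) if m else None


def resolve_group(group_cn, group_dns=ALL_GROUP_DNS):
    """All group DNs whose leading CN equals group_cn (AD compares case-insensitively)."""
    wanted = group_cn.lower()
    return [dn for dn in group_dns if (leading_cn(dn) or "").lower() == wanted]


def check_membership(member_of, group_cn, group_dns=ALL_GROUP_DNS):
    """'OK' if the user is in the group with that CN, 'ERR' if not.

    Returns 'AMBIGUOUS' instead of guessing when more than one group carries
    the CN; that is exactly the case the answer warns about.
    """
    matches = resolve_group(group_cn, group_dns)
    if len(matches) > 1:
        return "AMBIGUOUS"
    have = {dn.lower() for dn in member_of}
    return "OK" if matches and matches[0].lower() in have else "ERR"
```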