You should be able to create a query with this filter here:

```
(&(objectClass=user)(sAMAccountName=yourUserName)(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
```

and when you run that against your LDAP server, if you get a result, your user "yourUserName" is indeed a member of the group "CN=YourGroup,OU=Users,DC=YourDomain,DC=com".
Try and see if this works!
If you use C# / VB.Net and System.DirectoryServices, this snippet should do the trick:

```csharp
using System;
using System.DirectoryServices;

// Search the whole domain for the user, restricted to direct members of the group.
DirectoryEntry rootEntry = new DirectoryEntry("LDAP://dc=yourcompany,dc=com");
DirectorySearcher srch = new DirectorySearcher(rootEntry);
srch.SearchScope = SearchScope.Subtree;
srch.Filter = "(&(objectClass=user)(sAMAccountName=yourusername)(memberOf=CN=yourgroup,OU=yourOU,DC=yourcompany,DC=com))";

// Any hit means the membership clause matched.
SearchResultCollection res = srch.FindAll();
if (res == null || res.Count <= 0) {
    Console.WriteLine("This user is *NOT* member of that group");
} else {
    Console.WriteLine("This user is INDEED a member of that group");
}
```

Word of caution: this will only test for immediate group memberships, and it will not test for membership in what is called the "primary group" (usually "cn=Users") in your domain. It does not handle nested memberships, e.g. User A is a member of Group A which is a member of Group B - the fact that User A is really a member of Group B as well doesn't get reflected here.
Marc
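
The nested-membership gap noted in the answer above can be closed on Active Directory with the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941). The following is an added example, not part of the original answer: it builds the direct and the transitive filter and escapes the user-supplied values per RFC 4515 so a username cannot change the filter's structure. The function names are illustrative and the sample values are constructed.

```python
# Added example: build AD group-membership filters with RFC 4515 escaping.
# Function names are illustrative; DN and user values below are constructed.

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (Active Directory)

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Return a filter matching the user only if it is a member of group_dn.

    nested=False checks direct membership (the filter from the answer).
    nested=True uses the in-chain matching rule so that membership through
    intermediate groups also matches. Neither form sees the primary group,
    which is stored in primaryGroupID rather than memberOf.
    """
    if not username or not group_dn:
        raise ValueError("username and group_dn are required")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"({attr}={escape_filter_value(group_dn)}))"
    )


if __name__ == "__main__":
    group = "CN=YourGroup,OU=Users,DC=YourDomain,DC=com"
    print(membership_filter("yourUserName", group))
    print(membership_filter("yourUserName", group, nested=True))
    # Constructed hostile input: unescaped, it would turn the sAMAccountName
    # test into a wildcard and append an extra clause to the filter.
    print(membership_filter("*)(objectClass=*", group))
```
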
Your LDAP structure looks strange.
What is the class of objects like cn=group1? Is this "organizationalUnit" or "group"?
In usual Directories users are created under objects based on the "organizationalUnits" class, and for administrative needs they are grouped in an attribute called "member" of objects of the class "group".
In this case the LDAP filter would be like:

```
(&(objectClass=group)(member=uid={0},cn=users,o=fund,C=NO))
```

With the architecture you describe you may have a look at a feature called ExtensibleMatch which seems to be correctly explained in this wiki article.
Best Answer
The only way I found to do this was to make a query for an empty attribute array, then loop and increment a counter.