LDAP query to enumerate of all users of the subgroups of a group

ldap

This LDAP query successfully enumerates all users within a group:

memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com

The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2.
In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup1, and then make the union.

However, I am asking how I can achieve the same results with only one LDAP query,
asking for all the users within MyGroup1 and sub-groups.

Any idea?

Best Answer

There is no such thing as a subgroup, just groups. The correct term is subordinate, i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.

Use the following parameters in an LDAP search request:

base object: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
search scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
requested attribute: whichever multi-valued attribute whose value is the distinguished name of each member of the group

These search request parameters should result in a search result with two entries, the distinguished of each entry, and the attributes whose values are the distinguished names of the members of each group.

DirectoryEntry rootEntry = new DirectoryEntry("LDAP://dc=yourcompany,dc=com");

DirectorySearcher srch = new DirectorySearcher(rootEntry);
srch.SearchScope = SearchScope.Subtree;

srch.Filter = "(&(objectClass=user)(sAMAccountName=yourusername)(memberOf=CN=yourgroup,OU=yourOU,DC=yourcompany,DC=com))";

SearchResultCollection res = srch.FindAll();

if(res == null || res.Count <= 0) {
    Console.WriteLine("This user is *NOT* member of that group");
} else {
    Console.WriteLine("This user is INDEED a member of that group");
}

Word of caution: this will only test for immediate group memberships, and it will not test for membership in what is called the "primary group" (usually "cn=Users") in your domain. It does not handle nested memberships, e.g. User A is member of Group A which is member of Group B - that fact that User A is really a member of Group B as well doesn't get reflected here.

Marc

C# – LDAP: Enumerate Organizational Unit users

The path you gave for the Users OU is not a valid LDAP path. The LDAP path is constructed in the opposite direction compared to file system path or network path as you entered. your path may look as follows: ou=Users,ou=Financial Services,ou=Financial Site,ou=Contoso,ou=Clients,dc=MyCompany

The prefixes are really important (i.e. ou= or dc=) and the path I provided may be incorrect if any of the objects is of a different class.

I recommend that inside the loop of your original code sample, print the oResult.Path and copy-paste the desired path. This way there will be no errors in constructing the LDAP path.

LDAP query to enumerate of all users of the subgroups of a group

Best Answer

see also

Related Topic

Best Answer

see also

Related Solutions

How to write LDAP query to test if user is member of a group

C# – LDAP: Enumerate Organizational Unit users

Related Topic