Php – How to find all the LDAP groups that a user is part of, when groupOfUniqueNames is used to define groups

ldapPHP

When I connect to the LDAP server and retrieve the user, I get the correct user record, but I don't see any memberOf, isMemberOf or any other similar attribute that tells me what groups they are in:

$query = "(&(uid={$username})(objectClass=person))";
$result = ldap_search($ldapconnection, $context, $query);
$user = ldap_get_entries($ldapconnection, $result);

However, If I retrieve the LDAP group, then I can see a list of users that includes all the right ones:

$query = "(&({cn=".$groupname.")(objectClass=groupOfUniqueNames))";
$result = ldap_search($ldapconnection, $context, $query);
$group = ldap_get_entries($ldapconnection, $result); // Users in array attribute

The groups are dynamic groupOfUniqueNames ones, and each user is a uniqueMember of the group.

Am I missing something, or is the server not configured to show memberOf (MS AD)? Is there any way to get the memberships for a particular user without looping over every single group there is?

Best Answer

I'm not sure why you're not getting the memberOf attribute back from your queries, but you should be able to retrieve a user's group membership with something like this:

$query = "(&(objectClass=groupOfUniqueNames)(uniqueMember=" . $username . "))";

It looks like uniqueMember is not indexed by default (http://msdn.microsoft.com/en-us/library/windows/desktop/ms680520(v=vs.85).aspx), so if you have access to do so, and run into performance issues, it might be worth indexing it.

Related Solutions

How to write LDAP query to test if user is member of a group

You should be able to create a query with this filter here:

(&(objectClass=user)(sAMAccountName=yourUserName)
  (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

and when you run that against your LDAP server, if you get a result, your user "yourUserName" is indeed a member of the group "CN=YourGroup,OU=Users,DC=YourDomain,DC=com

Try and see if this works!

If you use C# / VB.Net and System.DirectoryServices, this snippet should do the trick:

DirectoryEntry rootEntry = new DirectoryEntry("LDAP://dc=yourcompany,dc=com");

DirectorySearcher srch = new DirectorySearcher(rootEntry);
srch.SearchScope = SearchScope.Subtree;

srch.Filter = "(&(objectClass=user)(sAMAccountName=yourusername)(memberOf=CN=yourgroup,OU=yourOU,DC=yourcompany,DC=com))";

SearchResultCollection res = srch.FindAll();

if(res == null || res.Count <= 0) {
    Console.WriteLine("This user is *NOT* member of that group");
} else {
    Console.WriteLine("This user is INDEED a member of that group");
}

Word of caution: this will only test for immediate group memberships, and it will not test for membership in what is called the "primary group" (usually "cn=Users") in your domain. It does not handle nested memberships, e.g. User A is member of Group A which is member of Group B - that fact that User A is really a member of Group B as well doesn't get reflected here.

Marc

Java – JNDI Obtain the size of a LDAP search without retrieving all the data

The only way I found to do this was to make a query for an empty attribute array, then loop and increment a counter.

Best Answer

Related Solutions

How to write LDAP query to test if user is member of a group

Java – JNDI Obtain the size of a LDAP search without retrieving all the data

Related Topic