PingDirectory

Determining if a user is a static group member

Steps

  • To determine if a user is a member of a specified group, perform a base-scope search against the group entry with an equality filter on the membership attribute whose assertion value is the distinguished name (DN) of the user.

    For best performance, request a specific attribute list, such as cn, or use 1.1 to request that no attributes be returned, so that the server does not send back the entire member list.

    Example:

    This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the groupOfNames static group "cn=Test Group,ou=Groups,dc=example,dc=com".

    Base DN

    cn=Test Group,ou=Groups,dc=example,dc=com

    Scope

    base

    Filter

    (member=uid=john.doe,ou=People,dc=example,dc=com)

    Requested attributes

    1.1

    Example:

    $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
      --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"

    Result:

    If the search completes successfully and returns the group entry, the user is a direct member of the specified group. If the search completes successfully but returns no entries, the user is not a member. A non-success result code (for example, noSuchObject when the group DN does not exist) means the check could not be performed and should not be interpreted as "not a member". Make sure the bind DN you search with has read access to the group entry and its membership attribute; otherwise the filter cannot match and a member is reported as a non-member. This test covers only direct membership in a static group; membership through nested groups, dynamic groups, or virtual static groups is not detected by it.

  • If you do not know whether the membership attribute for the specified group is member (groupOfNames) or uniqueMember (groupOfUniqueNames), revise the filter with an OR so that either attribute can match.

    Example:

    This example adjusts the filter from the previous step's example to allow for either the member or the uniqueMember attribute. Everything else in the search (base DN, base scope, and the 1.1 attribute list) stays the same.

    (|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
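    The following script is an added example that wraps both steps above into a reusable check; it is not part of the PingDirectory product or its documentation. It assumes bin/ldapsearch is reachable via the LDAPSEARCH variable and that connection options (hostname, port, bind DN, password file) are supplied through LDAP_OPTS. It also escapes the user DN for use inside the filter, which the examples above do not need for uid=john.doe but which matters as soon as the DN comes from user input or contains characters such as `*`, `(`, `)` or `\`.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling. Assumptions:
#   LDAPSEARCH  path to PingDirectory's bin/ldapsearch (default: bin/ldapsearch)
#   LDAP_OPTS   connection options, e.g.
#               "--hostname ds.example.com --port 636 --useSSL \
#                --bindDN cn=app,ou=Apps,dc=example,dc=com --bindPasswordFile /run/secrets/pw"
LDAPSEARCH="${LDAPSEARCH:-bin/ldapsearch}"
LDAP_OPTS="${LDAP_OPTS:-}"

# Escape a value for use inside an RFC 4515 search filter so that a DN
# containing '\', '*', '(' or ')' cannot change the meaning of the filter.
# The backslash must be handled first, since the other replacements add backslashes.
filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter from the second step: match the user DN against either
# member (groupOfNames) or uniqueMember (groupOfUniqueNames).
membership_filter() {
  esc=$(filter_escape "$1")
  printf '(|(member=%s)(uniqueMember=%s))' "$esc" "$esc"
}

# Run the base-scope search from the first step against the group entry.
# Returns 0 if the user is a direct static member, 1 if the search succeeded
# but returned no entry, and 2 if ldapsearch itself failed (for example
# noSuchObject because the group DN does not exist, or an authentication error).
# "1.1" asks for no attributes so the full member list is never transferred.
is_static_member() {
  group_dn=$1
  user_dn=$2
  # LDAP_OPTS is intentionally unquoted so it word-splits into separate options.
  out=$("$LDAPSEARCH" $LDAP_OPTS --baseDN "$group_dn" --searchScope base \
        "$(membership_filter "$user_dn")" "1.1") || return 2
  # With 1.1 a matching group produces only its "dn:" line in the LDIF output.
  printf '%s\n' "$out" | grep -q '^dn:' && return 0
  return 1
}

# Usage: sh check_member.sh "<group DN>" "<user DN>"
# The search runs only when both arguments are given.
if [ "$#" -eq 2 ]; then
  is_static_member "$1" "$2"
  case $? in
    0) echo "member" ;;
    1) echo "not a member" ;;
    *) echo "search failed; check result code and access rights" ;;
  esac
fi
```

    Because the script distinguishes a failed search (exit status 2) from a successful search with no entry (exit status 1), a missing group or a bind DN without read access to the membership attribute is not silently reported as "not a member".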