Determining if a user is a static group member
Steps
-
To determine if a user is a member of a specified group, perform a base-level search to retrieve the group entry, using an equality filter that matches the membership attribute against the distinguished name (DN) of the specified user.
For best performance, include a specific attribute list, using either cn or 1.1 (which requests that no attributes be returned), so that the entire member list is not returned.
Example:
This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the groupOfNames static group "cn=Test Group,ou=Groups,dc=example,dc=com".
Base DN: cn=Test Group,ou=Groups,dc=example,dc=com
Scope: base
Filter: (member=uid=john.doe,ou=People,dc=example,dc=com)
Requested attributes: 1.1
Example:
$ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"
Result:
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
-
If you do not know whether the membership attribute for the specified group is member or uniqueMember, then revise the filter to allow either attribute.
Example:
This example adjusts the filter from the previous step's example to expand the membership attribute to allow for both the member and uniqueMember attributes.
(|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
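As an added example (not part of this documentation or the ldapsearch tool), the following Python builds the base-scope membership search from both steps, escapes the user DN per RFC 4515 so that DN characters such as parentheses or an asterisk cannot alter the filter, and interprets the result. The in-memory DIRECTORY, its simplified filter evaluation, and all function names are constructed for illustration.

```python
import re

# Added example; the in-memory directory below is constructed sample data,
# and its matching is a simplification of real LDAP DN matching rules.

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: '\\', '*', '(', ')' and NUL
    become \\XX so a DN cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(user_dn, attrs=("member",)):
    """(member=DN) for one attribute, (|(member=DN)(uniqueMember=DN)) for several."""
    clauses = ["(%s=%s)" % (a, escape_filter_value(user_dn)) for a in attrs]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)

def membership_search(group_dn, user_dn, attrs=("member",)):
    """Search parameters: base = group entry, scope = base, attributes = 1.1."""
    return {"baseDN": group_dn, "scope": "base",
            "filter": membership_filter(user_dn, attrs), "attributes": ["1.1"]}

def is_member(entries):
    """The user is a member exactly when the base search returned the group entry."""
    return len(entries) == 1

# Constructed stand-in for the directory server: one groupOfNames entry.
DIRECTORY = {
    "cn=Test Group,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=john.doe,ou=People,dc=example,dc=com"],
    },
}

_CLAUSE = re.compile(r"\((\w+)=((?:\\[0-9a-f]{2}|[^()\\])*)\)")

def _unescape(v):
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def base_search(base_dn, filt):
    """Evaluate an equality or OR-of-equality filter against the base entry only."""
    entry = DIRECTORY.get(base_dn)
    if entry is None:
        return []
    for attr, val in _CLAUSE.findall(filt):
        if _unescape(val).lower() in (x.lower() for x in entry.get(attr, [])):
            return [base_dn]
    return []

def check_membership(group_dn, user_dn, attrs=("member",)):
    spec = membership_search(group_dn, user_dn, attrs)
    return is_member(base_search(spec["baseDN"], spec["filter"]))
```

Note that without the escaping step a user DN of "*" would turn the equality filter into a presence filter, (member=*), which matches any non-empty group.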