PingDirectory

Determining if a user is a dynamic group member

Steps

  • To determine whether a user is a member of a specific dynamic group, run a base-level search to verify that the user’s entry is both within the scope of the member URL and that it matches the filter contained in that URL.

    You can verify that a user’s entry is within the scope of the URL using simple client-side processing. Evaluating the filter against the entry on the client side is more complicated; while it is possible, especially in clients that can perform schema-aware evaluation, a simpler alternative is to perform a base-level search for the user’s entry using the filter contained in the member URL. If the server returns the entry, the entry matches the filter.

    Example:

    This table contains the search criteria to determine whether the user uid=john.doe,ou=People,dc=example,dc=com is a member of a dynamic group whose member URL contains the filter (ou=Engineering).

    Base DN:               uid=john.doe,ou=People,dc=example,dc=com
    Scope:                 base
    Filter:                (ou=Engineering)
    Requested Attributes:  1.1

    Example:

    $ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
      --searchScope base "(ou=Engineering)" "1.1"

    For the user to be a member, the user’s DN must also be under the search base (and within the scope) defined in the group’s memberURL attribute. The base-level search above does not check this, because its base is the user’s own DN, so verify the scope on the client side as described earlier.

    Result:

    If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
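    As an added example that is not part of the PingDirectory documentation, the following Python performs the client-side scope check described above and then builds the base-level search and the matching bin/ldapsearch command. The memberURL value ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering) and every DN other than john.doe’s are constructed for illustration.

```python
"""Client-side scope check for a dynamic group memberURL, then the
base-level search the page describes.  Added example: the memberURL
value and user DNs used with it are constructed for illustration."""
from urllib.parse import unquote

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL (ldap:///base?attrs?scope?filter) into its parts."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// member URLs are handled in this example")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing trailing fields default to empty
    base, _attrs, scope, filt = parts[:4]
    return {"base": unquote(base),
            "scope": (scope or "base").lower(),   # RFC 4516 default scope is base
            "filter": unquote(filt) or "(objectClass=*)"}

def dn_components(dn):
    """Split a DN into lower-cased RDNs (simple DNs only: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def dn_in_scope(user_dn, base_dn, scope):
    """True if user_dn lies within base_dn for the given LDAP search scope."""
    user, base = dn_components(user_dn), dn_components(base_dn)
    if len(user) < len(base) or user[len(user) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(user) - len(base)         # 0 means user_dn is the base entry itself
    if scope == "base":
        return depth == 0
    if scope in ("one", "onelevel"):
        return depth == 1
    return True                           # sub / subtree: any depth below the base

def membership_search(user_dn, member_url):
    """Return the base-level search to run, or None if the DN is outside the URL's scope.
    The server evaluates the URL's filter against the entry when it processes the search."""
    url = parse_member_url(member_url)
    if not dn_in_scope(user_dn, url["base"], url["scope"]):
        return None
    return {"baseDN": user_dn, "scope": "base", "filter": url["filter"], "attributes": ["1.1"]}

def ldapsearch_command(search):
    """Render the search as the bin/ldapsearch invocation used on the page."""
    return 'bin/ldapsearch --baseDN "%s" --searchScope %s "%s" "%s"' % (
        search["baseDN"], search["scope"], search["filter"], " ".join(search["attributes"]))
```

    A result of None from membership_search means the user is not a member regardless of the filter, so no server round trip is needed in that case.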