Searching dynamic groups
The following sections describe how to compose searches to determine if a user is a member of a dynamic group, to determine all the dynamic groups in which a user is a member, and to determine all the members of a dynamic group.
Determining if a user is a dynamic group member
Steps
- To determine whether a user is a member of a specific dynamic group, run a base-level search to verify that the user’s entry is both within the scope of the member URL and that it matches the filter contained in that URL.
You can verify that a user’s entry is within the scope of the URL using simple client-side only processing. Evaluating the filter against the entry on the client side is more complicated. While possible, especially in clients able to perform schema-aware evaluation, a simple alternative is to perform a base-level search to retrieve the user’s entry with the filter contained in the member URL.
Example:
This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the dynamic group with the desired member URL.
Base DN: uid=john.doe,ou=People,dc=example,dc=com
Scope: base
Filter: (ou=Engineering)
Requested Attributes: 1.1
Example:
$ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
  --searchScope base "(ou=Engineering)" "1.1"
The search requires the user DN to be under the search base defined in the memberURL attribute for the user to be a member.
Result:
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
Determining the dynamic groups to which a user belongs
Steps
- To determine the set of all dynamic groups in which a user is a member, perform a search to find all dynamic group entries defined in the server using a subtree search with a filter of (objectClass=groupOfURLs). You should retrieve the memberURL attribute so that you can use the logic described in the previous section to determine whether the specified user is a member of each of those groups.
Example:
The following table contains the search criteria to determine the set of all dynamic groups defined in the dc=example,dc=com tree.
Base DN: dc=example,dc=com
Scope: sub
Filter: (objectClass=groupOfURLs)
Requested Attributes: memberURL
Example:
$ bin/ldapsearch --baseDN "dc=example,dc=com" \
  --searchScope sub "(objectClass=groupOfURLs)" "memberURL"
Result:
Each entry returned is a dynamic group definition. You can use the base, scope, and filter of its memberURL attribute to determine whether the user is a member of that dynamic group.
Determining the members of a dynamic group
Steps
- To determine all members of a dynamic group, issue a search using the base, scope, and filter of the member URL. The set of requested attributes should reflect the attributes desired from the member user entries, or "1.1" if no attributes are needed.
Example:
This table contains the search criteria to retrieve the list of all members of the group whose member URL is rooted at dc=example,dc=com, along with the cn and mail attributes.
Base DN: dc=example,dc=com
Scope: sub
Filter: (employeeType=contractor)
Requested Attributes: cn, mail
Example:
This search might be extensive if the associated filter is not indexed or if the group contains a large number of members.
$ bin/ldapsearch --baseDN "dc=example,dc=com" \
  --searchScope sub "(employeeType=contractor)" cn mail