PingDirectory

Searching static groups

The following section provides a description of how to compose searches to determine if a user is a member of a static group, to determine all the static groups in which a user is a member, and to determine all the members of a static group.

Determining if a user is a static group member

Steps

  • To determine if a user is a member of a specified group, perform a base-level search to retrieve the group entry, using an equality filter that looks for a membership attribute value equal to the distinguished name (DN) of the specified user.

    For best performance, include a specific attribute list (for example, cn) or request 1.1, which asks that no attributes be returned, so that the entire member list is not transferred.

    Example:

    This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the groupOfNames static group cn=Test Group,ou=Groups,dc=example,dc=com.

    Base DN                cn=Test Group,ou=Groups,dc=example,dc=com
    Scope                  base
    Filter                 (member=uid=john.doe,ou=People,dc=example,dc=com)
    Requested attributes   1.1

    Example:

    $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
      --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"

    Result:

    If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.

  • If you do not know if the membership attribute for the specified group is member or uniqueMember, then revise the filter to allow either attribute.

    Example:

    This example adjusts the filter from the previous step’s example to expand the membership attribute to allow for member and uniqueMember attributes.

    (|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))

Determining the static groups to which a user belongs

Steps

  • To determine the set of all static groups in which a user is specified as a member, perform a subtree search based at the top of the directory information tree (DIT).

    Configure the search filter to match any type of static group in which the specified user is a member.

    Example:

    The following table contains the search criteria to determine the set of all static groups in which the user uid=john.doe,ou=People,dc=example,dc=com is a member.

    Base DN                dc=example,dc=com
    Scope                  sub
    Filter                 (|(&(objectClass=groupOfNames)(member=uid=john.doe,ou=People,dc=example,dc=com))
                             (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
                             (&(objectClass=groupOfEntries)(member=uid=john.doe,ou=People,dc=example,dc=com)))
    Requested attributes   1.1

    Example:

    $ bin/ldapsearch --baseDN "dc=example,dc=com" --searchScope sub \
      "(|(&(objectClass=groupOfNames) \
      (member=uid=john.doe,ou=People,dc=example,dc=com)) \
      (&(objectClass=groupOfUniqueNames) \
      (uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)) \
      (&(objectClass=groupOfEntries) \
      (member=uid=john.doe,ou=People,dc=example,dc=com)))" "1.1"

    Result:

    Entries returned from the search represent each static group in which the specified user is a member.

    A base-level search of the user's entry for the isMemberOf or isDirectMemberOf virtual attributes gives the same results. These virtual attributes also work with virtual static groups.
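The following is an added example, not code from the PingDirectory documentation. It builds the membership filters used in the two procedures above (the base-scope check against one group, and the subtree search for every static group type), escaping the user DN per RFC 4515 so that DN characters such as parentheses, an asterisk or the backslash of an escaped comma cannot change the structure of the filter. The ldapsearch_argv helper and the DN values are constructed for illustration.

```python
# Added example, not from the PingDirectory documentation: builds the
# membership filters described above with the user DN escaped per RFC 4515,
# so DN characters such as '(', ')', '*' or '\' cannot change the filter.

STATIC_GROUP_CLASSES = (          # object class -> its membership attribute
    ("groupOfNames", "member"),
    ("groupOfUniqueNames", "uniqueMember"),
    ("groupOfEntries", "member"),
)


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def is_member_filter(user_dn: str, attrs=("member", "uniqueMember")) -> str:
    """Filter for the base-scope search against one group entry.
    Pass attrs=("member",) when the membership attribute is known."""
    value = escape_filter_value(user_dn)
    clauses = "".join(f"({attr}={value})" for attr in attrs)
    return clauses if len(attrs) == 1 else f"(|{clauses})"


def groups_of_user_filter(user_dn: str) -> str:
    """Subtree filter matching every static group type that lists the user."""
    value = escape_filter_value(user_dn)
    clauses = "".join(
        f"(&(objectClass={oc})({attr}={value}))" for oc, attr in STATIC_GROUP_CLASSES
    )
    return f"(|{clauses})"


def ldapsearch_argv(base_dn: str, scope: str, filt: str, *attrs: str) -> list:
    """argv for bin/ldapsearch using the options shown on this page; the
    default '1.1' (no attributes) keeps the whole member list off the wire."""
    return ["bin/ldapsearch", "--baseDN", base_dn, "--searchScope", scope,
            filt, *(attrs or ("1.1",))]


if __name__ == "__main__":
    user = "uid=john.doe,ou=People,dc=example,dc=com"      # constructed
    group = "cn=Test Group,ou=Groups,dc=example,dc=com"    # constructed
    print(ldapsearch_argv(group, "base", is_member_filter(user, ("member",))))
    print(ldapsearch_argv("dc=example,dc=com", "sub", groups_of_user_filter(user)))
    # A DN with an escaped comma shows why escaping matters: the backslash
    # must become \5c in the filter or the assertion value is malformed.
    print(is_member_filter("cn=Doe\\, John,ou=People,dc=example,dc=com"))
```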

Determining the members of a static group

Steps

  • To determine all of the members of a static group, retrieve the group entry, including its membership attribute.

    To retrieve attributes from the member entries as well, either search for all users whose isMemberOf attribute contains the group DN, requesting the desired attributes, or issue a separate search for each member DN to retrieve that user entry and the desired attributes.

    Example:

    This table contains the search criteria to retrieve the list of all members of the group cn=Test Group,ou=Groups,dc=example,dc=com.

    Base DN                cn=Test Group,ou=Groups,dc=example,dc=com
    Scope                  base
    Filter                 (objectClass=*)
    Requested attributes   member uniqueMember

    Example:

    $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
      --searchScope base "(objectClass=*)" member uniqueMember

    Result:

    The returned entry includes the DNs of all users that are members of that group.