Searching static groups
The following section provides a description of how to compose searches to determine if a user is a member of a static group, to determine all the static groups in which a user is a member, and to determine all the members of a static group.
Determining if a user is a static group member
Steps
-
To determine if a user is a member of a specified group, perform a base-level search to retrieve the group entry with an equality filter looking for the membership attribute of a value equal to the distinguished name (DN) of the specified user.
For best performance, include a specific attribute list, using either cn or 1.1 (a request that no attributes be returned), so that the entire member list is not returned.

Example:
This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the groupOfNames static group "cn=Test Group,ou=Groups,dc=example,dc=com".

Base DN: cn=Test Group,ou=Groups,dc=example,dc=com
Scope: base
Filter: (member=uid=john.doe,ou=People,dc=example,dc=com)
Requested attributes: 1.1

Example:
$ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"

Result:
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
-
If you do not know whether the membership attribute for the specified group is member or uniqueMember, revise the filter to allow either attribute.

Example:
This example adjusts the filter from the previous step's example so that the membership attribute can be either member or uniqueMember.

(|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
Determining the static groups to which a user belongs
Steps
-
To determine the set of all static groups in which a user is specified as a member, perform a subtree search based at the top of the directory information tree (DIT).
Configure the search filter to match any type of static group in which the specified user is a member.
Example:
The following table contains the search criteria to determine the set of all static groups in which the user uid=john.doe,ou=People,dc=example,dc=com is a member.

Base DN: dc=example,dc=com
Scope: sub
Filter: (|(&(objectClass=groupOfNames)(member=uid=john.doe,ou=People,dc=example,dc=com))(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))(&(objectClass=groupOfEntries)(member=uid=john.doe,ou=People,dc=example,dc=com)))
Requested attributes: 1.1

Example:
$ bin/ldapsearch --baseDN "dc=example,dc=com" --searchScope sub \
"(|(&(objectClass=groupOfNames) (member=uid=john.doe,ou=People,dc=example,dc=com)) \
(&(objectClass=groupOfUniqueNames)\
(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)) \
(&(objectClass=groupOfEntries) \
(member=uid=john.doe,ou=People,dc=example,dc=com)))" "1.1"

Result:
Entries returned from the search represent each static group in which the specified user is a member.
A base-level search of the user's entry for the isMemberOf or isDirectMemberOf virtual attributes gives the same results. You can also use the virtual attributes with virtual static groups.
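The filters in the two preceding sections are usually assembled by code rather than typed by hand. The following Python example, added here and not part of the original documentation, builds the single-group membership filter (including the member/uniqueMember form from step 2) and the all-groups filter, escaping the user DN according to RFC 4515 so that a DN taken from untrusted input cannot change the structure of the filter. The function names, the argument-list helper for bin/ldapsearch and the sample values are assumptions made for the example.

```python
# Added example (not from the original documentation): compose the membership
# filters described above with RFC 4515 escaping applied to the user DN, so a
# DN that contains filter metacharacters ("*", "(", ")", "\") cannot widen or
# alter the search when the DN comes from untrusted input.


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter
    (RFC 4515 section 3): NUL, '(', ')', '*' and '\\' become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def is_member_filter(user_dn: str, membership_attrs=("member",)) -> str:
    """Filter for the base-scope search of one group entry (first section).
    With ("member", "uniqueMember") this is the OR filter of step 2."""
    value = escape_filter_value(user_dn)
    clauses = ["(%s=%s)" % (attr, value) for attr in membership_attrs]
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


# Static group object classes paired with the attribute that holds members
# (the three classes used by the subtree search in the second section).
STATIC_GROUP_CLASSES = (
    ("groupOfNames", "member"),
    ("groupOfUniqueNames", "uniqueMember"),
    ("groupOfEntries", "member"),
)


def groups_of_user_filter(user_dn: str) -> str:
    """Filter for the subtree search that finds every static group listing
    the user as a member (second section)."""
    value = escape_filter_value(user_dn)
    clauses = [
        "(&(objectClass=%s)(%s=%s))" % (oc, attr, value)
        for oc, attr in STATIC_GROUP_CLASSES
    ]
    return "(|" + "".join(clauses) + ")"


def ldapsearch_command(base_dn: str, scope: str, search_filter: str, attrs) -> list:
    """Argument vector for bin/ldapsearch matching the examples above (assumed
    helper). A list passed to subprocess.run without shell=True needs no extra
    shell quoting on top of the filter escaping."""
    return ["bin/ldapsearch", "--baseDN", base_dn, "--searchScope", scope,
            search_filter, *attrs]


if __name__ == "__main__":
    user = "uid=john.doe,ou=People,dc=example,dc=com"
    group = "cn=Test Group,ou=Groups,dc=example,dc=com"
    print(is_member_filter(user))
    print(is_member_filter(user, ("member", "uniqueMember")))
    print(groups_of_user_filter(user))
    print(ldapsearch_command(group, "base", is_member_filter(user), ["1.1"]))
    # A constructed hostile value stays a literal string after escaping:
    print(is_member_filter("uid=*)(objectClass=*"))
```

Because the filter values are escaped and the command is kept as an argument list, the only thing a caller controls is which literal DN is matched; the ldapsearch examples in the text correspond to running the returned list with subprocess.run and no shell.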
Determining the members of a static group
Steps
-
To determine all of the members for a static group, retrieve the group entry, including the membership attribute.
To retrieve attributes from member entries, search all users whose isMemberOf attribute contains the group DN, returning the desired attributes. To retrieve additional information about the members, such as attributes from the member entries, you can instead issue a separate search for each member to retrieve the user entry and the desired attributes.
Example:
This table contains the search criteria to retrieve the list of all members for the group cn=Test Group,ou=Groups,dc=example,dc=com.

Base DN: cn=Test Group,ou=Groups,dc=example,dc=com
Scope: base
Filter: (objectClass=*)
Requested attributes: member uniqueMember

Example:
$ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
--searchScope base "(objectclass=*)" member uniqueMember

Result:
The returned entry includes the DNs of all users that are members of that group.
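The group entry comes back from ldapsearch as LDIF. The following Python example, added here and not from the original documentation, turns such output into the list of member DNs, handling folded continuation lines, base64-encoded (::) values for non-ASCII DNs, and a group that uses either membership attribute. The sample LDIF is constructed for the example, and the function names are assumptions.

```python
# Added example (not from the original documentation): parse the LDIF that the
# member-listing search above returns and extract the member DNs.
import base64


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines: a physical line that starts with a single
    space continues the previous logical line (RFC 2849). Comments are dropped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif_entries(text: str) -> list:
    """Parse LDIF search output into a list of entries. Each entry maps the
    lower-cased attribute name (including 'dn') to a list of string values;
    '::' values are base64-decoded as UTF-8."""
    entries, current = [], {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):   # "attr:< <url>" is not expected for groups
            continue
        elif value.startswith(" "):   # "attr: <value>"
            value = value[1:]
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def group_members(entry: dict, membership_attrs=("member", "uniqueMember")) -> list:
    """Collect member DNs from whichever membership attribute(s) the group entry
    carries. Duplicates are removed by exact string match only; code that
    compares DNs for access decisions should normalize them (case, spacing) first."""
    seen, members = set(), []
    for attr in membership_attrs:
        for dn in entry.get(attr.lower(), []):
            if dn not in seen:
                seen.add(dn)
                members.append(dn)
    return members


def sample_group_ldif() -> str:
    """Constructed LDIF resembling the output of the ldapsearch example above
    (sample data, not captured from a server). The second value is folded across
    two lines and the third is base64-encoded because it is not ASCII."""
    non_ascii_dn = "uid=zoë.doe,ou=People,dc=example,dc=com"
    encoded = base64.b64encode(non_ascii_dn.encode("utf-8")).decode("ascii")
    return (
        "dn: cn=Test Group,ou=Groups,dc=example,dc=com\n"
        "member: uid=john.doe,ou=People,dc=example,dc=com\n"
        "member: uid=jane.roe,ou=People,dc=example,\n"
        " dc=com\n"
        "uniqueMember:: " + encoded + "\n"
        "\n"
    )


if __name__ == "__main__":
    for entry in parse_ldif_entries(sample_group_ldif()):
        print(entry["dn"][0])
        for dn in group_members(entry):
            print("  ", dn)
```

The DN list this produces is the input for the per-member follow-up searches mentioned in the step above; feeding real ldapsearch output through parse_ldif_entries works the same way because the function only relies on the LDIF rules for folding and base64 values.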