To determine whether a user is a member of a specific dynamic group, run a base-level search to verify that the user's entry is both within the scope of the member URL and matches the filter contained in that URL.
Tip:
You can verify that a user's entry is within the scope of the URL using simple client-side only processing. Evaluating the filter against the entry on the client side is more complicated. While possible, especially in clients able to perform schema-aware evaluation, a simple alternative is to perform a base-level search to retrieve the user's entry with the filter contained in the member URL.
This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the dynamic group with the desired member URL.
Base DN: uid=john.doe,ou=People,dc=example,dc=com
Scope: base
Filter: (ou=Engineering)
Requested Attributes: 1.1
$ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
    --searchScope base "(ou=Engineering)" "1.1"
Note: The search requires the user DN to be under the search base defined in the memberurl attribute for the user to be a member.
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
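The client-side scope check from the tip, combined with building the base-level search shown above, as an added example that is not part of the product documentation. The member URL value and all function names are assumptions made for illustration, and the DN normalization is simplified (lowercased and trimmed, not schema-aware).

```python
from urllib.parse import unquote
# Constructed member URL (assumed; the page does not show the group's actual value).
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"

def split_dn(dn):
    """Split a DN into lowercased, trimmed RDNs; an escaped comma does not split."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\" and not esc)
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        if attr.strip():
            out.append(attr.strip().lower() + "=" + val.strip().lower())
    return out

def parse_member_url(url):
    """Return (base DN, scope, filter) from ldap://host/dn?attrs?scope?filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _, _, rest = url[7:].partition("/")  # drop host[:port]
    fields = [unquote(f) for f in (rest.split("?") + [""] * 3)[:4]]
    return fields[0], (fields[2] or "base").lower(), fields[3] or "(objectClass=*)"

def in_scope(user_dn, base_dn, scope):
    """Client-side scope check by comparing RDN sequences, not raw strings."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    depth = len(user) - len(base)
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope: " + scope)
    if depth < 0 or user[depth:] != base:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def membership_search(user_dn, member_url):
    """Return the ldapsearch argv for the filter check, or None if out of scope."""
    base, scope, flt = parse_member_url(member_url)
    if not in_scope(user_dn, base, scope):
        return None
    return ["bin/ldapsearch", "--baseDN", user_dn, "--searchScope", "base", flt, "1.1"]

if __name__ == "__main__":
    print(membership_search("uid=john.doe,ou=People,dc=example,dc=com", MEMBER_URL))
```

A returned argument list covers only the scope half of the check: the user is a member only if running that search returns the entry. Comparing RDN sequences rather than testing a string suffix keeps a DN such as `uid=x\,ou=People,dc=example,dc=com` from being treated as in scope.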