To determine whether a user is a member of a specified group, perform a base-level search of the group entry with an equality filter that matches the group's membership attribute against the DN of the specified user.

For best performance, include a specific attribute list (just "cn", or "1.1" to request that no attributes be returned) so that the entire member list is not returned. For example, to determine whether the user "uid=john.doe,ou=People,dc=example,dc=com" is a member of the groupOfNames static group "cn=Test Group,ou=Groups,dc=example,dc=com", issue a search with the following criteria:
  • Base DN: cn=Test Group,ou=Groups,dc=example,dc=com
  • Scope: base
  • Filter: (member=uid=john.doe,ou=People,dc=example,dc=com)
  • Requested Attributes: 1.1
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group. If you do not know the membership attribute for the specified group (it could be either member or uniqueMember), revise the filter so that it allows either one, as follows:
(|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
  • Run a base-level search to retrieve the group entry with an equality filter that matches the membership attribute against the user's DN.
    $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
      --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"
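
The same search as a reusable shell check, added here as an example and not taken from the product's own documentation. It escapes the user DN for filter use (RFC 4515), so a DN containing \, *, ( or ) is matched literally instead of altering the filter, and it reports a failed search separately from "not a member". The function names, the LDAPSEARCH variable, and the assumption that a returned entry is printed as LDIF beginning with "dn:" belong to this example.

```shell
#!/bin/sh
# Added example: membership check with the user DN escaped for filter use.
LDAPSEARCH="${LDAPSEARCH:-bin/ldapsearch}"   # tool path as used on this page

# Escape a value for an LDAP filter assertion (RFC 4515): \ * ( )
# Backslash goes first so the escapes added afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the member/uniqueMember OR filter shown above for one user DN.
membership_filter() {
    _dn=$(ldap_filter_escape "$1")
    printf '(|(member=%s)(uniqueMember=%s))\n' "$_dn" "$_dn"
}

# Return 0 if the user is a member, 1 if not, 2 if the search itself failed,
# so an error is never mistaken for a membership answer.
# Assumption: a returned entry is printed as LDIF starting with "dn:".
is_member() {   # usage: is_member GROUP_DN USER_DN
    out=$("$LDAPSEARCH" --baseDN "$1" --searchScope base \
          "$(membership_filter "$2")" "1.1") || return 2
    printf '%s\n' "$out" | grep -q '^dn:'
}
```

Call it as is_member "cn=Test Group,ou=Groups,dc=example,dc=com" "uid=john.doe,ou=People,dc=example,dc=com" and branch on the exit status.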