• To determine whether a user is a member of a specific dynamic group, run a base-level search to verify that the user's entry is within the scope of the member URL and matches the filter contained in that URL.
    Tip:

    You can verify that a user's entry is within the scope of the URL with simple client-side processing. Evaluating the filter against the entry on the client side is more complicated. While it is possible, especially in clients that can perform schema-aware evaluation, a simpler alternative is to perform a base-level search that retrieves the user's entry with the filter contained in the member URL.

    This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the dynamic group with the desired member URL.

    | Criterion | Value |
    | --- | --- |
    | Base DN | uid=john.doe,ou=People,dc=example,dc=com |
    | Scope | base |
    | Filter | (ou=Engineering) |
    | Requested Attributes | 1.1 |

    $ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
      --searchScope base "(ou=Engineering)" "1.1"

    Note:

    For the user to be a member, the user DN must be under the search base defined in the memberurl attribute.

    If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.