• To determine whether a user is a member of a specified group, perform a base-scope search on the group entry with an equality filter that matches the group's membership attribute against the distinguished name (DN) of the user.
    Note:

    For best performance, request a specific attribute list (for example, cn) or use 1.1 to request that no attributes be returned, so that the entire member list is not sent back with the entry.

    This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the groupOfNames static group "cn=Test Group,ou=Groups,dc=example,dc=com".

    Base DN               cn=Test Group,ou=Groups,dc=example,dc=com
    Scope                 base
    Filter                (member=uid=john.doe,ou=People,dc=example,dc=com)
    Requested attributes  1.1

    $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \
      --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1"

    If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.

  • If you do not know if the membership attribute for the specified group is member or uniqueMember, then revise the filter to allow either attribute.

    This example adjusts the filter from the previous step's example so that it matches either the member or the uniqueMember attribute.

    (|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com))
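    The following Python is an added example, not part of the product documentation, that builds the membership-check search from both steps above. It assembles the single-attribute filter from the first step and the member/uniqueMember alternative from the second, and it additionally escapes the user DN per RFC 4515 before placing it in the filter, so that a DN taken from user input cannot change the filter's structure. The group and user DNs are the page's example values; the helper names (escape_filter_value, membership_filter, ldapsearch_argv, is_member) are my own, and the argv list mirrors the bin/ldapsearch invocation shown above without executing it.

    ```python
    """Build and interpret a base-scope group membership check (added example)."""

    # Example values from the page; any other values are constructed for illustration.
    GROUP_DN = "cn=Test Group,ou=Groups,dc=example,dc=com"
    USER_DN = "uid=john.doe,ou=People,dc=example,dc=com"


    def escape_filter_value(value: str) -> str:
        """Escape a string for use as an assertion value in an LDAP filter (RFC 4515).

        The characters '*', '(', ')', '\\' and NUL are replaced by a backslash and
        two hex digits, so they are matched literally instead of being parsed as
        filter syntax.
        """
        out = []
        for ch in value:
            if ch in ("\\", "*", "(", ")", "\0"):
                out.append("\\%02x" % ord(ch))
            else:
                out.append(ch)
        return "".join(out)


    def membership_filter(user_dn: str, attrs=("member",)) -> str:
        """Return an equality filter on the membership attribute(s) for user_dn.

        With one attribute this is the first step's filter; with
        ("member", "uniqueMember") it is the second step's OR filter.
        """
        escaped = escape_filter_value(user_dn)
        parts = ["(%s=%s)" % (attr, escaped) for attr in attrs]
        if len(parts) == 1:
            return parts[0]
        return "(|" + "".join(parts) + ")"


    def ldapsearch_argv(group_dn: str, user_dn: str, attrs=("member",)) -> list:
        """Return the bin/ldapsearch command line from the page as an argv list.

        The search is base-scope on the group entry and requests the special
        attribute 1.1 so the member list itself is not returned.
        """
        return [
            "bin/ldapsearch",
            "--baseDN", group_dn,
            "--searchScope", "base",
            membership_filter(user_dn, attrs),
            "1.1",
        ]


    def is_member(returned_entries: list) -> bool:
        """Interpret the result of the base-scope search.

        A base-scope search can return at most the one entry at the base DN, so
        one entry means the user is a member and no entries means not a member.
        """
        return len(returned_entries) == 1


    if __name__ == "__main__":
        print(" ".join(ldapsearch_argv(GROUP_DN, USER_DN)))
        print(membership_filter(USER_DN, ("member", "uniqueMember")))
        # Constructed results, as a search client would hand them back.
        print(is_member([GROUP_DN]), is_member([]))
    ```

    The argv list is intended for subprocess-style invocation (one argument per element) so the shell never re-parses the filter; if the user DN instead comes from an untrusted source, escape_filter_value is what keeps parentheses and asterisks inside the DN from being read as filter operators.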