You can verify that a user's entry is within the scope of the URL using simple client-side only processing. Evaluating the filter against the entry on the client side is more complicated. While possible, especially in clients able to perform schema-aware evaluation, a simple alternative is to perform a base-level search to retrieve the user's entry with the filter contained in the member URL.
This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the dynamic group with the desired member URL.
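| Search criterion | Value |
|---|---|
| Base DN | uid=john.doe,ou=People,dc=example,dc=com |
| Scope | base |
| Filter | (ou=Engineering) |
| Requested Attributes | 1.1 |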
$ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
--searchScope base "(ou=Engineering)" "1.1"
The search requires the user DN to be under the search base defined in the memberurl attribute for the user to be a member.
If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.
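The two checks described above can be combined as in the following added example, which is not part of the original documentation: it parses a member URL, does the scope check on the client side, and only then builds the base-level search. The member URL value, the function names, and the simplified case-insensitive DN comparison are assumptions made for illustration.

```python
from urllib.parse import unquote

def split_dn(dn):
    """Split a DN into lowercased RDNs, honoring backslash-escaped commas.
    Simplified matching: not full RFC 4514 / schema-aware normalization."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc or ch != ",":
            cur += ch
            esc = (ch == "\\") and not esc
        else:
            rdns.append(cur)
            cur = ""
    if cur:
        rdns.append(cur)
    return ["=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns]

def parse_member_url(url):
    """Return (base_dn, scope, filter) from ldap:///base?attrs?scope?filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _, _, tail = url[len("ldap://"):].partition("/")
    fields = (tail.split("?") + ["", "", ""])[:4]
    base, _attrs, scope, flt = (unquote(f) for f in fields)
    # RFC 4516 defaults: scope "base", filter "(objectClass=*)"
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def in_scope(user_dn, base_dn, scope):
    """Client-side check that user_dn falls inside the URL's base and scope."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    depth = len(user) - len(base)
    if depth < 0 or user[depth:] != base:
        return False
    # Unknown scope keywords fail closed.
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def membership_search(user_dn, member_url):
    """Return ldapsearch argv for the filter check, or None when the DN is
    outside the URL's base/scope (not a member, so no search is needed)."""
    base, scope, flt = parse_member_url(member_url)
    if not in_scope(user_dn, base, scope):
        return None
    # argv list (no shell) so the filter text is never shell-interpreted
    return ["bin/ldapsearch", "--baseDN", user_dn, "--searchScope", "base", flt, "1.1"]

# Constructed member URL (assumption; the page does not show one).
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"
```

Skipping the scope check and relying on the filter search alone would report any entry with a matching ou value as a member, even one outside the member URL's base DN.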