How to search in LDAP for group users?


We have a group: "MyTest" in

OU=Domain_users,DC=my,DC=test

We are trying to find the users in this group with:

(&(|(sAMAccountName=*$str*)(givenName=*$str*)(sn=*$str*)(middlename=*$str*))(memberOf=CN=MyTest))

and:

(memberOf=CN=MyTest,OU=Domain_users,DC=my,DC=test)

But it doesn't work. When we filter by user name only, it works.

2

There are 2 answers

4
mvreijn On

In your filter,

(memberOf=CN=MyTest)

will ensure that no results are returned. The attribute memberOf is a DN which is always the complete value

CN=MyTest,OU=Domain_users,DC=my,DC=test

If you are unable to find anything using the complete DN above, then just print the complete filter (to console or log) to make sure that you have a valid LDAP filter.

EDIT

Come to think of it, you cannot search on containment on all attributes in LDAP. Especially not sAMAccountName AFAIK.

Try this first:

(&
    (|
        (sAMAccountName=$str*)
        (givenName=$str*)
        (sn=$str*)
        (middlename=$str*)
    )
    (memberOf=CN=MyTest,OU=Domain_users,DC=my,DC=test)
)

And if that works, you may try to search for the attributes using a duplicate OR:

(|(sAMAccountName=*$str)(sAMAccountName=$str*))

Note the location of the wildcard.

EDIT 2

I took a cup of coffee and read your question again. In Active Directory, group membership is maintained on the group only, not on the user. So you cannot search on memberOf but you have to execute 2 calls: one to find the user and one to check the group membership using (member=<user dn>).

2
jwilleke On

Try something like:

(&(objectClass=user)(sAMAccountName=$str*)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET))

Be aware that "$str" appears to be a substitution value which may not be properly implemented in an LDAP query.

There are some links that may help:
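As an added example (not code from the question or from either answer), here is how the filters discussed in both answers can be built in Python with the $str substitution escaped per RFC 4515, which is the "may not be properly implemented" concern in jwilleke's answer: an unescaped search term such as `*)(objectClass=*` would otherwise rewrite the filter. The group DN is the one from the question; the function names, the `nested` switch and the injection string are this example's own assumptions.

```python
# Added example: building the LDAP filters from the answers above with
# RFC 4515 escaping of the caller-supplied search term.
# Assumptions: the group DN from the question; function names are this
# example's own; the injection sample in main() is constructed.

GROUP_DN = "CN=MyTest,OU=Domain_users,DC=my,DC=test"

# LDAP_MATCHING_RULE_IN_CHAIN, the Active Directory extensible-match rule
# quoted in jwilleke's answer; it walks nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Attributes the question ORs together. LDAP attribute names are
# case-insensitive, so "middlename" and "middleName" match the same one.
NAME_ATTRS = ("sAMAccountName", "givenName", "sn", "middleName")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    Every character with filter-syntax meaning becomes a backslash plus
    two hex digits, so the caller's string can never close the
    parenthesis, inject a new clause or smuggle in its own wildcard.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def prefix_match(attr: str, term: str) -> str:
    """The "$str*" form from mvreijn's answer.

    The wildcard is appended after escaping, so it stays a real wildcard
    while any '*' typed by the user is matched literally.
    """
    return f"({attr}={escape_filter_value(term)}*)"


def members_of_group_filter(term: str, group_dn: str = GROUP_DN,
                            nested: bool = False) -> str:
    """One-call search: name prefix match AND membership of group_dn.

    memberOf must carry the full DN (the point of mvreijn's first edit).
    With nested=True the extensible-match form from jwilleke's answer is
    used, which also matches members of groups nested inside group_dn.
    """
    name_clause = "(|" + "".join(prefix_match(a, term) for a in NAME_ATTRS) + ")"
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"(&(objectClass=user){name_clause}({attr}={escape_filter_value(group_dn)}))"


def membership_check_filter(user_dn: str, nested: bool = False) -> str:
    """Second call of the two-call approach in mvreijn's EDIT 2.

    Searches group objects whose member attribute (or, with nested=True,
    whose transitive membership chain) contains the user's DN.
    """
    attr = f"member:{IN_CHAIN}:" if nested else "member"
    return f"(&(objectClass=group)({attr}={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    print(members_of_group_filter("jo"))
    print(members_of_group_filter("jo", nested=True))
    # Constructed injection attempt: without escaping this would turn the
    # name clause into (sAMAccountName=*)(objectClass=**) and match everyone.
    print(members_of_group_filter("*)(objectClass=*"))
    print(membership_check_filter("CN=Jo Doe,OU=Domain_users,DC=my,DC=test"))
```

Two caveats when running these against Active Directory: memberOf is a back-link attribute that the directory maintains on the user object, so the one-call form does work with a full DN, but it never lists the user's primary group (held in primaryGroupID), and the plain memberOf form does not see membership through nested groups, which is what the 1.2.840.113556.1.4.1941 rule adds. Whichever form you use, escape the search term and the DN before interpolation; that is the check the "$str" substitution in the question is missing.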