Open Directory: ldap search for members of a group

  • #377404
    gw1500se
    Participant

    I am trying to write a search to return all members of a specific group. However, the filter I am using, only returns the group information, not the member of that group. Can someone help me with the correct format? TIA.

    ldapsearch -x -LLL -b "dc=myhost,dc=mydomain,dc=com" cn=rds

    I also tried:

    ldapsearch -x -LLL -b "dc=myhost,dc=mydomain,dc=com" memberOf=cn=rds

    which returned nothing.

    #377423
    Maurits
    Participant

    If your LDAP server is a Mac OD server, this will work:
    [code]ldapsearch -x -LLL -H ldap://host.domain.com -b "dc=host,dc=domain,dc=com" objectClass=apple-group memberUid apple-group-memberguid[/code]
    The last one (apple-group-memberguid) is to make sure you get nested groups as well (the GUIDs in the example below refer to the users that are also listed in memberUid; if there is an additional GUID, it will be a group). On the Mac server you can find this better with dsmemberutil (see man page). If you are using only ldapsearch you need to do it in two steps.
    in my server this returns groups formatted like this:
    [code]dn: cn=leominigroup,cn=groups,dc=host,dc=domain,dc=com
    apple-group-memberguid: BB2792F2-1F75-43F7-90A8-69EB19937277
    apple-group-memberguid: 95167831-E803-4E4F-A728-AF3039A5FF47
    apple-group-memberguid: 30AAC8D1-E29A-479A-A60B-5E845345EE62
    memberUid: arie
    memberUid: ben
    memberUid: caro[/code]
    for all details: use
    [code]ldapsearch -x -LLL -H ldap://host.domain.com -b "dc=host,dc=domain,dc=com" objectClass=apple-group[/code]
    and see all group information.

    #377473
    gw1500se
    Participant

    Thanks for the reply. I’m afraid I’m not having much luck with your suggestion. First I need to state that at this time I am running 10.4.11 server, if that matters. I suspect that may be why I can’t find ‘dsmembersutil’. Second, your reply probably attributes more LDAP knowledge to me than I really have.

    You mentioned 2 steps but I don’t understand that. Your suggestion seems to get all the groups and members rather than a specific group’s members. If an additional filter is not possible I guess I can deal with that using a brute force method with the result I do get. However, using your suggestion, there are a few groups that return no members even though they do have them. Unfortunately, one such group happens to be the group I really need (Murphy’s Law). Perhaps that is the crux of my original problem.

    I suppose the first question is, why do some groups falsely appear to have no members? How do I fix that?

    Thanks again.

    #377545
    gw1500se
    Participant

    After considerable testing, hair pulling and teeth gnashing, I have more information on this but it is creating an even greater puzzle. It seems that this issue is related to users being members of multiple groups. The reason I am not getting any members for this group is because all its members have this group as their primary. Apparently the query I am using, only returns the members of a group that do NOT have that group as their primary. Logically this makes no sense to me but that is how it seems to work.

    Therefore, the question becomes, how do I structure a query to return all members of a group, including those that have the group as their primary?

    Thanks.

    #377561
    kimmie
    Participant

    I’m not on a mac so i think that’s why the code didn’t work for me.

    Regards,
    Kimmie

    #377658
    rstasel
    Participant

    You can do this in dscl…

    Assuming it was run on the OD server…

    dscl /LDAPv3/127.0.0.1 -list /Users PrimaryGroupID | grep 20 | cut -d' ' -f1

    This would return all the uids that have group 20 (staff) as their primary group. Combine that with something that looks at the group itself for members, and you could construct a complete list. =/

    Should be able to do something similar with ldapsearch, but I’m too used to using dscl.
