1 Reply. Latest reply: May 17, 2012 3:17 PM by 802907

    How do you test if a user is a member of a dynamic group using ldapsearch

    852043
      Hi,

      If I have a dynamic group defined like the following:

      dn: cn=TestDynGroup,ou=Groups,dc=example.com
      description: Dynamic Group containing all users in Test ou
      objectClass: groupOfUrls
      objectClass: top
      cn: TestDynGroup
      memberURL: ldap:///ou=People,dc=example.com??sub?(ou=Test)

      Is there any way to use the ldapsearch tool to see the group membership of this dynamic group (without just running the actual query to retrieve a list of the DNs)? Also, is there any way to use the ldapsearch tool to list the dynamic groups a user is a member of? I can use the isMemberOf attribute to see which static groups a user is a member of, but I cannot find any way to view which dynamic groups a user is a member of.

      Thanks,
      Matt
        • 1. Re: How do you test if a user is a member of a dynamic group using ldapsearch
          802907
          The memberurl is pretty much it. As far as I know, there really isn't much more to the object. If you already have a DN and you want to know whether it would be returned by a search defined by the memberurl, you can probably do some compare operations or just tack on the filter from the memberurl, like:

          ldapsearch -s base -b <UserDN> "MemberUrlFilter" dn

          and see if the DN comes back. Depending on the scope in the memberURL, you can also probably do something with entrydn to see if the base dn in the memberurl is superior to the userDN, like

          ldapsearch -s base -b <UserDN> "(&(MemberUrlFilter)(entrydn=*,MemberUrlBaseDN))"

          or just check that by eye. Bottom line, the simplest way is to just do the search defined in the memberURL and see if your DN comes back.
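
The check described in the reply above, as an added example that is not part of either post: it splits the memberURL into base, scope and filter, tests locally whether the user DN falls under that base and scope (a base-scoped search on the user DN only tests the filter), and builds the `ldapsearch` arguments for the filter test. The function names and the user DNs are constructed for illustration, connection and bind options are left out as in the reply, and the DN comparison is simplified.

```python
import shlex
from urllib.parse import unquote

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    prefix = "ldap:///"
    if not url.lower().startswith(prefix):
        raise ValueError("expected an ldap:/// memberURL")
    parts = url[len(prefix):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    # LDAP URL defaults: scope "base", filter "(objectClass=*)"
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def rdns(dn):
    # Simplified comparison form: lower-cased, spaces around RDNs ignored.
    # Assumption: no escaped commas inside attribute values.
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_scope(user_dn, base, scope):
    """True if user_dn is at or under base, as allowed by the URL scope."""
    u, b = rdns(user_dn), rdns(base)
    if len(u) < len(b) or u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def membership_check(user_dn, member_url):
    """Return ldapsearch argv for the filter test, or None if out of scope."""
    base, scope, flt = parse_member_url(member_url)
    if not in_scope(user_dn, base, scope):
        return None
    # Base-scoped search on the user entry with the group's filter:
    # the DN coming back means the filter matches.
    return ["ldapsearch", "-s", "base", "-b", user_dn, flt, "dn"]

if __name__ == "__main__":
    url = "ldap:///ou=People,dc=example.com??sub?(ou=Test)"  # from the question
    # Constructed user DNs
    for dn in ("uid=matt,ou=People,dc=example.com",
               "uid=svc,ou=Services,dc=example.com"):
        argv = membership_check(dn, url)
        print(dn, "->", shlex.join(argv) if argv else "outside memberURL base/scope")
```

Passing the result as an argument list (for example to `subprocess.run`) keeps the parentheses in the filter away from shell interpretation.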