
Thread: LDAP query help

  1. #1 JForce

    LDAP query help

    Need help with an LDAP query.

    Scenario is a system will query at login to see if a user is a member of various groups that match an internal config to give various access rights.

    So, am trying to get a query that will return all the groups a specified user is a member of, within a specified OU. The OU has 100 or so groups, but each user should only be a member of a few.

    Will the following query work?

    (&(objectcategory=group)(member=cn=XXX,ou=groups,o u=stores,ou=something else,ou=businessunits,dc=XXX,dc=net))

    Don't have access to test/run it to see what it would return unfortunately :/

  2. #2

    do yourself a favor and capitalize the object type.

    also, this part looks strange. "member=cn=XXX": is member a variable you are stuffing something into?
    your query is wrong anyway, since LDAP does not have support for spaces; depending on what specific LDAP implementation you are talking to, it may or may not support it with "" around it, but that is entirely dependent on the implementation itself. See below for the "correct" syntax that at least most of Microsoft's products will accept.

    CN=xxx,OU=groups,OU=stores,OU="something else",OU=BusinessUnits,DC=xxx,DC=net

    a virtualized DC takes 30 minutes to configure; you should have access to MSDN licences if you do any serious work on Microsoft products. Do yourself a favor and set one up, it's incredibly useful.

  3. #3 Lana Torrin
    Just posting to say I have to look up LDAP queries every fucking time I have to use them. I can never remember how to do them. Google, however, is awesome at shit like this.

  4. #4

    FWIW this forum has a shit bug/feature with long unbroken strings. The space in "...groups,o u=stores..." probably isn't really there in the query.

  5. #5

    Quote Originally Posted by Lana Torrin View Post
    Just posting to say I have to look up LDAP queries every fucking time I have to use them. I can never remember how to do them. Google, however, is awesome at shit like this.
    LDAP is pretty shit in the first place to be honest.

    what's amazing is that nobody has done anything that's even marginally better; there's gotta be a better way to represent information than a digitalized telephone book.

  6. #6

    What are you using? Any scripting or programming language or ADUC?

  7. #7

    Quote Originally Posted by Daneel Trevize View Post
    FWIW this forum has a shit bug/feature with long unbroken strings. The space in "...groups,o u=stores..." probably isn't really there in the query.
    ... which can be circumvented using [ code ] tags:
    Code:
    Pellentesquepulvinarloremacfelisimperdietindapibusduiinterdum.Curabiturlaoreetnislinnullaornaresollicitudin.Duisfringillacommodometus,quislaciniaodioconsequatquis!Nunceuismod,lectusetviverratincidunt,tellusfelisbibendumelit,eulobortisnislarcuegetdui.Duistellusdui,bibendum

  8. #8

    Quote Originally Posted by Liare View Post
    LDAP is pretty shit in the first place to be honest.

    what's amazing is that nobody has done anything that's even marginally better; there's gotta be a better way to represent information than a digitalized telephone book.
    Yeah, real shame databases (e.g. SQL-based ones) don't exist.

  9. #9

    Quote Originally Posted by Daneel Trevize View Post
    Quote Originally Posted by Liare View Post
    LDAP is pretty shit in the first place to be honest.

    what's amazing is that nobody has done anything that's even marginally better; there's gotta be a better way to represent information than a digitalized telephone book.
    Yeah, real shame databases (e.g. SQL-based ones) don't exist.
    ironically a structured database is not really the answer to everything either.

    LDAP assumes everything can be broken down into containers and stuffed together like that, a structured database (say a SQL one) assumes everything can be broken down into tables and interconnected like that.

    neither really provides the best solution for the problem; the reason LDAP is so hilariously popular is because it's so fucking vague that you can build an inventory management system on it.

  10. #10

    Quote Originally Posted by Daneel Trevize View Post
    Yeah, real shame databases (e.g. SQL-based ones) don't exist.
    But you can use ADO to "speak in" SQL to LDAP, see for example http://www.rlmueller.net/SQLSyntax.htm

  11. #11 JForce
    Thanks for the responses. Yes, there's no spaces in the actual query.

    There's no language as such, it's a direct LDAP query that this external system uses, so it's not a scripted thing (unfortunately).

    I think we're going to end up with a query that returns ALL groups a user is a member of, but unfortunately our AD structure has users segmented by departments, and I don't think I can just query the top level and have it locate the user in the sub-OU structure, meaning I have to run a different query for each possible OU the user's account is in.
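    A worked example for the query in post #1 and the sub-OU worry in post #11. It is added here and is not code from the thread or from the external system the poster describes. It is Python rather than a live directory call so it runs offline: it builds the two filters the poster needs (find the account, then find its groups), escapes the values per RFC 4515 so a login name cannot rewrite the filter, and stands in for the DC with a small in-memory directory. The OU layout, the DNs under DC=example,DC=net, the account names and the group names are all made up; the in-chain matching rule OID 1.2.840.113556.1.4.1941 is Active Directory's, and a real DC evaluates it server-side.

```python
"""Added example, not the poster's or the external system's code. It assumes
the layout described in the thread (users split into department sub-OUs, ~100
groups in one OU) under made-up DNs in DC=example,DC=net, and replaces the DC
with a tiny in-memory stand-in so it runs offline. Only the filter strings and
base DNs are what you would send to a real server."""

import re

USERS_OU = "OU=Users,OU=stores,OU=businessunits,DC=example,DC=net"    # assumed
GROUPS_OU = "OU=groups,OU=stores,OU=businessunits,DC=example,DC=net"  # assumed
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's LDAP_MATCHING_RULE_IN_CHAIN OID

def escape_filter_value(value):
    """RFC 4515: a value embedded in a filter must hex-escape * ( ) \\ and NUL,
    otherwise a login name of '*' turns (sAMAccountName=*) into match-all."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(login):
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(login)

def group_filter(user_dn, nested=False):
    """Groups listing user_dn as member; nested=True uses AD's in-chain rule so
    the server also walks group-of-group membership."""
    attr = "member:%s:" % IN_CHAIN if nested else "member"
    return "(&(objectCategory=group)(%s=%s))" % (attr, escape_filter_value(user_dn))

# ---- stand-in for the directory: constructed sample data, not a real AD ----
JSMITH = "CN=jsmith,OU=Sales," + USERS_OU
BJONES = "CN=bjones,OU=Warehouse," + USERS_OU
POS, MGR, ALL = ("CN=%s," % n + GROUPS_OU for n in ("POS-Operators", "Store-Managers", "All-Store-Staff"))
DIRECTORY = {
    JSMITH: {"objectcategory": ["person"], "samaccountname": ["jsmith"]},
    BJONES: {"objectcategory": ["person"], "samaccountname": ["bjones"]},
    POS: {"objectcategory": ["group"], "member": [JSMITH]},
    MGR: {"objectcategory": ["group"], "member": [BJONES]},
    ALL: {"objectcategory": ["group"], "member": [POS, MGR]},   # groups as members
    "CN=Domain Admins,CN=Users,DC=example,DC=net":              # outside GROUPS_OU
        {"objectcategory": ["group"], "member": [BJONES]},
}
BY_DN = {dn.lower(): attrs for dn, attrs in DIRECTORY.items()}

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_filter(text):
    """Parse the (&(a=v)(b=v)) subset used here; values are assumed escaped,
    so a raw ')' ends an item and a bare '*' is the presence test."""
    def parse(i):
        if text[i + 1] == "&":
            parts, i = [], i + 2
            while text[i] != ")":
                node, i = parse(i)
                parts.append(node)
            return ("and", parts), i + 1
        j = text.index(")", i)
        attr, raw = text[i + 1:j].split("=", 1)
        attr = attr.lower()
        return (("present", attr) if raw == "*" else ("eq", attr, _unescape(raw))), j + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node

def _in_chain(attrs, target, seen=()):
    """Transitive membership, which the in-chain rule computes server-side."""
    members = [m.lower() for m in attrs.get("member", [])]
    return target in members or any(
        m not in seen and m in BY_DN and _in_chain(BY_DN[m], target, seen + (m,))
        for m in members)

def _matches(attrs, node):
    if node[0] == "and":
        return all(_matches(attrs, n) for n in node[1])
    if node[0] == "present":
        return bool(attrs.get(node[1]))
    _, attr, value = node
    if attr == "member:%s:" % IN_CHAIN:
        return _in_chain(attrs, value.lower())
    return value.lower() in [v.lower() for v in attrs.get(attr, [])]

def search(base_dn, filter_text):
    """Subtree search: the base entry and everything beneath it."""
    node, base = parse_filter(filter_text), base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and _matches(attrs, node)]

def groups_for_login(login, nested=False):
    """One subtree search from the top of the user tree finds the account in
    whichever department OU it lives in; a second search scoped to GROUPS_OU
    returns only the groups there, which is all the access check should see."""
    hits = search(USERS_OU, user_filter(login))
    if len(hits) != 1:
        return []  # unknown or ambiguous login: grant nothing
    return sorted(search(GROUPS_OU, group_filter(hits[0], nested)))

if __name__ == "__main__":
    for login in ("jsmith", "bjones", "*"):
        print(login, "->", groups_for_login(login, nested=True))
```

    The concern in post #11 is handled by search scope, not by the filter: a subtree search with the top-level user OU as base and the sAMAccountName filter finds the account in whichever department OU it sits in, and the second search uses the groups OU as base, so groups elsewhere (Domain Admins in the sample) are never returned. `member=` on its own only sees direct membership; an access check that should honour nested groups needs the in-chain variant. The escaping matters because the login name comes from whoever is logging in: in the stand-in, a raw `(sAMAccountName=*)` matches every account, while `user_filter("*")` matches none.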

  12. #12

    Direct LDAP query is a complete brainfuck and a messed up term that brings up a shitload of other irrelevant shit when searching for it. :\

  13. #13

    LDAP is like PBXs: it makes perfect sense if you have worked with it for the last 40 years, otherwise you are fucked.

    honestly, the only way to get it working is to experiment with it, unless you know the brainfuck nature of the syntax by heart.
