Cannot query ldap/AD for group members
Using ActiveDirectory and ldap3 from Python, I am trying to retrieve a list of group members. Realizing that this is a common question, I tried many of the solutions posted here and on Google.
Here's my situation:
Directory setup:
Using ldap3, this code correctly return a list of users:
server = Server('ricktestad2.mydomain.org')
conn = Connection(server, 'Admin', 'xxxxxx', client_strategy=SAFE_SYNC, auto_bind=True)
obj_person = ObjectDef(['person', 'organizationalPerson', 'user'] , conn)
r = Reader(conn, obj_person, 'OU=Users,OU=ricktestad2,DC=ricktestad2,DC=mydomain,DC=org')
r.search()
Using this code to retrieve the members of group 'rds.eval.mda.admin' returns 0 entries:
cn2='OU=Users,OU=ricktestad2,DC=ricktestad2,DC=mydomain,DC=org'
conn2 = Connection(server, 'Admin', 'xxxxxx', client_strategy=SAFE_SYNC, auto_bind=True)
conn2.search(
search_base=cn2,
search_filter='(&(objectCategory=group)(CN=rds.eval.mda.admin))',
search_scope='SUBTREE',
attributes = ['member'])
I've tried countless permutations of the cn and filter with no success.
Any suggestions?
Solution 1:memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:
(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))
If you don't yet have the distinguished name, you can search for it with:
(&(objectCategory=group)(cn=myCustomGroup))
Solution 2:
For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with less than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.
For more reference check these link1 and link2
Solution 3:Example using a modern ldapsearch command line tool:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile \
'(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
This search response indicates that there are several member of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.
- "é" become "ã©" while using ldap_modify_batch() in php
- Why creating new user and roaming profile creation will result error logging in?
- Having trouble making UserPrincipalName all lowercase in Powershell
- How to Compare Sets of Users
- How to keep the shell window open after running a PowerShell script?
- ExemptFileTypeDownloadWarnings correct registry syntax for intranet URLs
- How do I modify a Boolean LDAP Active Directory attribute using Net::LDAP?
- Get-ACL of Deleted Objects Container
- What is the maximum length of a SID in SDDL format
- IIS "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" SQL connection error, but only for 1 user
- Windows Property Pages: Domain Path Not Shown on Security Tab
- Azure Entra ID tokens endpoint issues an expired token
- NativeObject try-catch does not catch a timed out error
- Getting "The server could not be contacted." when trying to access active directory
- Can't figure out how to delete a specific computer from AD using power shell. Can't find any solution anywhere
- Powershell - Create new user accounts from CSV & simultaneously populate these new accounts with template account info (Address & group membership)
- Unknown Error (0x80005000) with LDAPS Connection
- How to handle DC replication delay when enabling users and setting properties?
- Using application pool identity results in exceptions and event logs
- CORS issue using Angular application calling a .NET Core API using Sustainsys.Saml2 library and Azure Active Directory as Identity Provicer
- Is it possible to customize authentication flow in Azure?
- A few groups in my ad are not found by the following script
- System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred
- Cannot add user to Active Directory due to a "There is no such object on the server" error
- Connect to Active Directory using LdapConnection class on remote server
- Why is DirectorySearcher so slow when compared to PrincipalSearcher?
- How to search for users in Active Directory from ASP.NET Core
- How to supply the password as an argument in realm join to active directory command
- LDAP attribute to encode the language of human users mother tongue?
- How to remove multiple entries by a single ldap request in unboundid?