Is User MemberOf a group? But with a twist... 1


bpsmicro

Programmer
Sep 11, 2006
I'm well aware of using the 'memberOf' attribute for a user to determine what groups the user is *directly* a member of. But I want to consider "parents" of groups as well.

Consider the following. I have user "Fred", who is a member of "GroupB". So Fred's 'memberOf' will include GroupB and all is well so far.

Now, we have "GroupA", and one of *its* members is GroupB. So technically, Fred is a member of GroupA as well, just indirectly.

I'm coming at this from the angle that I have Fred's directory entry, and I have GroupA's directory entry. I want to know "Is Fred a member, directly or indirectly, of GroupA?".

Is there an easy way to get this? I know I can get Fred's 'memberOf', parse that for all groups, and then for each group call its 'memberOf' and keep recursing backwards until I finally exhaust *all* parents, but that seems a tad inefficient. I'm hoping there's a magic query construct that'll get me what I want.

Ideas?

Brad.
 
[0] This is much simplified after the support of the newly introduced search matching rule (LDAP_MATCHING_RULE_IN_CHAIN) from w2k3svr up. It is now documented in the up-to-date documentation.

The use of it in this particular query is this.
[1] search base: restricted to the user's object, such as this figuratively.
    <LDAP://cn=Fred,ou=someou,dc=contoso,dc=com>
[2] filter: set the memberOf attribute to match the target group (groupA) directly or indirectly (nested). Like this, with the assumption of the dn of groupA figuratively.
    (member:1.2.840.113556.1.4.1941:=cn=groupA,ou=somegroupou,dc=contoso,dc=com)
[3] attributes (to return): whatever one likes.
[4] scope: "base" would be sufficient; "subtree" can do but not necessary as user object is used as search base and it is not a container.

[5] Once the search is executed, it is sufficient to check whether the result recordset is at EOF or not (i.e. whether it contains any record). If it is not empty, that means the base user object is a member of groupA.
 
Amendment
[2'] I meant memberOf, not member:
    (memberOf:1.2.840.113556.1.4.1941:=cn=groupA,ou=somegroupou,dc=contoso,dc=com)
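The following is an added example (not code from the thread or from either poster) that puts the answer's query together with the recursive approach from the question, so the two can be compared on the same data. It builds the search parameters from steps [1]-[4] above, including the corrected memberOf filter with the LDAP_MATCHING_RULE_IN_CHAIN OID, and escapes the group DN per RFC 4515 so a DN taken from user input cannot alter the filter. The in-memory DIRECTORY table (DN -> memberOf values) is constructed to mirror the Fred -> GroupB -> GroupA scenario, plus a deliberate nesting loop to show why the recursive walk needs a visited set; it stands in for a real directory, which would be queried through whatever LDAP client is in use.

```python
"""Nested-group membership in Active Directory, two ways (added example).

(a) nested_member_search builds the single query from the answer: base is
    the user's own object, scope "base", filter memberOf matched in chain.
(b) is_member_recursive walks memberOf upward, as the question describes,
    with cycle protection.
The DIRECTORY data below is constructed for illustration, not real.
"""
from typing import Dict, List, Set

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Needed when the DN originates from user input: an unescaped '*', '('
    or ')' would otherwise change the meaning of the filter.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_member_search(user_dn: str, group_dn: str) -> dict:
    """Search parameters per the answer's steps [1]-[4].

    A non-empty result set (recordset not at EOF) means user_dn is a
    direct or nested member of group_dn.
    """
    return {
        "base": user_dn,
        "scope": "base",
        "filter": "(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn)),
        "attributes": ["distinguishedName"],
    }


# Constructed directory: object DN -> the DNs in its memberOf attribute.
DIRECTORY: Dict[str, List[str]] = {
    "cn=Fred,ou=someou,dc=contoso,dc=com": [
        "cn=groupB,ou=somegroupou,dc=contoso,dc=com",
    ],
    "cn=groupB,ou=somegroupou,dc=contoso,dc=com": [
        "cn=groupA,ou=somegroupou,dc=contoso,dc=com",
    ],
    # Deliberate nesting loop: groupA is itself a member of groupB.
    "cn=groupA,ou=somegroupou,dc=contoso,dc=com": [
        "cn=groupB,ou=somegroupou,dc=contoso,dc=com",
    ],
    "cn=groupC,ou=somegroupou,dc=contoso,dc=com": [],
}


def is_member_recursive(directory: Dict[str, List[str]], user_dn: str, group_dn: str) -> bool:
    """Walk memberOf upward from user_dn until group_dn is found or all
    parents are exhausted.  The visited set stops a nesting loop from
    recursing forever; DNs are compared case-insensitively."""
    target = group_dn.lower()
    seen: Set[str] = set()
    stack = list(directory.get(user_dn, []))
    while stack:
        dn = stack.pop()
        key = dn.lower()
        if key in seen:
            continue
        seen.add(key)
        if key == target:
            return True
        stack.extend(directory.get(dn, []))
    return False


if __name__ == "__main__":
    fred = "cn=Fred,ou=someou,dc=contoso,dc=com"
    group_a = "cn=groupA,ou=somegroupou,dc=contoso,dc=com"
    print(nested_member_search(fred, group_a)["filter"])
    print("recursive walk says member:", is_member_recursive(DIRECTORY, fred, group_a))
```

In practice the in-chain query pushes the whole walk to the domain controller, so the client-side loop is only needed against directories that lack the matching rule; either way, treat the DN as data and escape it before it lands in a filter string.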
 
Hmm, that's really interesting. An approach I hadn't considered at all. I'm going to play with that and see if the performance is better than the recursive code I already have in place.

Many thanks;
Brad.
 