
I use sAMAccountName to search for a user; after retrieving the user I get the user's "memberOf" list. I want to fetch all the members of the "memberOf" groups of the user. Is it possible to do it in one search?

Nevo.

OK, here is what I got so far:

$ds = ldap_connect('145.20.0.10', 389);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD rejects LDAPv2 binds
$bind = ldap_bind($ds, "aa", "aa");                    // bind name (DN or UPN) and password
if ($bind) {
    $dn = "OU=all users,DC=mycustomdc,DC=co,DC=il";
    // the account name is hard-coded here; wrap it in ldap_escape() once it comes from user input
    $search = ldap_search($ds, $dn, "(samaccountname=asd)", ['memberOf', 'company', 'department']);
    $enr = ldap_get_entries($ds, $search);             // $enr[0]['memberof'] holds the group DNs
} else {
    echo ldap_error($ds);
}

This gives me the memberOf of the member, but I need to get the members of the memberOf.

  • Please provide us some code where you are stuck or what you have tried. This makes it a lot easier for you to get the right answers :) Commented Apr 11, 2016 at 13:36

1 Answer

If I understand you correctly, you are starting with one user account and you want to:

  1. Get all the groups that user is a member of (by getting the value of 'memberOf')
  2. Find the members of each group found in step 1.

There are two ways you can do this:

  1. Iterate through all the groups and make a separate call to get the 'member' attribute, which will have the list of members.
  2. Construct a query based on 'memberOf' to find all other people who are members of the same groups:

(&(objectClass=user)(|(memberOf=CN=group1,OU=something,DC=mydomain,DC=com)(memberOf=CN=group2,OU=something,DC=mydomain,DC=com)(memberOf=CN=group3,OU=something,DC=mydomain,DC=com)))

It is possible to get different results based on which method you use.

Method 1 will get you any members of the groups, even if they're on other domains outside the domain or forest (for example, domains with one-way trusts).

With method 2 (searching memberOf) your results will be different if you search using LDAP:// (port 389) or GC:// (port 3268). Using GC:// will not work for global or domain local groups, whereas using LDAP:// will. However, if you use LDAP:// you will only get users from one domain, which might be a problem if you have other domains in your AD forest.

If you only have 1 domain in your organization with no trusts to other domains, then you are better off using LDAP://.


1 Comment

I found out that I can do something like this: (&(samaccountname=messagetestuser)(|(memberof:1.2.840.113556.1.4.1941:=CN=MessageUsers,OU=Groups,DC=super-pharm,DC=co,DC=il)(memberof:1.2.840.113556.1.4.1941:=CN=MessageManager,OU=Groups,DC=super-pharm,DC=co,DC=il)(memberof:1.2.840.113556.1.4.1941:=CN=MessageOffice,OU=Groups,DC=super-pharm,DC=co,DC=il))) The only problem is that I can't know afterwards which memberof belongs to the one up here ^
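Both methods from the answer above in working PHP, as an added example that is not code from the question, the answer or the comment. It goes beyond the answer in two ways: every value that lands in a filter passes through ldap_escape(), so a caller-supplied account name or an unusual group DN cannot change the meaning of the filter, and method 2 can optionally use the LDAP_MATCHING_RULE_IN_CHAIN OID from the comment to include members of nested groups. The host, bind account, base DN and sample account name are assumptions; it needs PHP 5.6 or later for ldap_escape().

```php
<?php
// Added example, not code from the question or the answer. Host, bind
// account, base DN and the sample sAMAccountName are assumptions.

const LDAP_URI = 'ldap://145.20.0.10';                                        // assumed (host from the question)
const BIND_DN  = 'CN=svc-ldap,OU=Service Accounts,DC=mycustomdc,DC=co,DC=il'; // assumed
const BIND_PW  = 'change-me';                                                 // assumed
const BASE_DN  = 'DC=mycustomdc,DC=co,DC=il';                                 // assumed

// Connect, upgrade to TLS and bind; fail loudly instead of carrying on with $bind === false.
function ad_connect()
{
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect: malformed URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals for other partitions; chasing them only slows the search
    if (!ldap_start_tls($ds)) {                  // a simple bind sends the password in clear without this
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }
    if (!ldap_bind($ds, BIND_DN, BIND_PW)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Strip the 'count' element PHP adds to every multi-valued attribute.
function attr_values(array $entry, string $attr): array
{
    $v = $entry[strtolower($attr)] ?? ['count' => 0]; // ldap_get_entries() lowercases attribute names
    unset($v['count']);
    return array_values($v);
}

// Step 1: the user's direct groups. The account name is escaped so input such
// as "*)(objectClass=*" cannot rewrite the filter.
function user_groups($ds, string $sam): array
{
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $e = ldap_get_entries($ds, ldap_search($ds, BASE_DN, $filter, ['memberOf']));
    return $e['count'] === 0 ? [] : attr_values($e[0], 'memberOf');
}

// Method 1: one base-scope read per group. Members from trusted domains show up
// as foreignSecurityPrincipal DNs. Returns [groupDN => [memberDN, ...]].
function members_by_group($ds, array $groupDns): array
{
    $out = [];
    foreach ($groupDns as $dn) {
        $e = ldap_get_entries($ds, ldap_read($ds, $dn, '(objectClass=group)', ['member']));
        $out[$dn] = $e['count'] === 0 ? [] : attr_values($e[0], 'member');
    }
    return $out;
}

// Method 2: one search for every user in any of the groups. Each group DN is
// escaped before it is embedded in the filter. With $nested = true the
// LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) is used, so members
// of groups nested inside the listed groups are returned as well.
// Returns [userDN => [groupDN, ...]], listing the searched groups the user is a
// *direct* member of, which answers the comment's question of which hit belongs
// to which group; users matched only through nesting get an empty list.
function members_of_any($ds, array $groupDns, bool $nested = false): array
{
    if ($groupDns === []) {
        return [];
    }
    $attr = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
    $or = '';
    foreach ($groupDns as $dn) {
        $or .= '(' . $attr . '=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
    }
    $filter = '(&(objectCategory=person)(objectClass=user)(|' . $or . '))';
    $e = ldap_get_entries($ds, ldap_search($ds, BASE_DN, $filter, ['memberOf']));

    $wanted = array_fill_keys(array_map('strtolower', $groupDns), true); // DNs compare case-insensitively
    $out = [];
    for ($i = 0; $i < $e['count']; $i++) {
        $hits = [];
        foreach (attr_values($e[$i], 'memberOf') as $g) {
            if (isset($wanted[strtolower($g)])) {
                $hits[] = $g;
            }
        }
        $out[$e[$i]['dn']] = $hits;
    }
    return $out;
}

$ds     = ad_connect();
$groups = user_groups($ds, 'asd');            // assumed account name, taken from the question
print_r(members_by_group($ds, $groups));      // method 1
print_r(members_of_any($ds, $groups));        // method 2, direct members only
print_r(members_of_any($ds, $groups, true));  // method 2 including nested groups
ldap_unbind($ds);
```

Two Active Directory limits apply to both methods and are not handled above: a search returns at most 1000 entries per page unless the paged results control is sent (ldap_search() accepts it through its controls argument from PHP 7.3 on), and a group's member attribute is returned 1500 values at a time, so very large groups need range retrieval (member;range=0-1499 and so on). A user's primary group, normally Domain Users, never appears in memberOf, so neither method lists it.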
