Reading groups from LDAP

Michael Ströder michael at stroeder.com
Wed Jun 18 11:15:12 CEST 2008


Melita Mihaljevic wrote:
> Hi,
> I'm wondering which is the generic way to search for groups in LDAP.
> I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, '(ou=Group)')

The filter (ou=Group) does not make sense to me. You're probably mixing 
this with the search root.

1. Bear in mind that there are many different types of group entries out 
in the wild. LDAP entries are typed by object class. So your filter has 
to specifically search for group entries by object class.

2. Additionally, for determining whether a certain user is a member of a 
group you have to compare a certain member attribute within the group 
entry with an attribute within the user's entry or the DN of the entry.

3. You should never ever (accidentally) request the member attribute 
within the group entry to be returned in the search results, since some 
groups can be big, leading to a large amount of data being returned.

The user entry:

dn: cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de
uid: michael
mail: michael@stroeder.com

Example of a filter generated by web2ldap (normally everything in one 
line, broken up here for readability):

(|
  (&(objectClass=organizationalRole)(roleOccupant=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
  (&(objectClass=rfc822MailGroup)(mail=michael@stroeder.com))
  (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
  (&(objectClass=mailGroup)(mgrpRFC822MailMember=michael@stroeder.com))
  (&(objectClass=posixGroup)(memberUid=michael))
  (&(objectClass=nisMailAlias)(rfc822MailMember=michael@stroeder.com))
  (&(objectClass=groupOfNames)(member=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
)

Ciao, Michael.

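As an added example (not code from Michael's post or from web2ldap), the following Python builds the same OR-filter from a user's entry, escaping every assertion value per RFC 4515 so a DN or mail address containing `*`, `(`, `)` or `\` cannot alter the filter, and requests only `cn` so no member attribute is returned. The names `escape_filter_value`, `GROUP_TYPES`, `group_membership_filter` and `find_groups` are chosen here; `conn` is assumed to expose python-ldap's `search_s(base, scope, filterstr, attrlist)` signature.

```python
# Build the per-user group search filter from the post, with RFC 4515 escaping.

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).
    Filter metacharacters, NUL and every non-ASCII UTF-8 byte become \\XX hex
    escapes, which is how the filter above renders the umlaut (\\C3\\B6)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02X" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

# (group object class, member attribute in the group entry, which user value the
# member attribute refers to: the entry DN, the mail address or the uid).
GROUP_TYPES = (
    ("organizationalRole", "roleOccupant", "dn"),
    ("rfc822MailGroup", "mail", "mail"),
    ("groupOfUniqueNames", "uniqueMember", "dn"),
    ("mailGroup", "mgrpRFC822MailMember", "mail"),
    ("posixGroup", "memberUid", "uid"),
    ("nisMailAlias", "rfc822MailMember", "mail"),
    ("groupOfNames", "member", "dn"),
)

def group_membership_filter(user: dict) -> str:
    """Return an OR-filter matching every group type the user may belong to.
    `user` holds the values read from the user's entry: dn, uid, mail."""
    clauses = []
    for object_class, member_attr, user_key in GROUP_TYPES:
        value = user.get(user_key)
        if not value:
            continue  # user entry lacks this attribute; skip that group type
        clauses.append("(&(objectClass=%s)(%s=%s))"
                       % (object_class, member_attr, escape_filter_value(value)))
    return "(|" + "".join(clauses) + ")"

# Only the naming attribute is requested: never member, uniqueMember, memberUid...
GROUP_ATTRS = ["cn"]

SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE

def find_groups(conn, base_dn: str, user: dict):
    """Run the group search; `conn` is any object with a python-ldap style
    search_s(base, scope, filterstr, attrlist) method."""
    return conn.search_s(base_dn, SCOPE_SUBTREE, group_membership_filter(user), GROUP_ATTRS)
```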