[python-ldap] base and filterstr combination for search_s() function to get user with matching `sAMAccountName` when base DN's lowest elements are just Group CNs?

Reed Villanueva villanuevareed at gmail.com
Wed Apr 7 02:19:36 EDT 2021


Is there a way to write an LDAP search filter string or base DN syntax to
get user with matching sAMAccountName property when the target base DN's
lowest elements are Group CNs (not actually users/Person objects)? Never
worked with LDAP querying before, so don't have a great understanding on
how to do this.

Have an AD path of Group CNs (where the users therein are defined in
multiple other locations) like...

DC=myorg,DC=local
    OU=datagroups
        OU=zones
            CN=group1
            CN=group2
            ...

...and have two parameters that I have available for matching against a
login string:

   - A single base DN (e.g. OU=zones,OU=datagroups,DC=myorg,DC=local) that
   will be accepted as a base arg by a python-ldap.search_s() function
   <https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.search_s>.
   - A search filter string to act on that base DN and return a single
   user/Person with matching sAMAccountName that will be used as the
   filterstr arg in the python-ldap.search_s() function
   <https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.search_s>.
   The default format is 'sAMAccountName={login}'

Have also tried...

base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
search_filter =
(&({login}=sAMAccountName)(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))

...to no avail.

Anyone with more experience know how I can do this? Anything I appear to be
misunderstanding about the situation (since again, I don't work w/ LDAP
querying very often)?
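
Added example, not part of the original post and not python-ldap's own code: one way to build the base and filterstr arguments for the search_s() call described above, with the login escaped per RFC 4515 so that it cannot change the filter's structure. It assumes the user entries live somewhere under the domain root DC=myorg,DC=local and that group membership is direct; USER_BASE, GROUP_DNS and the helper names are hypothetical.

```python
# Added example: builds the (base, filterstr) pair for LDAPObject.search_s().
# Pure Python, so it runs without python-ldap or a directory server.

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(login, group_dns, user_base):
    """Return (base, filterstr) for one user, matched by sAMAccountName,
    who is a direct member of at least one of the groups in group_dns."""
    if not login:
        raise ValueError("login must not be empty")
    if not group_dns:
        raise ValueError("at least one group DN is required")
    # Attribute name on the left, escaped user-supplied value on the right.
    name = "(sAMAccountName=%s)" % escape_filter_value(login)
    members = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    if len(group_dns) > 1:
        members = "(|%s)" % members  # OR only when there are several groups
    return user_base, "(&%s%s)" % (name, members)


# Constructed sample values modelled on the tree in the post.
ZONES = "OU=zones,OU=datagroups,DC=myorg,DC=local"
GROUP_DNS = ["CN=group1," + ZONES, "CN=group2," + ZONES]
# Assumption: the user entries sit somewhere under the domain root, so the
# search starts there (with subtree scope) rather than at the groups' OU.
USER_BASE = "DC=myorg,DC=local"

if __name__ == "__main__":
    for login in ("jdoe", "*)(cn=*"):  # second value: filter metacharacters
        base, filterstr = build_user_search(login, GROUP_DNS, USER_BASE)
        print(base)
        print(filterstr)
```

The returned pair is what would be passed as the base and filterstr arguments of search_s(); the escaped login matches only a literal account name, never a wildcard or an extra clause.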