Re: Getting the list of members in an AD group
On 10.04.2014 07:06, Sankar P wrote:
> 2014-04-07 21:48 GMT+05:30 Mark Pröhl <mark@mproehl.net>:
>> Am 07.04.2014 15:55, schrieb Dan White:
>>
>>> On 04/07/14 11:06 +0530, Sankar P wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have the SID of an AD group. I want to get the list of members who
>>>> belong to that group. All the documentation page that I search for
>>>> points me to the reverse only (i.e., getting all the groups membership
>>>> information of a user).
>>>>
>>>> Can someone show me to the relevant way to get the users who belong to
>>>> a group whose SID I have ?
>>>
>>>
>>> ldapsearch -Y DIGEST-MD5 -U joe -H ldap://192.0.2.1 \
>>> -b "dc=example,dc=com" -s "sub" "objectSid=XXX" dn
>>>
>>
>> as an alternative you can do the following:
>>
>> ldapsearch -b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>'
>> member
>>
>
> I tried to do this using the C openldap binding and when having
> "objectSid" as the filter, I get the full DN of the group but not its
> members. If I just use "sid" I get nothing. The count of the results
> returned is zero.
>
> My source code is: http://paste.opensuse.org/74038351
>
> Can you help with it? What do I miss? Thanks.
>
<sid=...> is not a search filter, it is the search base. The
<>-characters are part of that syntax. You should also restrict the
scope of that search to base (LDAP_SCOPE_BASE). So a more complete
example (on the command line) would be:
ldapsearch -H ldap://your_dc.example.com \
-b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>' \
-s base \
'(objectClass=*)' member
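The same search done from a script, as an added example that is not part of
the thread and not the poster's C code: it uses python-ldap (another OpenLDAP
binding) instead of the C API, passes the '<SID=...>' string as the search
base with SCOPE_BASE, and reads the 'member' attribute. It also handles the
one thing a plain 'member' read does not show: for groups with more than 1500
members AD returns the attribute as 'member;range=0-1499' and you have to ask
for further ranges. The URI, bind DN, password and SID values are placeholders,
and the sample entry in example_offline() is constructed; the '<SID=...>'
base form is an AD extension and will not work against a plain OpenLDAP server.

```python
"""Members of an AD group looked up by SID (python-ldap example, not from the thread)."""
import re

# Textual SID: S-1-<authority>-<subauthority>... (up to 15 subauthorities).
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,14}$")
# AD splits large multi-valued attributes into ranges: member;range=0-1499,
# member;range=1500-2999, ..., and the last slice ends with '*'.
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def sid_search_base(sid):
    """Build the AD 'SID binding' base DN, e.g. '<SID=S-1-5-21-...>'.

    The angle brackets are part of the syntax; this is a search *base*,
    not an LDAP filter, so it must be used with LDAP_SCOPE_BASE."""
    if not SID_RE.match(sid):
        raise ValueError("not a textual SID: %r" % (sid,))
    return "<SID=%s>" % sid


def member_dns_from_entry(attrs):
    """Collect member DNs from one entry's attribute dict.

    Returns (members, next_start): next_start is None when the entry held the
    complete list (plain 'member' or a final 'range=N-*' slice), otherwise the
    index to request next, e.g. 1500 after 'member;range=0-1499'."""
    members = []
    next_start = None
    for name, values in attrs.items():
        m = RANGE_RE.match(name)
        if name.lower() != "member" and not m:
            continue
        members.extend(v.decode("utf-8") if isinstance(v, bytes) else v
                       for v in values)
        if m and m.group(2) != "*":
            next_start = int(m.group(2)) + 1
    return members, next_start


def group_members(uri, sid, bind_dn, password):
    """Return all member DNs of the group with the given SID, or None if no
    such object exists. Needs python-ldap and a reachable domain controller."""
    import ldap  # python-ldap, imported here so the helpers above work without it

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD sends referrals; do not chase them
    conn.simple_bind_s(bind_dn, password)

    base = sid_search_base(sid)
    all_members = []
    start = 0
    while True:
        # First round asks for plain 'member'; AD answers with a range slice
        # if the group is large, and we then ask for the following slices.
        attr = "member" if start == 0 else "member;range=%d-*" % start
        result = conn.search_s(base, ldap.SCOPE_BASE, "(objectClass=*)", [attr])
        if not result:
            return None
        _dn, attrs = result[0]
        members, next_start = member_dns_from_entry(attrs)
        all_members.extend(members)
        if next_start is None:
            return all_members
        start = next_start


def example_offline():
    """Constructed AD-style entry (not captured from a real server) showing
    how a ranged first slice is parsed."""
    attrs = {
        "objectSid": [b"\x01\x05..."],          # binary SID, ignored here
        "member;range=0-1499": [b"CN=alice,OU=Users,DC=example,DC=com",
                                b"CN=bob,OU=Users,DC=example,DC=com"],
    }
    return member_dns_from_entry(attrs)


if __name__ == "__main__":
    # Placeholders: replace with your DC, a bind account and the group SID.
    for dn in group_members("ldap://your_dc.example.com",
                            "S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX",
                            "joe@example.com", "secret") or []:
        print(dn)
```

Note that group_members() only returns direct members; nested groups appear
as their own DN and are not expanded, which is the same as what the ldapsearch
above prints.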