List users in a group
Hello,
Assuming we have an AD group with a list of members (let's call the group Everyone), we can expose the member list by querying for base 'cn=everyone,cn=groups,dc=company,dc=com' with filter: (objectclass=*).
This provides a list of members, like this:
# extended LDIF
#
# LDAPv3
# base <cn=everyone,cn=groups,dc=company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# everyone, groups, company.com
dn: cn=everyone,cn=groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
cn: everyone
description: Group for all enabled users
displayName: Everyone
entryDN: cn=everyone,cn=groups,dc=company,dc=com
member: uid=john.doe,cn=users,dc=company,dc=com
member: uid=jane.doe,cn=users,dc=company,dc=com
memberUid: john.doe
memberUid: jane.doe
sambaGroupType: 2
structuralObjectClass: posixGroup
subschemaSubentry: cn=subschema
creatorsName: uid=root,cn=users,dc=company,dc=com
modifiersName: uid=root,cn=users,dc=company,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Is there, however, a possibility to list the actual users of that group, and ONLY of that group, in a similar structure to the one returned when querying base 'cn=users,dc=company,dc=com'? For example, for the Everyone group only those two user objects would be returned, even if Azure AD contains more users.
# john.doe, users, company.com
dn: uid=john.doe,cn=users,dc=company,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: john.doe
displayName: John Doe
entryDN: uid=john.doe,cn=users,dc=company,dc=com
givenName: John
mail: [email protected]
memberOf: cn=everyone,cn=groups,dc=company,dc=com
sn: Doe
uid: john.doe
structuralObjectClass: inetOrgPerson
ou: company.com
# jane.doe, users, company.com
dn: uid=jane.doe,cn=users,dc=company,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: jane.doe
displayName: Jane Doe
entryDN: uid=jane.doe,cn=users,dc=company,dc=com
givenName: Jane
mail: [email protected]
memberOf: cn=everyone,cn=groups,dc=company,dc=com
sn: Doe
uid: jane.doe
structuralObjectClass: inetOrgPerson
ou: company.com
I have scanned the documentation and source code and couldn't find a way to do so.
There's a use case (listing only selected users of a pre-defined group, using that group as a search base) for this: listing users when integrating printers with LDAP.
Thank you.
You could just query the users with a base like cn=users,dc=company,dc=com and set a matching filter like (&(uid=*)(objectClass=*)(memberOf=cn=everyone,cn=groups,dc=company,dc=com)).
@ahaenggli thank you - that of course works if one can specify the filter string.
Sadly that's not the case for printers (Canon in this case), where the filter string is hardcoded to (&(mail=*)(|(name=*someonesname*))).
@zajdee Is this completely or only partially fixed with #127? Perhaps a customizer could help if you duplicate the user objects for your specific AD group—not ideal, but I don't see any other option if the printer doesn't allow more options.
@ahaenggli this is independent of #127 (#126). That PR/issue only reflects the addition of the name attribute, whereas this issue is about producing a "view" of users based on a "group-base".
There is currently no solution. You have only the following options:
- Write a customizer to duplicate the user objects for your specific AD group per group
- Set up a second/third/... container that only contains the desired groups
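As an added illustration (not code from this project or from anyone in the thread), the following script parses LDIF entries like the ones above and returns ONLY the users of cn=everyone two ways: the "group-base view" the question asks for (resolving the group's member DNs) and the memberOf filter suggested in the reply; the sample entries, the hypothetical extra user bob.smith and the helper names are all constructed here.

```python
from collections import defaultdict

# Added illustration, not the project's code. Constructed sample entries, trimmed
# from the thread's LDIF (not real directory data); bob.smith is in no group.
SAMPLE_LDIF = """\
dn: cn=everyone,cn=groups,dc=company,dc=com
member: uid=john.doe,cn=users,dc=company,dc=com
member: uid=jane.doe,cn=users,dc=company,dc=com

dn: uid=john.doe,cn=users,dc=company,dc=com
objectClass: inetOrgPerson
uid: john.doe
memberOf: cn=everyone,cn=groups,dc=company,dc=com

dn: uid=jane.doe,cn=users,dc=company,dc=com
objectClass: inetOrgPerson
uid: jane.doe
memberOf: cn=everyone,cn=groups,dc=company,dc=com

dn: uid=bob.smith,cn=users,dc=company,dc=com
objectClass: inetOrgPerson
uid: bob.smith
"""

def parse_ldif(text):
    """Minimal LDIF reader (no '::' base64 or folded lines) -> {dn_lower: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in (ln for ln in text.splitlines() if not ln.startswith("#")):
        if not line.strip():
            current = None  # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), defaultdict(list))
            current["dn"].append(value)
        elif current is not None:
            current[attr].append(value)
    return entries

def users_by_group_base(entries, group_dn):
    """Group-base view: the group's member DNs define the user set (dangling refs skipped)."""
    members = entries.get(group_dn.lower(), {}).get("member", [])
    return sorted(entries[m.lower()]["dn"][0] for m in members if m.lower() in entries)

def users_by_memberof(entries, group_dn, base="cn=users,dc=company,dc=com"):
    """The reply's filter, (&(uid=*)(objectClass=*)(memberOf=<group_dn>)), under base."""
    return sorted(e["dn"][0] for dn, e in entries.items()
                  if dn.endswith("," + base.lower()) and e.get("uid") and e.get("objectclass")
                  and group_dn.lower() in [v.lower() for v in e.get("memberof", [])])
```

Both functions return john.doe and jane.doe only, and bob.smith never appears; the group-base variant is what a directory would have to do internally to honour a group DN as search base, while the memberOf variant is what works today when the client can set its own filter.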