
How can I create a security group in LDAP server?

Open bappajubcse05 opened this issue 6 years ago • 1 comment

Hello @dirmgr, I am trying to create a security group in an LDAP server using unboundid-ldap-sdk, but whenever I try to query the group with the filter below, it does not return the group.

Filter: (&(groupType:1.2.840.113556.1.4.803:=2147483648)(cn=test_group*))

The group is:

dn: CN=bpa,DC=developer,DC=tester,DC=example,DC=com
objectClass: group
groupType: -2147483646
instanceType: 4
objectClass: top
objectCategory: Group
cn: test_group
distinguishedName: CN=bpa,DC=developer,DC=tester,DC=example,DC=com
description: test group for testing
name: test_group

Code to query the server:

javax.naming.directory.SearchControls searchControls = new javax.naming.directory.SearchControls();
// Return only the name and cn attributes of each matching entry.
searchControls.setReturningAttributes(new String[] {"name", "cn"});
searchControls.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
// dirContext is an already-bound javax.naming.directory.DirContext
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
     dirContext.search("DC=developer,DC=tester,DC=example,DC=com", filter, searchControls);

Could you please help me to find out the problem?

I am suspecting the value that I am using for groupType is not the correct one.

bappajubcse05 May 02 '19 15:05

I don't know anything about Active Directory, and this looks like an AD-specific question. However, I can see that the groupType value you are using in the filter (2147483648) is similar to but not the same as the groupType value in the group entry (-2147483646). The last digit is different, and the groupType value in the entry is negative while the one in the filter is positive.

Also note that the cn attribute inherits from name, so technically you should only need to request the name attribute and you'd get all of its subordinates as well, which includes things like cn, sn, givenName, initials, title, and others. But it doesn't hurt anything to request both, and it's possible that Active Directory doesn't properly handle attribute type inheritance.

At any rate, the code to issue a search like the one you have listed above in the UnboundID LDAP SDK for Java would be something like:

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;

String baseDN = "DC=developer,DC=tester,DC=example,DC=com";
// (&(groupType:1.2.840.113556.1.4.803:=2147483648)(cn=test_group*))
Filter filter = Filter.createANDFilter(
     Filter.createExtensibleMatchFilter("groupType",
          "1.2.840.113556.1.4.803", false, "2147483648"),
     Filter.createSubInitialFilter("cn", "test_group"));
String[] requestedAttributes = { "name", "cn" };
SearchRequest searchRequest = new SearchRequest(baseDN, SearchScope.SUB,
     filter, requestedAttributes);

// ldapConnection is an established com.unboundid.ldap.sdk.LDAPConnection
SearchResult searchResult = ldapConnection.search(searchRequest);

dirmgr May 02 '19 16:05
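As an added illustration (not part of the issue or of the UnboundID LDAP SDK), the following Python models how Active Directory's bit-AND matching rule 1.2.840.113556.1.4.803 evaluates the groupType filter from the thread against the quoted entry: groupType is stored as a signed 32-bit integer, so the entry's -2147483646 is the bit pattern 0x80000002 (SECURITY_ENABLED | GLOBAL), and the filter's 2147483648 is 0x80000000. The flag names, the local evaluator and the sample entries are assumptions made for the example, not values from the page.

```python
# Added example: a local model of AD's groupType bitmask and of the
# LDAP_MATCHING_RULE_BIT_AND (…803) / BIT_OR (…804) rules. It does not
# talk to a directory; the sample entries below are constructed.

GROUP_TYPE_FLAGS = {            # documented AD groupType bits
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY_ENABLED",
}

BIT_AND_OID = "1.2.840.113556.1.4.803"
BIT_OR_OID = "1.2.840.113556.1.4.804"


def to_unsigned32(value: int) -> int:
    """Reinterpret a signed 32-bit integer as its unsigned bit pattern."""
    return value & 0xFFFFFFFF


def decode_group_type(value: int) -> list[str]:
    """Name the flags set in a groupType value such as -2147483646."""
    bits = to_unsigned32(value)
    return [name for flag, name in GROUP_TYPE_FLAGS.items() if bits & flag]


def bit_rule_matches(rule_oid: str, attr_value: int, assertion: int) -> bool:
    """Evaluate the bit-AND / bit-OR matching rules on 32-bit patterns."""
    a, b = to_unsigned32(attr_value), to_unsigned32(assertion)
    if rule_oid == BIT_AND_OID:
        return (a & b) == b        # every asserted bit must be set
    if rule_oid == BIT_OR_OID:
        return (a & b) != 0        # at least one asserted bit is set
    raise ValueError(f"unsupported matching rule {rule_oid}")


def find_security_groups(entries, cn_prefix="test_group"):
    """Apply (&(groupType:1.2.840.113556.1.4.803:=2147483648)(cn=prefix*))
    to dicts shaped like the entry quoted in the issue."""
    return [
        e["cn"] for e in entries
        if bit_rule_matches(BIT_AND_OID, e["groupType"], 0x80000000)
        and e["cn"].startswith(cn_prefix)
    ]


# Constructed sample entries: the issue's group plus a distribution group.
SAMPLE_ENTRIES = [
    {"cn": "test_group", "groupType": -2147483646},   # security, global
    {"cn": "test_group_dl", "groupType": 2},          # distribution, global
]
```

Because the rule compares bits rather than integers, a security-enabled group matches the 2147483648 assertion whatever its other scope bits are; a distribution group with the same cn prefix does not.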