Warm tip: This article is reproduced from serverfault.com, please click
go ldap ldap-query

Getting the sAMAccountName for all users in a AD Group

发布于 2020-12-08 21:34:18

I've encountered some problems that seems like there should be a better solution to my problem?

In Go:

I succeed in retrieving the CN from a group (also able to traverse nested groups) Looping each of the users: I though that I could use the CN in getting the "sAMAccountName" for that user

  • Try 1: From l.Search I get response "Example1" below - with a "\" before the "," - Using this gives an exception.
  • Try 2: Removing the "\" (Example 2) - Returns with 0 entries
  • Try 3: Removing the "," (in the name) - Returns with 0 entries
  • Try 4: Modifying the string to add """ around name - Returns with 0 entries
  • Try 5: Similar tries with using ldap.EscapeFilter() all fail with exception or 0 entries in reply.

(userAccountControl - to remove disabled users - also tested without it)

import (
    "gopkg.in/ldap.v2"
)
 
//First search for members in group
    sr, err := l.Search(&ldap.SearchRequest{
        BaseDN: "dc=ad,dc=some",
        Scope:      2, // subtree
        Filter:     "(&(objectCategory=group)(cn=TheGroup)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
        Attributes: []string{"member", "cn", "dn"},
    })
 
//Looping through the users from the reply
 
Example1: user="CN=Some\, Name,OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example2: user="CN=Some, Name,OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example3: user=\"CN="Some, Name\",OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example4: user="CN='Some, Name',OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
 
 
filter:=fmt.Sprintf("(%s)", user)
 
    result, err := l.Search(&ldap.SearchRequest{
        BaseDN:     "dc=ad,dc=some",
        Scope:      2, // subtree
        Filter:     filter,
        Attributes: []string{"sAMAccountName"},
    })

Workaround w problems:

user = "Some Name"
filter := fmt.Sprintf("(&(anr=%s)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", user)

Current workaround is to use anr - but then I fail to combine the search with the group that I initially searched...

Questioner
Per Olofsson
Viewed
0
分享
raspy 2020-12-09 22:33:28

I believe it should work (and even faster) to get directly a given object, since you already have user's DN. I would use user's DN as base DN (without any escaping) and set scope as base. Unfortunately I don't have an AD with commas in CNs to run a test.

BTW. userAccountControl attribute is defined on user objects, not groups. If you wish to filter that way, it might actually be easier to resolve group name to a DN and then issue a single search for getting all the users, i.e.:

  1. Use filter (&(objectCategory=group)(cn=TheGroup)) with scope subtree and attributes dn,
  2. Use filter (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=TheGroupDN)) with scope subtree and attribute sAMAccountName.

This way you would issue just two queries instead of querying each user separately.

Per Olofsson 2020-12-10 08:01:17

Thanks! When I tested this before I used the (memberOf=TheGroup) not the GroupDN - Now it works! Now I only need to handle a few group names beginning with a "#"... "//#" gives an exception...

Per Olofsson 2020-12-15 15:44:46

struggling on...stackoverflow.com/questions/65309123/…

热门帖子

1
C++新手,求助一个关于怎么使用第三方库的问题
2
关于英语学习的重要性的思考
3
这里分享一个免费的在线 PDF 总结工具: NoteGPT
4
没想到 Arc 浏览器对网络要求如此严格
5
深陷消费主义陷阱的背后,是我空洞的灵魂
6
[上海] 招中级前端开发工程师
7
澳大利亚🇦🇺归来~第一次去南半球,虽然看过很多次照片,亲临大洋路时仍觉震撼
8
Apple Watch Terminal 风格表盘
9
失业三个月,面试寥寥无几,朋友失业的也很多
10
开发了一个在线批量图片压缩网站

热门github

1
Implementation of paper - YOLOv9: Learning What You Want to Learn Using Programmable Gradient Information
2
A Windows and Office activator using HWID / Ohook / KMS38 / Online KMS activation methods, with a focus on open-source code and fewer antivirus detections.
3
Get up and running with Llama 2, Mistral, Gemma, and other large language models.
4
该项目可以让你通过订阅的方式使用Cloudflare WARP+,自动获取流量。This project enables you to use Cloudflare WARP+ through subscription, automatically acquiring traffic.
5
Multi functional app to find duplicates, empty folders, similar images etc.
6
Xray panel supporting multi-protocol multi-user expire day & traffic & ip limit (Vmess & Vless & Trojan & ShadowSocks & Wireguard)
7
The Free Software Media System
8
lightweight, standalone C++ inference engine for Google's Gemma models.
9
📚 Freely available programming books
10
A collective list of free APIs
11
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
12
🎓 Path to a free self-taught education in Computer Science!
13
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
14
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
15
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.