  • Get group membership from email (Was: Is this possible with LDAP?)

    I have a group name and an e-mail address. I'd like to do an ldap query to find out if the user who belongs to the e-mail address is a member of the group.

    So I have [email protected] and I want to know if Joe Smith is a member of the accounting security group.

    I'd like to do this in one step too.

    Thanks.

  • #2
    Re: Get group membership from email (Was: Is this possible with LDAP?)

    Title changed
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: Get group membership from email (Was: Is this possible with LDAP?)

      One way of doing it would be through ADUC and New queries.
      In the query string paste the following:

      Code:
      (&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))
      (&(objectCategory=person)(!objectSid=*))
      (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))
      (objectCategory=user)(mail=[email protected])(memberOf=accounting sec gr)))
      Obviously change the mail and MemberOf values.

      Ta
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR

      • #4
        Re: Get group membership from email (Was: Is this possible with LDAP?)

        I ran your example in our spam filter and got the following error:

        Failure: LDAP Query Syntax Error: Invalid character 's' at position 46 of query...
        If I run your example with dsquery, I get 0 objects returned.

        • #5
          Re: Get group membership from email (Was: Is this possible with LDAP?)

          Originally posted by mhashemi:
              If I run your example with dsquery, I get 0 objects returned.
          Just a little important detail: the syntax of the memberOf value should be the Distinguished Name (DN), i.e.
          Code:
          (&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))
          (&(objectCategory=person)(!objectSid=*))
          (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))
          (objectCategory=user)(mail=[email protected])
          (memberOf=CN=accounting sec gr,OU=TestOU,DC=Domain,DC=local)))
          Ta

          • #6
            Re: Get group membership from email (Was: Is this possible with LDAP?)

            Doy! Thanks for the help. Can we break it down so I can understand what's going on?

            Code:
            (|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))
            (&(objectCategory=person)(!objectSid=*))
            (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))
            Looks like you're limiting the query to objects that are people or security groups but why do you need to include the objectSid and samAccountType? And why do you "not" the objectSid for the group with a wildcard?

            Now I just have to test it in our spam appliance.

            • #7
              Re: Get group membership from email (Was: Is this possible with LDAP?)

              Hi,

              The query string was created automatically via ADUC as follows.
              New Query - Define Query
              In the Find box select Users, Contacts, and Groups, then click on Advanced.
              In there select User and then click on the attribute you need (in your case E-Mail Address, which is the mail attribute for the User class). On the Condition select Is (exactly) and give it the required value. Once done click on Add and the condition will be added to the Query string.
              Repeat the same process for the other condition, which will be querying for the MemberOf attribute of the user class object (the value has to be in DN format for this). Add the condition, OK and Voila! Copy and paste the automatically created Query string.
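The filter the thread settles on, as an added example that is not the thread's own code: a Python helper that builds a reduced form of it and escapes the e-mail value before splicing it in, since in the original poster's setup the address arrives from a spam appliance, i.e. from outside the domain. The big OR block #6 asks about is the "Users, Contacts, and Groups" scope ADUC adds; the trailing AND terms already restrict the result to user accounts, so it can be dropped. The sample address is constructed; the group DN is the one from #5; the in-chain OID is the Active Directory matching rule for nested membership.

```python
# Added example, not code from the thread. Builds the "is this e-mail address a
# member of this group" filter in a reduced, injection-safe form.
# Assumed (constructed) values: the e-mail address used in the sample call below.

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# OID of the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule (nested groups).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so that a crafted address cannot widen the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(mail: str, group_dn: str, nested: bool = False) -> str:
    """Filter matching a user account with address `mail` that is a member of `group_dn`.

    (objectCategory=person) alone would also match contacts, which can be group
    members too, so (objectClass=user) is added to keep only accounts.
    memberOf holds direct membership only; nested=True switches to the
    matching-rule-in-chain form, which also resolves membership via nested groups.
    """
    if not mail or "@" not in mail:
        raise ValueError("expected an e-mail address")
    member_attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(mail={escape_filter_value(mail)})"
        f"({member_attr}={escape_filter_value(group_dn)}))"
    )


if __name__ == "__main__":
    # Constructed sample address; the group DN is the one quoted in the thread.
    print(membership_filter("joe.smith@example.com",
                            "CN=accounting sec gr,OU=TestOU,DC=Domain,DC=local"))
```

The returned string can be passed unchanged as the filter argument of `dsquery * -filter "..."`; the nested form only works against Active Directory, which is where the in-chain rule is defined.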