My user is "SPR" and it is located under dc=aaaldap,dc=com
Now the filter I am trying to send is (idea: to extract all groups to which user SPR belongs):
Filter:
(&(objectclass=*)(memberof:1.2.840.113556.1.4.1941:=cn=SPR,dc=aaaldap,dc=com))
As part of this search result, I am getting a response from the AD server as ldapsearchresref (which, to my understanding, is an indication from the LDAP server that it is not able to find the entry on its server and is thus giving a reference to a URL of another server which might help in resolving the entry).
My doubt is: why is it not able to find any entry, when I am sure the entry does exist?
Also, secondly, I read somewhere that LDAP search filters don't work with commas. Can someone help me with this?
To find all groups a user is a member of, including nested groups, you need to search the groups for the member attribute:
(member:1.2.840.113556.1.4.1941:=cn=SPR,dc=aaaldap,dc=com)
-jim
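As an added example (not part of jim's answer or of the original thread), the helper below builds both chain filters, escapes assertion values the way RFC 4515 requires, and syntax-checks a filter. It shows the two points the thread turns on: a comma needs no escaping in a filter value, so a full DN can be used as-is, while wrapping that DN in its own parentheses, as in (member:...:=(cn=SPR,...)), produces a syntactically invalid filter rather than a DN match. The OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN; the DNs are the thread's sample values; the checker is an assumption-level subset of the RFC 4515 grammar (it catches unbalanced and unescaped parentheses and bad escapes, not substring structure or attribute names).

```python
"""Build and syntax-check the Active Directory nested-membership filters.

Added example for this thread, not code from any answer. The OID
1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN; the DNs are the
thread's sample values. The checker implements the RFC 4515 grammar only far
enough to catch unbalanced or unescaped parentheses and bad escapes.
"""
import re

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these are the only characters that must be escaped in an
# assertion value. A comma is not among them, so a DN can be pasted verbatim.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as the value part of a filter item."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_groups_of_user(user_dn: str) -> str:
    """Filter matching every group the user is in, directly or transitively.

    Run it with the domain naming context (e.g. dc=aaaldap,dc=com) as the
    search base and subtree scope.
    """
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def nested_members_of_group(group_dn: str) -> str:
    """Filter matching every user that is a direct or nested member of the group."""
    return "(&(objectCategory=person)(objectClass=user)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


# attribute description with optional :dn / :matchingrule parts, then the filtertype
_ITEM_HEAD = re.compile(r"[A-Za-z0-9.;:_-]+[~<>]?=")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _parse_filter(s: str, i: int) -> int:
    """Parse one '( ... )' filter starting at s[i]; return the index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                       # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise ValueError("'&' and '|' need at least one sub-filter")
    elif s[i] == "!":                      # not: exactly one sub-filter
        i = _parse_filter(s, i + 1)
    else:                                  # item: attr[:rule]=value
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _parse_item(s: str, i: int) -> int:
    m = _ITEM_HEAD.match(s, i)
    if not m:
        raise ValueError("malformed filter item at offset %d" % i)
    i = m.end()
    # the value runs to the closing ')'; '(' and a bare '\' are not allowed inside
    while i < len(s) and s[i] != ")":
        if s[i] == "(":
            raise ValueError("unescaped '(' inside a value at offset %d" % i)
        if s[i] == "\\":
            if not _HEX_PAIR.match(s, i + 1):
                raise ValueError("bad escape at offset %d" % i)
            i += 3
        else:
            i += 1
    return i


def is_valid_filter(text: str) -> bool:
    """True if the whole string is one syntactically valid RFC 4515 filter."""
    try:
        return _parse_filter(text, 0) == len(text)
    except ValueError:
        return False


if __name__ == "__main__":
    user = "cn=SPR,dc=aaaldap,dc=com"
    print(nested_groups_of_user(user), is_valid_filter(nested_groups_of_user(user)))
    # the same DN wrapped in its own parentheses is a syntax error, not a DN match
    print(is_valid_filter("(member:%s:=(%s))" % (LDAP_MATCHING_RULE_IN_CHAIN, user)))
```

Send the filter from nested_groups_of_user with the domain naming context as the base DN rather than a global catalog or a user entry; the matching rule walks the member chain on the server, so one search returns direct and nested groups alike. A DN whose RDN contains parentheses or backslashes must go through escape_filter_value first; commas never need it.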
If you need to find all the groups that user belongs to, you can use PrincipalContext.
Let me show you how:
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// userIdentity is the identity passed to FindByIdentity (e.g. the sAMAccountName "SPR").
// GetGroups returns the groups the user is a direct member of; GetAuthorizationGroups
// would also follow nested security group membership.
static List<string> GetUserGroups(string username, string password, string userIdentity)
{
    List<string> lst = new List<string>();
    using (PrincipalContext pr = new PrincipalContext(ContextType.Domain, "aaaldap.com", "dc=aaaldap,dc=com", username, password))
    {
        UserPrincipal user = UserPrincipal.FindByIdentity(pr, userIdentity);
        if (user != null)
        {
            using (PrincipalSearchResult<Principal> results = user.GetGroups())
            {
                foreach (Principal p in results)
                {
                    lst.Add(p.ToString());
                }
            }
            // OrderBy returns a new sequence and leaves the list untouched; Sort sorts in place.
            lst.Sort();
        }
    }
    return lst;
}
I guess that is what you were looking for.
Cheers
When using LDAP and querying you can sometimes get a referring URL which means the account is known, but in a different domain. This happens when I query our global catalog, so I don't anymore. :)
This works on our domain here. Note I have commas in my filter.
using System;
using System.DirectoryServices;

private static void showMemberships()
{
    // instantiate the DirectoryEntry instance with the FQDN of the domain to connect to
    using (DirectoryEntry directoryObject = new DirectoryEntry("LDAP://CHILD.DOMAIN.ORG"))
    // create a DirectorySearcher object and pass the DirectoryEntry instance
    using (DirectorySearcher ds = new DirectorySearcher(directoryObject))
    {
        // set search filter using LDAP query format
        // this example fetches members for a group limiting to users only (not groups)
        // and where the users are not in the stale objects ou
        ds.Filter = "(&(objectCategory=User)(!ou=Stale Objects)(memberOf=CN=GROUPNAME,CN=Users,DC=CHILD,DC=DOMAIN,DC=ORG))";
        // only load the attributes read below instead of every attribute of each entry
        ds.PropertiesToLoad.Add("cn");
        ds.PropertiesToLoad.Add("distinguishedName");
        // perform the search using the filter and store in a SearchResultCollection
        using (SearchResultCollection results = ds.FindAll())
        {
            // iterate through the results and do something with the info
            foreach (SearchResult current in results)
            {
                string userId = current.Properties["cn"][0].ToString().Trim().ToUpper();
                string userDn = current.Properties["distinguishedName"][0].ToString().Trim().ToUpper();
                Console.WriteLine(userId + " (" + userDn + ")");
            }
        }
    }
    // the using blocks close and dispose the searcher, results and entry on exit
}