To check (using openDS SDK) a member belongs to which group in openDS LDAP


I have just got this requirement two days back and I'm using an LDAP (openDS) for the first time. As things are, I have very limited time for R&D. I have gone through the developer's guide and SDK API for openDS as much as possible.

Basically I have a very simple requirement. I will be provided with a 'user-id' and, using that, I have to authenticate whether this user belongs to any of the available groups (defined by me) in the LDAP.

I have managed to do this code snippet:

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ErrorResultException;
import org.forgerock.opendj.ldap.Filter;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;

public void getGroup(String userId) {
    Connection connection = new LDAPConnection().getConnection();
    try {
        // No explicit bind yet so we remain anonymous for now.
        // Escape the caller-supplied userId so it cannot change the structure of the
        // filter (LDAP filter injection); only groups listing this exact member DN match.
        String memberDn = "uid=" + Filter.escapeAssertionValue(userId) + ",ou=People,dc=example,dc=com";
        // searchSingleEntry throws ErrorResultException when zero OR more than one entry
        // matches, so a user who is in several groups ends up in the catch block.
        SearchResultEntry entry = connection.searchSingleEntry(
                "ou=Groups,dc=example,dc=com",
                SearchScope.WHOLE_SUBTREE,
                "(uniqueMember=" + memberDn + ")",
                "cn");
        String cn = entry.getAttribute("cn").firstValueAsString();
        System.out.println("Hello, " + cn + "!");
    } catch (ErrorResultException e) {
        // Report the failure instead of silently discarding the message.
        System.err.println("Group lookup failed: " + e.getMessage());
    } finally {
        closeConnection(connection);
    }
}

Now if I receive a search result then the user belongs to a group, otherwise not. I'm not sure whether this is the way to achieve this. I also looked at something like 'isMemberOf', but I'm not sure whether the API provides such a method or whether that is something else.

Any help is much appreciated. Thanks.

2

There are 2 answers

1
Terry Gardner On BEST ANSWER

The LDAP Client should transmit a search request to the server with the following filter:

'(isMemberOf=<the distinguished name of the entry>)'

and the appropriate base object, filter, and requested attributes. This assumes the server has the isMemberOf virtual attribute enabled.

If only the relative distinguished name component is available, the LDAP client must search for the distinguished name - in this case use (<attribute-type>=<userid>) (for example, '(uid=user.1)') and 1.1 for the requested attribute, which will result in no attributes being returned. The distinguished name is always returned for each matched entry. Then construct the filter with isMemberOf and search again.


0
Ludovic Poitou On

The search above does return the cn of the Group. If you are given a userid and need to check that the user is in a well known group, then the filter "(isMemberOf=

If you search for (&(uid=)(isMemberOf= that is part of the Group.

Kind regards,

Ludovic.
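The combined uid/isMemberOf filter that Ludovic describes, implemented with the OpenDJ LDAP SDK (the successor of the OpenDS SDK) as an added example; this is not code from the question or either answer. The package names, host, port, base DN, group DN and service account are assumptions, and the directory must have the isMemberOf virtual attribute enabled.

```java
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.EntryNotFoundException;
import org.forgerock.opendj.ldap.ErrorResultException;
import org.forgerock.opendj.ldap.Filter;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.SearchScope;

public class GroupMembershipCheck {
    // Hypothetical deployment values; adjust to the directory being queried.
    private static final String PEOPLE_BASE = "ou=People,dc=example,dc=com";
    private static final String ADMINS_GROUP = "cn=Admins,ou=Groups,dc=example,dc=com";

    // Returns true when the entry with the given uid lists groupDn in its isMemberOf
    // virtual attribute. Both caller-supplied values go through Filter.equality(),
    // which escapes them so they cannot change the structure of the filter
    // (LDAP filter injection), unlike string concatenation.
    public static boolean isMemberOf(Connection connection, String userId, String groupDn)
            throws ErrorResultException {
        Filter filter = Filter.and(
                Filter.equality("uid", userId),
                Filter.equality("isMemberOf", groupDn));
        try {
            // "1.1" asks for no attributes: we only care whether an entry matches.
            // searchSingleEntry throws when zero or several entries match; uid is
            // expected to be unique under PEOPLE_BASE, so one match means "member".
            connection.searchSingleEntry(PEOPLE_BASE, SearchScope.WHOLE_SUBTREE,
                    filter.toString(), "1.1");
            return true;
        } catch (EntryNotFoundException e) {
            return false; // no such user, or the user is not in that group
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical host, port and service account; password read from the environment.
        LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", 1389);
        Connection connection = factory.getConnection();
        try {
            // Bind as a service account; anonymous binds may not be allowed to read isMemberOf.
            connection.bind("cn=groupcheck,ou=Services,dc=example,dc=com",
                    System.getenv("LDAP_BIND_PASSWORD").toCharArray());
            System.out.println("user.1 in Admins: "
                    + isMemberOf(connection, "user.1", ADMINS_GROUP));
        } finally {
            connection.close();
        }
    }
}
```

Because the group DN is part of the filter rather than read back from the entry, the check answers "is this user in this known group" in a single round trip; to list all of a user's groups, request the isMemberOf attribute on the user entry instead.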