I'm working on a plain Java command line program which performs a recursive LDAP search with Spring LDAP, starting from a specified group and collecting all the users from the specified group and its subgroups.
The search fails to find anything if the group distinguished name contains organisational units (OU), but works in other cases.
Here is the short version of the implementation, recursion omitted:
import java.util.List;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

private void searchLdapGroup(List<UserDTO> users, LdapTemplate ldapTemplate, String groupName) {
    // recursion guard omitted
    // search base = everything after the group's first RDN, i.e. the group's parent container
    String base = groupName.substring(groupName.indexOf(',') + 1);
    AndFilter filter = new AndFilter().and(new EqualsFilter("objectclass", "group")).and(new EqualsFilter("memberof", groupName));
    List<String> subgroups = ldapTemplate.search(base, filter.encode(), new GroupNameMapper());
    // recursive calls for subgroups omitted
    getAllUsers(users, ldapTemplate, groupName, base);
}

private void getAllUsers(List<UserDTO> users, LdapTemplate ldapTemplate, String groupName, String base) {
    AndFilter filter = new AndFilter().and(new EqualsFilter("objectclass", "person")).and(new EqualsFilter("memberof", groupName));
    // Paged search omitted.
    List<UserDTO> result = ldapTemplate.search(base, filter.encode(), new UserAttributesMapper());
    // adding result to users omitted
}
The GroupNameMapper returns distinguishedName as Strings, and UserAttributesMapper returns user objects built from different attributes such as sAMAccountName and givenName.
The code (with recursion) finds all the 36 users in the first test group, where the specified group is like:
In the same test environment it returns zero persons and subgroups when the group distinguished name contains one or more organisational units, such as
This can't be due to a wrong group distinguished name, "memberof" not working or the group containing no users, since I tested lookup:
String[] test = (String[]) ldapTemplate.lookup("CN=import_users,OU=testou,DC=example,DC=test,DC=org", new ContextMapper() {
    public Object mapFromContext(Object ctx) {
        DirContextAdapter adapter = (DirContextAdapter) ctx;
        return adapter.getStringAttributes("Member");
    }
});
which finds
CN=John Doe,CN=Users,DC=example,DC=test,DC=org
and lookup for the user John Doe:
String[] test = (String[]) ldapTemplate.lookup("CN=John Doe,CN=Users,DC=example,DC=test,DC=org", new ContextMapper() {
    public Object mapFromContext(Object ctx) {
        DirContextAdapter adapter = (DirContextAdapter) ctx;
        return adapter.getStringAttributes("memberof");
    }
});
gives results:
CN=import_users,OU=testou,DC=example,DC=test,DC=org
CN=import_users,CN=Users,DC=example,DC=test,DC=org
How come the search does not find anything when organisational units are involved?
Library used: spring-ldap-core - 2.0.4.RELEASE
The devil is in the details:
The member of the group CN=import_users,OU=testou,DC=example,DC=test,DC=org is
CN=John Doe,CN=Users,DC=example,DC=test,DC=org
But you appear to be searching for users under
That is, it appears all users are under CN=Users,DC=example,DC=test,DC=org, but when you are actually searching for users you assume they are placed relative to the group.
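Following the answer's point, as an added example (not code from the question or the answer): search from the domain root built from the group's DC components instead of from the group's parent container, with a visited set so nested-group cycles terminate. GroupWalker, domainRootOf and memberFilter are assumed names; the attribute names sAMAccountName and distinguishedName are those the question mentions.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

public class GroupWalker {
    private final LdapTemplate ldapTemplate;

    public GroupWalker(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    // "CN=import_users,OU=testou,DC=example,DC=test,DC=org" -> "DC=example,DC=test,DC=org".
    // getRdns() lists RDNs root-first, so appending only the DC components rebuilds the domain root.
    static String domainRootOf(String dn) throws InvalidNameException {
        LdapName root = new LdapName("");
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("DC".equalsIgnoreCase(rdn.getType())) root.add(rdn);
        }
        return root.toString();
    }

    // sAMAccountName of every user in the group and its nested groups, searched from the domain root
    public List<String> collectUsers(String groupDn) throws InvalidNameException {
        List<String> users = new ArrayList<>();
        walk(groupDn, domainRootOf(groupDn), new HashSet<>(), users);
        return users;
    }

    private void walk(String groupDn, String base, HashSet<String> visited, List<String> users) {
        if (!visited.add(groupDn.toLowerCase())) return; // recursion guard: nested-group cycles are legal
        // EqualsFilter escapes the DN, so '(' or '*' in a group name cannot change the filter's meaning
        users.addAll(ldapTemplate.search(base, memberFilter("person", groupDn),
                (AttributesMapper<String>) attrs -> attrs.get("sAMAccountName").get().toString()));
        List<String> subgroups = ldapTemplate.search(base, memberFilter("group", groupDn),
                (AttributesMapper<String>) attrs -> attrs.get("distinguishedName").get().toString());
        for (String sub : subgroups) walk(sub, base, visited, users);
    }

    private static String memberFilter(String objectClass, String groupDn) {
        return new AndFilter().and(new EqualsFilter("objectclass", objectClass))
                              .and(new EqualsFilter("memberof", groupDn)).encode();
    }
}
```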