I've encountered some problems that seem like there should be a better solution to them.
In Go:
I succeed in retrieving the CN from a group (I am also able to traverse nested groups). Looping over each of the users, I thought that I could use the CN to get the "sAMAccountName" for that user
(userAccountControl is there to remove disabled users; I also tested without it).
```go
import (
	"gopkg.in/ldap.v2"
)

// First search for members in the group (l is an already bound *ldap.Conn)
sr, err := l.Search(&ldap.SearchRequest{
	BaseDN:     "dc=ad,dc=some",
	Scope:      2, // subtree
	Filter:     "(&(objectCategory=group)(cn=TheGroup)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
	Attributes: []string{"member", "cn", "dn"},
})
```
Looping through the users from the reply:

Example1: user="CN=Some\, Name,OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example2: user="CN=Some, Name,OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example3: user=\"CN="Some, Name\",OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"
Example4: user="CN='Some, Name',OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some"

```go
// Second search: look up the user by the member value taken from the group
filter := fmt.Sprintf("(%s)", user)
result, err := l.Search(&ldap.SearchRequest{
	BaseDN:     "dc=ad,dc=some",
	Scope:      2, // subtree
	Filter:     filter,
	Attributes: []string{"sAMAccountName"},
})
```
Workaround (with problems):

```go
user = "Some Name"
filter := fmt.Sprintf("(&(anr=%s)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", user)
```

The current workaround is to use anr, but then I fail to combine the search with the group that I initially searched for...
I believe it should work (and even faster) to get a given object directly, since you already have the user's DN. I would use the user's DN as the base DN (without any escaping) and set the scope to base. Unfortunately I don't have an AD with commas in CNs to run a test.

BTW, the userAccountControl attribute is defined on user objects, not groups. If you wish to filter that way, it might actually be easier to resolve the group name to a DN and then issue a single search to get all the users, i.e.:

(&(objectCategory=group)(cn=TheGroup)) with scope subtree and attribute dn,

(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=TheGroupDN)) with scope subtree and attribute sAMAccountName.

This way you would issue just two queries instead of querying each user separately.
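As an added example (not part of the question or of the answer above), here is how the two approaches from the answer look when the request parameters are built in Go, with every value that is spliced into a filter escaped per RFC 4515. The `SearchParams` struct, the scope constants and the sample DNs are assumptions of this example standing in for `ldap.SearchRequest` so that it runs without the gopkg.in/ldap.v2 module; the library's own `ldap.EscapeFilter` performs the same escaping as the `EscapeFilter` written out here.

```go
package main

import (
	"fmt"
	"strings"
)

// Same numeric values as ldap.ScopeBaseObject / ldap.ScopeWholeSubtree.
const (
	ScopeBaseObject   = 0
	ScopeWholeSubtree = 2
)

// SearchParams is a stand-in (assumption) for the ldap.SearchRequest fields
// used here, so the example runs without the ldap module.
type SearchParams struct {
	BaseDN     string
	Scope      int
	Filter     string
	Attributes []string
}

// EscapeFilter escapes an assertion value per RFC 4515 so it can be spliced
// into a filter: '*', '(', ')', '\', NUL and bytes above 0x7f become "\xx".
// A comma is NOT special inside a filter, only inside a DN. This mirrors
// ldap.EscapeFilter from go-ldap; reimplemented to stay dependency-free.
func EscapeFilter(value string) string {
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		if c > 0x7f || c == '(' || c == ')' || c == '\\' || c == '*' || c == 0 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserByDN is the answer's first suggestion: a member value is already a DN,
// so read that one object with a base-scope search. The DN goes into BaseDN
// unchanged (it is DN-escaped already, e.g. "CN=Some\, Name") and the filter
// is the catch-all "(objectClass=*)", so nothing from the DN enters a filter.
func UserByDN(memberDN string) SearchParams {
	return SearchParams{
		BaseDN:     memberDN,
		Scope:      ScopeBaseObject,
		Filter:     "(objectClass=*)",
		Attributes: []string{"sAMAccountName", "userAccountControl"},
	}
}

// GroupDNLookup is query 1 of the two-query approach: resolve a group CN to
// its DN. The CN is filter-escaped because it is untrusted input.
func GroupDNLookup(baseDN, groupCN string) SearchParams {
	return SearchParams{
		BaseDN:     baseDN,
		Scope:      ScopeWholeSubtree,
		Filter:     fmt.Sprintf("(&(objectCategory=group)(cn=%s))", EscapeFilter(groupCN)),
		Attributes: []string{"distinguishedName"},
	}
}

// EnabledMembersOf is query 2: every enabled user whose memberOf holds the
// group DN. The DN is an assertion value here, so the backslash that
// DN-escapes a comma ("Some\, Name") must itself be filter-escaped to "\5c".
func EnabledMembersOf(baseDN, groupDN string) SearchParams {
	filter := fmt.Sprintf("(&(objectClass=user)(objectCategory=person)"+
		"(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=%s))",
		EscapeFilter(groupDN))
	return SearchParams{BaseDN: baseDN, Scope: ScopeWholeSubtree, Filter: filter,
		Attributes: []string{"sAMAccountName"}}
}

// ANRFilter is the asker's anr workaround with the value escaped, which stops
// a name such as "*)(objectClass=*" from rewriting the filter.
func ANRFilter(name string) string {
	return fmt.Sprintf("(&(anr=%s)(objectCategory=person)(objectClass=user))", EscapeFilter(name))
}

func main() {
	// Constructed sample values, not taken from a real directory.
	const baseDN = "dc=ad,dc=some"
	memberDN := `CN=Some\, Name,OU=ABCD,OU=UsersInternal,OU=Users,OU=DEFG,OU=HIJ,DC=ad,DC=some`
	groupDN := `CN=TheGroup,OU=Groups,DC=ad,DC=some`
	for _, p := range []SearchParams{UserByDN(memberDN), GroupDNLookup(baseDN, "TheGroup"), EnabledMembersOf(baseDN, groupDN)} {
		fmt.Printf("base=%q scope=%d\n  filter=%s\n  attrs=%v\n", p.BaseDN, p.Scope, p.Filter, p.Attributes)
	}
	fmt.Println("unescaped:", fmt.Sprintf("(anr=%s)", "*)(objectClass=*"))
	fmt.Println("escaped:  ", ANRFilter("*)(objectClass=*"))
}
```

The security point is in the last two lines of `main`: the asker's `fmt.Sprintf("(&(anr=%s)...", user)` splices a display name into the filter verbatim, so a name containing `*)(` changes which objects match (LDAP filter injection); escaping closes that, and the base-scope lookup on the member DN avoids interpolating the DN into a filter at all.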