Is there a way to write an LDAP search filter string or base DN syntax to get user with matching sAMAccountName
property when the target base DN's lowest elements are Group CNs (not actually users/Person objects)? Never worked with LDAP querying before, so I don't have a great understanding of how to do this.
Have an AD path of Group CNs like...
DC=myorg,DC=local
OU=datagroups
OU=zones
CN=group1
CN=group2
...
...and have two parameters that I have available for matching against a login string:
- A base DN (OU=zones,OU=datagroups,DC=myorg,DC=local) that will be accepted as the base arg by the python-ldap.search_s() function.
- A sAMAccountName that will be used as the filterstr arg in the python-ldap.search_s() function. The default format is 'sAMAccountName={login}'
Have also tried
base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
search_filter = (&(sAMAccountName={login})(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))
to no avail.
Anyone with more experience know how I can do this? Anything I appear to be misunderstanding about the situation (since again, I don't work w/ LDAP querying very often)?
After learning more about how LDAP queries work from others...
Base DN needs to be where the object you want is found, not the groups. memberOf and sAMAccountName are properties of the user object, so the query you are writing is saying something like...
"search OU=zones,OU=datagroups,DC=myorg,DC=local for any object that has the property sAMAccountName of {login} and the memberOf property of CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local or CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local".
Groups contain a member property that will give you all the user DNs, but they do not usually contain the sAMAccountName in them, so you would need to get all the members of each group and then look up the object properties for each member.
I thus changed my baseDN to be DC=myorg,DC=local to get it to search the whole domain for the objects.
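The example below is added here and is not part of the question or the answer. It models the point made above without a live directory: a subtree search only sees entries at or below the base DN, so a base of OU=zones returns nothing for a user stored elsewhere, while DC=myorg,DC=local does. It also shows the caveat a practitioner would want before using the default 'sAMAccountName={login}' format: the login must be escaped per RFC 4515 before it is spliced into the filter, otherwise a value such as "*)(objectClass=*" rewrites the query (python-ldap ships this as ldap.filter.escape_filter_chars; the function here is a reimplementation so the block runs without python-ldap). The directory entries, the user "Jane Doe"/"jdoe" and the OU=people container are constructed sample data; the DN normalizer is a simplification that ignores escaped commas.

```python
"""Added example: model of an AD subtree search with a properly escaped filter.
Not the original poster's code; it does not talk to a server."""

# RFC 4515 escaping for a value embedded in a search filter.
# python-ldap provides the equivalent as ldap.filter.escape_filter_chars().
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login, zone_dns):
    """Return (&(sAMAccountName=<login>)(|(memberOf=<zone>)...)) with escaping."""
    member_terms = "".join(
        "(memberOf=%s)" % escape_filter_value(dn) for dn in zone_dns
    )
    return "(&(sAMAccountName=%s)(|%s))" % (escape_filter_value(login), member_terms)


def normalize_dn(dn):
    """AD DNs are case-insensitive; lowercase and strip whitespace around commas.
    Simplification: escaped commas inside an RDN value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn, base_dn):
    """SCOPE_SUBTREE semantics: the entry is the base itself or lies below it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


# Constructed sample directory. The groups live under OU=zones; the user object
# lives under OU=people. Attribute values are lists, as python-ldap returns them.
DIRECTORY = {
    "CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=Jane Doe,OU=people,DC=myorg,DC=local"],
    },
    "CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local": {
        "objectClass": ["group"],
        "member": [],
    },
    "CN=Jane Doe,OU=people,DC=myorg,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local"],
    },
}

ZONES = [
    "CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local",
    "CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local",
]


def find_user_in_zones(directory, base_dn, login, zone_dns):
    """Model of search_s(base_dn, SCOPE_SUBTREE, build_filter(login, zone_dns)).
    Evaluates the same condition directly on the entries' attributes and
    returns the DNs of the matches."""
    wanted = {normalize_dn(z) for z in zone_dns}
    hits = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn):
            continue  # outside the search base: the server never considers it
        if login not in attrs.get("sAMAccountName", []):
            continue
        if not any(normalize_dn(g) in wanted for g in attrs.get("memberOf", [])):
            continue
        hits.append(dn)
    return hits


if __name__ == "__main__":
    # Base restricted to the group container: the user object is out of scope.
    print(find_user_in_zones(DIRECTORY, "OU=zones,OU=datagroups,DC=myorg,DC=local", "jdoe", ZONES))
    # Base at the domain root: the user is found via its memberOf values.
    print(find_user_in_zones(DIRECTORY, "DC=myorg,DC=local", "jdoe", ZONES))
    print(build_filter("jdoe", ZONES))
    # Hostile login: escaping keeps it a literal value instead of new filter syntax.
    print(build_filter("*)(objectClass=*", ZONES))
```

Against a real server the string from build_filter() is what you pass as filterstr, e.g. conn.search_s(base_dn, ldap.SCOPE_SUBTREE, build_filter(login, ZONES), ["distinguishedName"]), with the base set to the container that actually holds the user objects (or the domain root, as the answer does). Escaping is the part that the default 'sAMAccountName={login}' format silently omits.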