The "memberOf" attribute must be a fully-qualified distinguished name for the group. For example, your group name is "CN=Group1,OU=Marketing,DC=domain,DC=com". Your CFLDAP filter should be:

    FILTER="(& (sAMAccountName=#userName#) (memberOf=CN=Group1,OU=Marketing,DC=domain,DC=com) )"

When you specify the objectClass=group AND the sAMAccountName of a user, they will cancel each other out. The user is not a group object.

Another way to go about this is to select all groups that have a member that matches your user account. First you will need to get the distinguishedName value of the user, then, you use that in the filter of the second CFLDAP query.

Sometimes, I choose this secondary option when it's possible that an LDAP query could return more than 1000 items in an Active Directory attribute. For example, if a user is a member of more than 1000 groups, you can't just return the "memberOf" attribute since Active Directory does not make it easy to return more than 1000 values in a multi-value attribute. However, if you "flip" the logic, you can query Active Directory for all groups that have a particular "member" value.

To see it from another perspective, first, select the user's distinguishedName. You will need that value for the second LDAP query.

    <cfldap name="userDn" attributes="distinguishedName" filter="sAMAccountName=#username#" ... >

The second LDAP query will then return all groups where one of the members matches the variable passed in the filter.

    <cfldap name="groups" attributes="distinguishedName,name" filter="member=#userDn.distinguishedName#" ... >

This is not the best example, since it will be rare that a user would be a member of more than 1000 groups, so here is a better example. You have a single group that contains 1500 members. Your CFLDAP query would filter on the group's DN and return the "member" attribute. If you run that simple query, Active Directory will tell you there are 0 members. This is because the "member" attribute is a multi-value attribute that contains more than 1000 values.

However, if you "flip" the logic, you *can* get Active Directory to give you the desired results. You simply need to query Active Directory for a list of all "users" that are a member of that particular group, using the group DN in the filter. This query will correctly return 1500 records.

This may be a bit more information than needed, but it is a consideration to ensure that you never hit that 1000-value limit that is imposed by Active Directory.

M!ke
_____
From: Dan Lopez [mailto:[EMAIL PROTECTED]
Sent: Fri 11/23/2007 6:25 AM
To: CF-Talk
Subject: Re: Issues with CFLDAP

Ironically, I tried using the samaccountname and things work great! The only issue I have now is sorting by groups. I did use the separator attribute and tried to match up find do a separate query for users within a certain group. Using the memberof just does the same thing, I get blank output. Is there something wrong with my code?

    <cfldap action="query"
        name="getGroups"
        attributes="cn, dn, title, mail, telephonenumber, samaccountname, memberof"
        start="dc=domain,dc=name,dc=net"
        filter="(&(objectclass=group)(sAMAccountName=#usrName#)(memberof=GROUPNAME))"
        server="domain.name.net"
        sort="cn ASC"
        username="domain\#usrName#"
        password="#adminPass#"
        separator=";">
    <cfdump var="#getGroups#" label="Groups">

I even tried to use a cfif statement combined with a REFind and a regular Find, and setting a variable if that specific string was found in the memberof field. I'm still confused on how to use the cfldap, but it's getting better. Thanks for your patience and help.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293757
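
The "flipped" lookups described in the reply above, written out as an added example (not code from the thread): the account name and the DNs are escaped per RFC 4515 before they go into the filter, so that a user-supplied name cannot alter the filter and a DN such as CN=Lopez\, Dan,... does not break it. The names ldapFilterEscape, userName, ldapServer, bindUser, bindPass and baseDn are assumptions, and the queries need a reachable Active Directory server.

```cfml
<cfscript>
// Escape a value for use inside an LDAP search filter (RFC 4515).
// The backslash is replaced first so the later escapes are not re-escaped.
// NUL, the fifth reserved character, is not handled here.
function ldapFilterEscape(value) {
    var s = replace(arguments.value, "\", "\5c", "all");
    s = replace(s, "*", "\2a", "all");
    s = replace(s, "(", "\28", "all");
    s = replace(s, ")", "\29", "all");
    return s;
}
</cfscript>

<!--- Assumed to be set elsewhere: userName, ldapServer, bindUser, bindPass --->
<cfset baseDn  = "DC=domain,DC=com">
<cfset groupDn = "CN=Group1,OU=Marketing,DC=domain,DC=com">

<!--- 1. Resolve the user's DN from the account name. --->
<cfldap action="query" name="userDn"
        attributes="distinguishedName"
        start="#baseDn#" scope="subtree"
        filter="(sAMAccountName=#ldapFilterEscape(userName)#)"
        server="#ldapServer#" username="#bindUser#" password="#bindPass#">

<!--- 2. Flipped lookup: every group whose "member" attribute holds that DN.
      Run it only when step 1 matched exactly one account. --->
<cfif userDn.recordCount EQ 1>
    <cfldap action="query" name="groups"
            attributes="distinguishedName,name"
            start="#baseDn#" scope="subtree"
            filter="(&(objectClass=group)(member=#ldapFilterEscape(userDn.distinguishedName)#))"
            server="#ldapServer#" username="#bindUser#" password="#bindPass#">
    <cfdump var="#groups#" label="Groups for #userName#">
</cfif>

<!--- 3. Large group: ask for the users whose "memberOf" holds the group DN
      instead of reading the group's multi-value "member" attribute.
      Note that objectClass=user also matches computer accounts. --->
<cfldap action="query" name="groupUsers"
        attributes="sAMAccountName,distinguishedName"
        start="#baseDn#" scope="subtree"
        filter="(&(objectClass=user)(memberOf=#ldapFilterEscape(groupDn)#))"
        server="#ldapServer#" username="#bindUser#" password="#bindPass#">
<cfoutput>#groupUsers.recordCount# accounts in #groupDn#</cfoutput>
```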

