Michael-

AWESOME! Thank you so much for the help. Is it as simple to add users to
the group using the same method? Did you come up with this on your own
or find this info somewhere? Any other tips of things I can look out for
as I'm working with CFLDAP?

John

-----Original Message-----
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 12:08 PM
To: CF-Talk
Subject: RE: LDAP Query for group members

There are a couple of solutions to this issue, however, one is the best.
I'll save that for last, of course.

"Member" is a multi-value attribute in Active Directory.  By default, it
is a comma-delimited value.  As you have found, distinguished names are
also comma-delimited by nature.

You can solve this issue by using CFLDAP's SEPARATOR attribute.  If you
specify a tab char, chr(9), you will get back a tab-separated list of
member distinguished names.  You can then use CFLOOP to loop over each
member.  However, if you want to know the member's first name, you would
have to perform another LDAP query for each member.  That could, and
will, be very slow, if you have a large group.

You will also have a limitation of 1000 members.  Active Directory
returns only 1000 values in a multi-value attribute.  There is a
workaround for this, but it really sucks.  I don't even want to talk
about it.

Basically, this will get you close to what you are doing now, with the
only improvement of a tab-separated list of members.

The best solution comes now...  It is so simple, it will make you
giggle.

Rather than query a group's members, you are better off querying all
users who are a member of a group.

Basically, you will set your filter to be:
"(&(objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain,
DC=com))"

Also, you need to specify the DELIMITER attribute in the CFLDAP tag.
Set it to a tab character chr(9).  You won't be passing any tabs in your
filter, however, this prevents any errors because of the commas in the
group's distinguished name.

Then, in your CFLDAP tag, you can specify all of the user attributes
that you need: givenName, sn, title, department, telephoneNumber, etc.
You will get it all back in one CF query object.

The best part is that you are not limited to the 1000-value limit that
you would have hit by using the first method.

However, you may hit another limit in the number of records that Active
Directory returns via LDAP queries.  By default, I think it may be 1000,
but you can modify your domain controllers to increase that limit.  I
increased our limit to 10,000 records.

If you have this problem, Google "ntdsutil and maxpagesize" or just
click here: http://support.microsoft.com/kb/315071

m!ke

-----Original Message-----
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 9:30 AM
To: CF-Talk
Subject: LDAP Query for group members

I'm trying to find out if there's a simpler way to do this than what I'm
doing. Currently, I'm querying a group from LDAP and retrieving the
attribute called Member which gives me this ugly result set of one
record with all of these domain users' distinguished names instead of
just the AD username. I can parse this, but it's a mess because the
names look like this: CN=User.Name, OU=Users, OU=Location,
OU=Organization, DC=domain, DC=com, CN=User2.Name, OU=Users,.....

The ldap code looks like this currently:

<cfldap action="QUERY"
   name="GetGroupMembers"
   attributes="Member"
   start="dc=[domain],dc=com"
   scope="subtree"
   filter="(&(objectclass=group)(samaccountname=[groupI'mTryingtoGet]))"
   server="[myDomainController]"
   username="[username]"
   password="[password]">

I'd like to find a way to query the names and have them return as a
result set with one row for each user. Obviously, the parsing of the
file would be difficult because of all the commas in a single record but
it's possible because of each record starting with CN. Anyone have a
better way of doing this? Is there some sort of LDAP function you can
pass to get it to return just the username instead of the full DN?
Eventually, I'm assuming I'll hit the same roadblock on querying a
user's groups to see if they're in a specific group. Any information to
make my life easier would be greatly appreciated. Thanks!

John Burns
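
The following is an added example, not code from either poster, written in Python so it runs without a directory server. It builds the memberOf filter from Michael's reply with the group DN escaped per RFC 4515, so parentheses, asterisks or backslashes in a group name cannot alter the filter, and it splits a tab-separated Member value into names even when a CN contains an escaped comma. The function names, the group DN and the sample Member value are constructed for illustration.

```python
import re

# RFC 4515 escapes for characters that have meaning inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string so it is treated as data inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def members_of_filter(group_dn):
    """Build the thread's filter: all persons whose memberOf equals group_dn."""
    return "(&(objectCategory=Person)(memberOf=%s))" % escape_filter_value(group_dn)

def split_dn(dn):
    """Split a DN into RDNs on commas, leaving backslash-escaped commas alone."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts

def _unescape(value):
    """Undo DN escaping: backslash-char pairs and ASCII hex pairs such as 2C."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def member_names(member_value, separator="\t"):
    """Return the first RDN value (the CN) of each DN in a separated Member value."""
    dns = [d for d in member_value.split(separator) if d.strip()]
    return [_unescape(split_dn(d)[0].partition("=")[2]) for d in dns]

# Constructed sample: a tab-separated Member value, one CN containing a comma.
SAMPLE_MEMBER = ("CN=User.Name,OU=Users,OU=Location,OU=Organization,DC=domain,DC=com\t"
                 "CN=Burns\\, John,OU=Users,DC=domain,DC=com")

if __name__ == "__main__":
    print(members_of_filter("CN=Web Admins (EU),OU=Org,DC=domain,DC=com"))
    print(member_names(SAMPLE_MEMBER))
```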



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299740