So this is a working version of the script (tested on my test IPA).

You save it as executable and run it as:

$./script ipausername

and you will get the group names, separated by a space, that a user is
a member of.

Modify the obvious bits, like kdc.domain.tld, user and password, and base.
You also need the perl-LDAP rpm package.

The user that binds to the LDAP server needs privileges (I do not know
exactly which ones, but as a normal user I cannot see the group
memberships). I have run it as admin and it works. Probably overkill; if
the user you use is a member of the role 'user administrators' it should work
as well. Not tested.


use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Script requires user UID as the only parameter
if ( !defined $ARGV[0] || $ARGV[0] eq '' ) {
    print "ldap-query.pl requires one argument, user's uid\n";
    exit 1;
}

my $user = $ARGV[0];

# Create communication structure for LDAP connection
my $ldap = Net::LDAP->new( 'kdc.domain.tld' ) or die "$@";

# Bind to LDAP with proper user (the bind DN below is a placeholder for the
# admin account: change it together with the password)
my $msg = $ldap->bind(
          "uid=admin,cn=users,cn=accounts,dc=domain,dc=tld",
          password => "pwd",
);
$msg->code and die "bind failed: " . $msg->error;

# search objects filtering in uid, get memberOf attribute only
# (the uid is escaped so a crafted argument cannot alter the filter)
$msg = $ldap->search(
            base => "cn=users,cn=accounts,dc=domain,dc=tld",
            scope => "sub",
            filter => "(uid=" . escape_filter_value($user) . ")",
            attrs => ['memberOf'],   # Net::LDAP expects 'attrs', not 'attr'
);
$msg->code and die "search failed: " . $msg->error;

# get the group membership of $user and print it in a line
for my $entry ( $msg->entries ) {
    my @memberof = $entry->get_value( 'memberOf') ;

    # the memberof attr is a full dn but we only want the cn, so we
    # use the map function to strip everything else
    @memberof = map { s/^cn=(.*),cn=groups.*/$1/g; $_ } @memberof;

    # admin users or users with delegated privileges are members of groups
    # names containing spaces, we skip those. If this is not what you want,
    # you need to adapt the for loop
    for ( @memberof ) {
        next if /(replication |add |host|uniqueid|unlock |manage |trust )/ ;
        print "$_" . " " ;
    }
    print "\n";
}

$ldap->unbind;

have fun!
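The two fragile steps in the script above are pasting the uid straight into the search filter and pulling the group name out of the memberOf DN with a regex. The following is an added example, not code from the original post, that does both robustly on constructed memberOf values: the filter value is escaped per RFC 4515, and each DN is split per RFC 4514 so groups are selected by their container (cn=groups,cn=accounts) instead of by keyword; the base DN dc=domain,dc=tld is assumed from the post.

```python
import re

SAMPLE_MEMBEROF = [  # constructed values, not taken from a real IPA server
    'cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=tld',
    'cn=admins,cn=groups,cn=accounts,dc=domain,dc=tld',
    'cn=User Administrator,cn=roles,cn=accounts,dc=domain,dc=tld',
    'cn=Group Administrators,cn=privileges,cn=pbac,dc=domain,dc=tld',
    'cn=ops\\, east,cn=groups,cn=accounts,dc=domain,dc=tld',
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a filter such as (uid=...)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # escaped char: copy both
            cur.append(dn[i:i + 2])
            i += 1
        elif dn[i] == ',':
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur).strip())
    return rdns

def unescape_rdn_value(value):
    """Turn '\\,' and '\\2c' style escapes (RFC 4514) back into literal characters."""
    return re.sub(r'\\([0-9a-fA-F]{2}|.)',
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def group_names(memberof, base_dn='dc=domain,dc=tld'):
    """Return the cn of each memberOf DN that sits directly under cn=groups,cn=accounts."""
    # Roles (cn=roles,cn=accounts) and privileges (cn=privileges,cn=pbac) are
    # excluded by container, not by keyword as the Perl script does.
    container = [r.lower() for r in split_dn('cn=groups,cn=accounts,' + base_dn)]
    names = []
    for dn in memberof:
        rdns = split_dn(dn)
        if [r.lower() for r in rdns[1:]] != container:
            continue
        attr, _, value = rdns[0].partition('=')
        if attr.strip().lower() == 'cn':
            names.append(unescape_rdn_value(value))
    return names
```

`' '.join(group_names(SAMPLE_MEMBEROF))` gives the same space-separated line the Perl script prints, with a group name containing an escaped comma recovered intact.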

