The tokenGroups attribute is a special constructed attribute that can only
be returned on a base level search due to computational complexity of
populating the information on the server side.

  joe

--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
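An added example, not from this thread: the two-step retrieval joe describes (subtree search to find the DN, then a base-scope search on that DN for tokenGroups), with a fake in-memory directory standing in for AD and a decoder for the binary SIDs tokenGroups returns. The domain SID, DN and group RIDs are constructed samples.

```python
import struct
from typing import Callable, List

# Constructed sample domain SID and object DN used by the fake directory below.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_DN = "CN=user1,CN=Users,DC=example,DC=test"

def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID (the form tokenGroups returns) into S-1-... text."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, blob, 8)    # little-endian DWORDs
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed samples."""
    parts = text.split("-")[1:]
    revision, authority, subs = int(parts[0]), int(parts[1]), [int(p) for p in parts[2:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def token_groups(search: Callable, base_dn: str, sam: str) -> List[str]:
    # Step 1: subtree search only to locate the object; tokenGroups is not requested here.
    hits = search(base_dn, "sub", "(sAMAccountName=%s)" % escape_filter(sam), ["distinguishedName"])
    if len(hits) != 1:
        raise LookupError("expected exactly one match for %r, got %d" % (sam, len(hits)))
    # Step 2: base-scope search on the object itself, the only scope AD computes tokenGroups for.
    entry = search(hits[0]["dn"], "base", "(objectClass=*)", ["tokenGroups"])
    return sorted(sid_to_string(b) for b in entry[0]["attrs"].get("tokenGroups", []))

def fake_search(base_dn, scope, flt, attrs):
    """Stand-in for an LDAP connection; mimics the Operations error seen in the thread."""
    if "tokenGroups" in attrs and scope != "base":
        raise RuntimeError("result: 1 Operations error (tokenGroups needs base scope)")
    if scope == "sub" and "user1" in flt:
        return [{"dn": SAMPLE_DN, "attrs": {}}]
    if scope == "base" and base_dn == SAMPLE_DN:
        sids = [string_to_sid(DOMAIN_SID + "-513"), string_to_sid(DOMAIN_SID + "-512")]
        return [{"dn": SAMPLE_DN, "attrs": {"tokenGroups": sids}}]
    return []

if __name__ == "__main__":
    print(token_groups(fake_search, "CN=Users,DC=example,DC=test", "user1"))
```

With a real connection, pass a wrapper around your LDAP library's search call that takes (base_dn, scope, filter, attrs) and returns entries with a "dn" and an "attrs" dict of raw byte values.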
On Thu, Dec 20, 2012 at 9:54 PM, ctosgh <[email protected]> wrote:

> Hi, World
> I have one question about my recent work on LDAP.
> Why I can't get tokenGroups back but can get other attributes back with
> following search against an AD server?
> [root@fc11-lab ~]# ldapsearch -x -D
> "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b
> "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389"
> "sAMAccountName=user1" cn whenChanged userPrincipalName tokenGroups
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
> # filter: sAMAccountName=user1
> # requesting: cn whenChanged userPrincipalName tokenGroups
> #
> # search result
> search: 2
> result: 1 Operations error
> text: 00002120: SvcErr: DSID-03140293, problem 5012 (DIR_ERROR), data 0
> # numResponses: 1
>
>
> However, if I do NOT request the tokenGroups attribute I get a successful
> response.
> [root@fc11-lab ~]# ldapsearch -x -D
> "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b
> "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389"
> "sAMAccountName=user1" cn whenChanged userPrincipalName
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
> # filter: sAMAccountName=user1
> # requesting: cn whenChanged userPrincipalName
> #
> # user1, Users, jacky.org.cn
> dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn
> cn: user1
> whenChanged: 20121221012448.0Z
> userPrincipalName: [email protected]
> # search result
> search: 2
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
>
>
> I do see entry "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn" has the attribute
> tokenGroups on AD.
>
> Any thoughts? TIA
>
> Thanks,
> Jacky