On 10.04.2014 07:06, Sankar P wrote:
> 2014-04-07 21:48 GMT+05:30 Mark Pröhl <[email protected]>:
>> On 07.04.2014 15:55, Dan White wrote:
>>
>>> On 04/07/14 11:06 +0530, Sankar P wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have the SID of an AD group. I want to get the list of members who
>>>> belong to that group. All the documentation pages that I search for
>>>> point me to the reverse only (i.e., getting all the group membership
>>>> information of a user).
>>>>
>>>> Can someone show me the relevant way to get the users who belong to
>>>> a group whose SID I have?
>>>
>>>
>>> ldapsearch -Y DIGEST-MD5 -U joe -H ldap://192.0.2.1 \
>>>   -b "dc=example,dc=com" -s "sub" "objectSid=XXX" dn
>>>
>>
>> As an alternative you can do the following:
>>
>> ldapsearch -b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>' member
>>
>
> I tried to do this using the C OpenLDAP binding and when having
> "objectSid" as the filter, I get the full DN of the group but not its
> members. If I just use "sid" I get nothing. The count of the results
> returned is zero.
>
> My source code is: http://paste.opensuse.org/74038351
>
> Can you help with it? What do I miss? Thanks.
>
<sid=...> is not a search filter, it is the search base. The <>-characters are part of that syntax. You should also restrict the scope of that search to base (LDAP_SCOPE_BASE). So a more complete example (on the command line) would be:

ldapsearch -H ldap://your_dc.example.com \
  -b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>' \
  -s base \
  '(objectClass=*)' member
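To make the base-versus-filter distinction concrete, here is an added example (not code from the thread or from either poster) that builds both searches as plain parameter sets whose keys mirror the ldapsearch options and the ldap_search_ext_s arguments: the <sid=...> base-scoped search from the reply above, and, going a step beyond the thread, the objectSid filter form with the SID encoded into the binary layout AD stores and escaped per RFC 4515, plus the reverse decoding of a binary objectSid value. The SID used in the checks is a constructed one.

```python
"""Added example: build the two AD member-lookup searches from the thread."""
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value (as AD returns it) to its string form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)

def escape_filter_value(raw: bytes) -> str:
    """RFC 4515 escaping: each byte of a binary assertion value as \\xx."""
    return "".join(f"\\{b:02x}" for b in raw)

def member_search_by_sid_base(sid: str) -> dict:
    """The search from the reply: <sid=...> is the BASE DN (angle brackets
    included), scope is base, the filter matches anything, read 'member'."""
    sid_to_bytes(sid)  # reject malformed input before it reaches the server
    return {"base": f"<sid={sid}>", "scope": "base",
            "filter": "(objectClass=*)", "attrs": ["member"]}

def member_search_by_objectsid_filter(sid: str, base: str) -> dict:
    """Alternative: subtree search under a real base DN with objectSid as
    the FILTER, sending the binary value in escaped form."""
    value = escape_filter_value(sid_to_bytes(sid))
    return {"base": base, "scope": "sub",
            "filter": f"(objectSid={value})", "attrs": ["member"]}
```

Whichever form is used, the attribute list must name member explicitly, otherwise only the entry's DN comes back.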
