How do I query large security groups with LDAP?

Gare Bear · Jul 12, 2013 · Viewed 9k times

LDAP Library: python-ldap

I am trying to query a security group with around 1,000 users to get the list of members. These are my search preferences I am using to query a security group.

Filter: (&(objectCategory=Group)(distinguishedName=cn=SomeGroup,dc=foo,dc=bar))
base dn: cn=SomeGroup,dc=foo,dc=bar
attributes: ['member']

I know that this query works with smaller groups because I have tested it and received the list of members it contains.

I have also tried implementing paged group searching, but it doesn't return anything in its payload and instead returns an empty error message. My paging size is 1, so getting too many users with paging shouldn't be a problem. I have tested my paged searching on organizationalUnits (OU), so I know it's implemented correctly.

Any help or suggestions would be greatly appreciated.

Answer

Robert Rossmann · Jul 13, 2013

To get a list of members of a specific group, you should use a memberof search filter:

Filter: (&(memberof=cn=SomeGroup,dc=foo,dc=bar))
Attributes: whatever you want to know about the members
Base DN: I recommend to set this to your directory root (dc=foo,dc=bar) to ensure you get the complete list of members

If you want to do it the opposite way (reading the members' distinguished names from the group), you should perform a read operation with a dummy filter (objectclass=*) and the base DN set to the distinguished name of the group, and request the member attribute.
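Both lookups from the answer, written out as an added example in the python-ldap style the question uses (this is not code from the question, the answer, or the python-ldap project). The module does not import python-ldap so it runs offline: any object with a `search_s(base, scope, filterstr, attrlist)` method returning `[(dn, {attr: [bytes, ...]}), ...]`, which is the shape python-ldap's `LDAPObject.search_s` returns, can be passed in, and a constructed `FakeDirectory` stands in for the server. The scope constants carry python-ldap's values. The directory names (`dc=foo,dc=bar`, `cn=SomeGroup`) are the ones from the question; the user entries and the 2-value range size are constructed. It goes one step beyond the answer for large groups: Active Directory caps the number of values returned for a multi-valued attribute per response (1500 by default) and hands them back under `member;range=0-1499`, so the group-read function follows those ranges until the server marks the last one with `-*`. The group DN is escaped per RFC 4515 before it is placed in the filter, so a caller-supplied name cannot change the filter's structure.

```python
"""Two ways to list a group's members over LDAP, as described in the answer.

Added example, not part of the original post.  Works against any connection
object exposing search_s(base, scope, filterstr, attrlist) with python-ldap's
return shape; FakeDirectory below is a constructed stand-in for a server.
With the real library the connection would come from
    conn = ldap.initialize("ldaps://dc.foo.bar"); conn.simple_bind_s(user, pw)
"""
import re

SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2   # same values as python-ldap

# Matches AD's ranged attribute names, e.g. member;range=0-1499 or member;range=3000-*
_RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter (same job as
    ldap.filter.escape_filter_chars), so '*', '(', ')', '\\' and NUL in a
    caller-supplied group name are data, not filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def memberof_search(conn, root_dn, group_dn, attrs=("sAMAccountName",)):
    """Answer's first approach: subtree search from the directory root for
    entries whose memberOf holds the group's DN.  Returns [(dn, attrs), ...]."""
    filt = "(memberOf=%s)" % escape_filter_value(group_dn)
    return conn.search_s(root_dn, SCOPE_SUBTREE, filt, list(attrs))


def group_member_dns(conn, group_dn):
    """Answer's second approach: base-scope read of the group entry with the
    dummy filter (objectClass=*), asking for 'member'.  Follows AD range
    retrieval (member;range=a-b) until the final 'a-*' slice arrives."""
    members = []
    wanted = "member"
    while True:
        result = conn.search_s(group_dn, SCOPE_BASE, "(objectClass=*)", [wanted])
        if not result:
            raise LookupError("group not found: %s" % group_dn)
        _dn, entry = result[0]
        # The server answers with plain 'member' (small group) or a ranged key.
        key = next((k for k in entry if k.lower() == "member" or _RANGE_RE.match(k)), None)
        if key is None:
            return members                      # empty group: no member attribute
        members.extend(v.decode("utf-8") for v in entry[key])
        m = _RANGE_RE.match(key)
        if m is None or m.group(2) == "*":
            return members                      # unranged, or this was the last slice
        wanted = "member;range=%d-*" % (int(m.group(2)) + 1)


class FakeDirectory:
    """Constructed stand-in for a connection: one group whose members are
    served back RANGE values per response, like AD with a tiny MaxValRange."""
    RANGE = 2

    def __init__(self, group_dn, member_dns):
        self.group_dn = group_dn
        self.member_dns = list(member_dns)

    def search_s(self, base, scope, filterstr, attrlist=None):
        if scope == SCOPE_SUBTREE and filterstr.lower().startswith("(memberof="):
            if filterstr[len("(memberof="):-1] != escape_filter_value(self.group_dn):
                return []
            return [(dn, {"sAMAccountName": [dn.split(",")[0][3:].encode()]})
                    for dn in self.member_dns]
        if scope == SCOPE_BASE and base == self.group_dn:
            if not self.member_dns:
                return [(base, {})]             # AD omits an empty attribute entirely
            start = 0
            for a in attrlist or []:
                m = _RANGE_RE.match(a)
                if m:
                    start = int(m.group(1))
            end = min(start + self.RANGE, len(self.member_dns))
            last = end == len(self.member_dns)
            key = "member;range=%d-%s" % (start, "*" if last else end - 1)
            return [(base, {key: [dn.encode() for dn in self.member_dns[start:end]]})]
        return []


if __name__ == "__main__":
    group = "cn=SomeGroup,dc=foo,dc=bar"
    users = ["cn=user%d,ou=people,dc=foo,dc=bar" % i for i in range(5)]
    directory = FakeDirectory(group, users)
    print("via memberOf:", [dn for dn, _ in memberof_search(directory, "dc=foo,dc=bar", group)])
    print("via group read:", group_member_dns(directory, group))
```

Against a real server, replace `FakeDirectory` with a bound python-ldap connection; the memberOf search also needs `SimplePagedResultsControl` if the member count exceeds the server's size limit, while the group read never returns more than one entry and so only needs the range handling shown.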