Query Active Directory users who are managed by given manager's sAMAccountName

1
votes

I'm trying to search active directory users whose manager's username is given in the search request, but I always get 0 records regardless of the manager's username I pass.

To achieve this, I executed the following LDAP query: 

(manager=sAMAccountName=Administrator)

I also tried by manager's common name like this:

(manager=cn=John Smith)

Can anyone write me an LDAP query that returns all users whose manager's sAMAccountName=administrator ?

2
active-directoryldap
without providing what or how you tried to solve this problem, not many people will help you here - benka
Thanks for your advice, I did - Izzeddeen

2 Answers

2
votes

manager has distinguished name syntax, therefore, if manager is used in an assertion, the full DN must be used as the value. Neither of the examples you gave meet this criteria. You must correct the filter to use a distinguished name.

The syntax of manager:

attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager'
  EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'RFC 4524' )

To determine the syntax, use the LDAP Parameters Assignment page. On that page, search for the OID following the SYNTAX keyword (1.3.6.1.4.1.1466.115.121.1.12). That shows that it's DN syntax. Also, the EQUALITY matching rule is distinguishedNameMatch.

An example of an assertion in a filter using the correct syntax:

manager=cn=Manager Number One,ou=managers,ou=people,dc=example,dc=com

All attributes values used in an assertion must have the syntax defined for that attribute type in the schema.

Update

Verify the entries exist with a known good tool such as ldapsearch to ensure that the correct parameters are known for the search request. For example:

$ ldapsearch -h hostname -p port -b 'dc=sahara,dc=local' \
  -D [your-bind-dn] -w [your-bind-dn-password]         \
  -s sub                                               \
  '(manager=cn=Izzeddeen Alkarajeh,ou=managers,ou=people,dc=sahara,dc=local)' \
   1.1

If this search returns no entries, check with the LDAP administrators to ensure that the BIND DN in use has permission o read those entries.

see also

0
votes

I know this is old but I figured out a way to do this in C# that I have yet to find on stackoverflow.

using (var pc = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "samAccountName"))
{
    DirectoryEntry de = (DirectoryEntry)user.GetUnderlyingObject();

    if (de.Properties["directReports"].Count != 0)
        managedFound = de.Properties["directReports"];
}

This will give you a list of strings that you can then parse out the CN using this:

managedUserName = Regex.Match(managedFound.ToString(), @"CN[=].*?[,]").Value.Replace("CN=", "").Replace(",", "");

Then, the following to get the User properties:

UserPrincipal managedUser = UserPrincipal.FindByIdentity(pc, IdentityType.Name, managedUserName);