3
votes

I am new to LDAP (AD) and I wonder how I can retrieve all users of a group if the users themselves don't have the "memberof" attribute (which should link to the group, I think)?

Following LDAP structure:

- Users
  - UserA (memberof=Group1)
  - UserB (memberof=Group1,memberof=Group2)
  - UserN ...
- Groups
  - Group1 (member=UserA,member=UserB)
  - Group2 (member=UserB)
  - GroupX ...
- AppGroups
  - App1 (member=UserA,member=UserB)
  - AppX ...

So how can I query only the users which are members of the App1 group from AppGroups if the users don't have the memberof attribute for this group?

I am trying to achieve this with Alfresco. Querying the groups is no problem, but I can't find a way to also sync the users (and only the users of the group App1).

Thank you in advance!

2
Are you sure the LDAP server implements the memberOf attribute? Not all LDAP server implementations provide memberOf as an attribute. - jwilleke
@jeemster yes, because users have the memberOf attribute (seen in my structure) and they also can be queried/found using the memberOf attribute in the conditions. But they don't have the memberOf attribute for all groups (especially for the group I needed)! - Pali

2 Answers

2
votes

You can either form a query that asks the server to retrieve all users whose memberof attribute contains your group's distinguished name, or, you can turn the logic around and ask the server to give you the member attribute of the group. The member attribute on a group contains all members' distinguished names. You can then obtain additional information about the users by reading the objects one-by-one.

Performance-wise, this is much slower, but if there is no memberof attribute on the users themselves, this might be the only option for you.
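Both approaches from this answer, as an added Python example that is not code from the answer, from Alfresco or from any LDAP library: a constructed in-memory dictionary stands in for the directory, and `read_entry` plays the base-scope read of one DN (the ldap3 `conn.search` call named in its docstring is only a pointer to the real equivalent). It goes beyond the answer by expanding nested groups, surviving membership cycles and stale member DNs, and escaping the group DN before it is placed in a `memberOf` filter.

```python
from typing import Callable, Dict, List, Optional, Set

Entry = Dict[str, List[str]]
BASE = "dc=example,dc=com"  # constructed suffix, not a real directory
# Constructed directory mirroring the question's layout (DN -> attributes): App1 holds
# two users, a nested group that points back at App1 (a cycle) and one stale DN.
DIRECTORY: Dict[str, Entry] = {
    f"cn=UserA,ou=Users,{BASE}": {"objectClass": ["user"]},
    f"cn=UserB,ou=Users,{BASE}": {"objectClass": ["user"]},
    f"cn=UserC,ou=Users,{BASE}": {"objectClass": ["user"]},
    f"cn=Group2,ou=Groups,{BASE}": {"objectClass": ["group"], "member": [
        f"cn=UserC,ou=Users,{BASE}", f"cn=App1,ou=AppGroups,{BASE}"]},
    f"cn=App1,ou=AppGroups,{BASE}": {"objectClass": ["group"], "member": [
        f"cn=UserA,ou=Users,{BASE}", f"cn=UserB,ou=Users,{BASE}",
        f"cn=Group2,ou=Groups,{BASE}", f"cn=Gone,ou=Users,{BASE}"]},
}

def read_entry(dn: str) -> Optional[Entry]:
    """Base-scope read of one object (ldap3: conn.search(dn, '(objectClass=*)', search_scope=BASE, ...))."""
    return DIRECTORY.get(dn)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN embedded in a filter cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def memberof_filter(group_dn: str) -> str:
    """Approach 1: one search for users whose memberOf contains the group DN."""
    return "(&(objectClass=user)(memberOf=%s))" % escape_filter_value(group_dn)

def users_in_group(reader: Callable[[str], Optional[Entry]], group_dn: str) -> List[str]:
    """Approach 2: read the group's member attribute, then read each member DN (nested groups expanded)."""
    found, visited = set(), set()  # user DNs collected / group DNs already expanded

    def walk(dn: str) -> None:
        if dn in visited:
            return  # cycle, or group already expanded
        visited.add(dn)
        group = reader(dn)
        if group is None or "group" not in group.get("objectClass", []):
            return
        for member_dn in group.get("member", []):
            obj = reader(member_dn)
            if obj is None:
                continue  # stale reference: the member object was deleted
            if "group" in obj.get("objectClass", []):
                walk(member_dn)
            else:
                found.add(member_dn)
    walk(group_dn)
    return sorted(found)
```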

1
votes

The 'memberOf' attribute is supported by the memberOf overlay, if:

  • you have configured it
  • you have modified the memberships of this DN since you installed the overlay. It isn't retrospective.