I'm currently using Python and LDAP to query Active Directory for users.
I have a list of names in First Last form, which is not specific enough to find the exact user.
I would like a filter that would find all users matching 'Last, First*' and belonging to any group with a keyword in it.
```python
_filter = '''(& (objectclass=user) (objectcategory=person) (name={}*) )'''.format(search_string)
```
and I've tried adding...
```
(memberOf=CN=*Keyword*,OU=Delegated,OU=Groups,DC=amr,DC=corp,DC=xxxxxx,DC=com)
```
to my filter, but with no success.
If this was SQL, I would write something like:
```sql
SELECT *
FROM Users
WHERE Users.name LIKE 'First, Last%'
  AND Users.memberOf LIKE 'Keyword%'
```
Update:
After reviewing Gabriel's answer, I'm running this:
```python
import ldap
from ldap.filter import escape_filter_chars

def get_idsids(self, search_string):
    # Escape the name so characters such as ( ) * \ cannot change the filter.
    _filter = '''(& (objectclass=user) (objectcategory=person) (anr={}) )'''.format(
        escape_filter_chars(search_string))
    # Search for user.
    # Will return list of users matching criteria.
    # The results are wrapped up as a list(tuple(dict))) where the dict vals
    # are binary strings or lists of binary strings.
    users = self.con.search_s(ActiveDirUser.BASEDN, ldap.SCOPE_SUBTREE, _filter,
                              ['displayName', 'sAMAccountName', 'memberOf'])
    # This line is ugly... It just converts the results to a list of ids
    # So long as the user has at least one group with 'Keyword' in the name.
    # upper() is used to make the Keyword requirement case insensitive.
    # .get() avoids a KeyError for users that have no memberOf attribute.
    return [user[1]['sAMAccountName'][0].decode()
            for user in users
            if 'KEYWORD' in ''.join(map(str, user[1].get('memberOf', []))).upper()]
```
I do wonder though, could I search for groups with 'Keyword' in the name and build filters from that? Further, would that be faster? I assume it would as AD probably hashes group membership.
I will go do some reading, but I assume group names are wildcard searchable?
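The two-step approach asked about in the update, as an added example that is not part of the original post: `memberOf` holds DNs, and Active Directory does not do substring matching on DN-valued attributes, so the groups are found by `cn` first and their DNs are then used as exact `memberOf` terms. The function names are hypothetical, `con` is assumed to be a bound python-ldap connection, and escaping is done with the standard library only (RFC 4515 rules) so the filter building can be run without a directory.

```python
# Added example (not from the original post). `con` is assumed to be a bound
# python-ldap connection, i.e. any object with a search_s() method.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_value(value):
    """Escape untrusted text so it cannot alter the filter structure."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(keyword):
    """Groups whose cn contains keyword (cn supports substring matching)."""
    return '(&(objectCategory=group)(cn=*{}*))'.format(escape_value(keyword))


def user_filter(name, group_dns):
    """Users matching name via anr who are direct members of any listed group."""
    members = ''.join('(memberOf={})'.format(escape_value(dn)) for dn in group_dns)
    return '(&(objectClass=user)(objectCategory=person)(anr={})(|{}))'.format(
        escape_value(name), members)


def find_ids(con, base_dn, name, keyword):
    """Two searches: resolve the groups first, then filter users server-side."""
    groups = con.search_s(base_dn, SCOPE_SUBTREE, group_filter(keyword), ['cn'])
    # Referral entries come back with a DN of None; skip them.
    group_dns = [dn for dn, _ in groups if dn]
    if not group_dns:
        return []
    users = con.search_s(base_dn, SCOPE_SUBTREE,
                         user_filter(name, group_dns), ['sAMAccountName'])
    return [attrs['sAMAccountName'][0].decode() for dn, attrs in users if dn]
```

`memberOf` lists direct memberships only, so users who reach a matching group through a nested group or as their primary group are not returned by this filter.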