1
votes

I am trying to create a (single) LDAP filter that will find users with various attributes (status, create date, etc) who are also members of a particular group. Normally the answer would be to filter on the "memberOf" attribute -- but unfortunately users in our directory do not have this attribute -- instead of members referring to their groups, only groups refer to their members (using uniqueMember).

I read in Mr. Tendys' comment in another question that there is an overlay that will add memberOf to users in such cases. For whatever reason, this was not done in our case, and recreating the directory, as Mr. Tendys says is necessary to create the attribute for existing users, is a non-starter.

Currently we can search for the group separately from the other attributes like this:

Group:

BaseDN: ou=groups,dc=mycompany,dc=com
Query: (&(objectClass=groupofuniquenames)(description=My Funky Group))
(And then pull the uniqueMember attributes)

Other attributes:

BaseDN: dc=mycompany,dc=com
Query: (&(objectClass=person)(myCreateDate>=2010-10-27T10:49:42-04:00)(myUserType=E))

Relationally, my instinct is to join the uniqueMember attribute of the group to the DNs we get from the other attribute filter, but my investigation has not shown that this is possible in LDAP.

Admittedly, I am not an LDAP expert. I am much more experienced in the relational database world, but I have been nipping around the edges of LDAP for some time now. All of which is to say that I know some things, but there may be fundamentals I am missing.

How do I "join" these two filters, so I don't have to collate the responses outside of my directory (a Java web service, for what it's worth)?


1 Answer

3
votes

There are no joins in LDAP (unless there is something I haven't discovered yet!) You have to search the group members and check their attributes individually, or enumerate the users with matching attributes and check their group memberships, whichever makes more sense performance-wise.
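The following is an added example, not code from the question or the answer. It shows the client-side collation the answer describes in Python (the asker's web service is Java; the logic ports directly): run the group search and the attribute search as two queries, then intersect the group's uniqueMember DNs with the DNs of the users the attribute search returned. Two details matter in practice and are easy to get wrong. First, DNs coming back from different entries may differ in attribute-type case and in whitespace around the commas, so they have to be normalised before comparison. Second, the group description and each DN are spliced into filter strings, so they must be escaped per RFC 4515 or a value containing `)` or `*` changes the filter's meaning (LDAP filter injection). The attribute names (myCreateDate, myUserType), base DNs and group description are taken from the question; the directory entries are constructed sample data standing in for real search results, and the normaliser assumes caseIgnore matching for the RDN attributes, which holds for cn, ou, dc and uid.

```python
"""Client-side "join" of an LDAP group's uniqueMember list with the result of a
user attribute search, with RFC 4515 filter escaping.  Added example; the
entries below are constructed stand-ins for what the directory would return."""
import re

GROUP_BASE = "ou=groups,dc=mycompany,dc=com"
USER_BASE = "dc=mycompany,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515).
    NUL, '(', ')', '*' and '\\' become \\XX hex escapes; other characters,
    including the '=' and ',' found in a DN, are legal as-is."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_filter(description: str) -> str:
    """Query 1: find the group by description; the caller reads uniqueMember."""
    return "(&(objectClass=groupOfUniqueNames)(description=%s))" % (
        escape_filter_value(description))


def user_filter(min_create_date: str, user_type: str) -> str:
    """Query 2: the attribute search from the question, values escaped."""
    return "(&(objectClass=person)(myCreateDate>=%s)(myUserType=%s))" % (
        escape_filter_value(min_create_date), escape_filter_value(user_type))


def membership_filter(description: str, member_dn: str) -> str:
    """The answer's second strategy: one search per candidate user against the
    group base.  A non-empty result means the DN is listed in uniqueMember.
    The DN is an assertion value here, so it is escaped like any other."""
    return ("(&(objectClass=groupOfUniqueNames)(description=%s)(uniqueMember=%s))"
            % (escape_filter_value(description), escape_filter_value(member_dn)))


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: split on unescaped commas, lower-case
    attribute types and values (assumes caseIgnore matching, true for cn/ou/dc/uid),
    and drop whitespace around the separators.  Multi-valued RDNs ('+') and
    escaped commas inside values are not handled; extend if your DNs use them."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


def join_members_with_users(member_dns, user_entries):
    """The answer's first strategy, collated on the client: keep the entries from
    the attribute search whose DN appears in the group's uniqueMember values."""
    wanted = {normalize_dn(dn) for dn in member_dns}
    return [entry for entry in user_entries if normalize_dn(entry["dn"]) in wanted]


# Constructed sample results.  GROUP_MEMBERS is what the uniqueMember attribute of
# the group found by group_filter() might contain; note Bob's DN differs in case
# and spacing.  USER_RESULTS is what user_filter() might return: Carol is in the
# group but is not type E, Dave matches the attributes but is not in the group.
GROUP_MEMBERS = [
    "cn=Alice Example,ou=people,dc=mycompany,dc=com",
    "CN=Bob Example, OU=People, DC=mycompany, DC=com",
    "cn=Carol Example,ou=people,dc=mycompany,dc=com",
]
USER_RESULTS = [
    {"dn": "cn=Alice Example,ou=people,dc=mycompany,dc=com", "myUserType": "E"},
    {"dn": "cn=Bob Example,ou=people,dc=mycompany,dc=com", "myUserType": "E"},
    {"dn": "cn=Dave Example,ou=people,dc=mycompany,dc=com", "myUserType": "E"},
]


def demo_join():
    """Returns the DNs of users that satisfy both searches."""
    return [e["dn"] for e in join_members_with_users(GROUP_MEMBERS, USER_RESULTS)]


if __name__ == "__main__":
    print(group_filter("My Funky Group"))
    print(user_filter("2010-10-27T10:49:42-04:00", "E"))
    print(demo_join())
    # A hostile value cannot break out of the uniqueMember assertion:
    print(membership_filter("My Funky Group", "cn=x)(objectClass=*"))
```

Which of the two strategies to run first is the performance question the answer raises: if the group is small, fetch its uniqueMember values and do one base-scope search per DN with `user_filter()`; if the attribute search is selective and uniqueMember is indexed, run `user_filter()` once and then `membership_filter()` per result. Either way, the intersection itself happens in the application, not the directory.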