[python-ldap] base and filterstr combination for search_s() function to get user with matching `sAMAccountName` when base DN's lowest elements are just Group CNs?

William Brown william at blackhats.net.au
Wed Apr 7 20:00:16 EDT 2021



> On 7 Apr 2021, at 16:19, Reed Villanueva <villanuevareed at gmail.com> wrote:
> 
> Is there a way to write an LDAP search filter string or base DN syntax to get user with matching sAMAccountName property when the target base DN's lowest elements are Group CNs (not actually users/Person objects)? Never worked with LDAP querying before, so don't have a great understanding on how to do this.
> 
> Have an AD path of Group CNs (where the users therein are defined in multiple other locations) like...
> 
> DC=myorg,DC=local
>     OU=datagroups
>         OU=zones
>             CN=group1
>             CN=group2
>             ...
> 
> ...and have two parameters that I have available for matching against a login string:
> 
> 	• A single base DN (eg. OU=zones,OU=datagroups,DC=myorg,DC=local) that will be accepted as a base arg by a python-ldap.search_s() function.
> 	• A search filter string to act on that base DN and return a single user/Person with matching sAMAccountName that will be used as the filterstr arg in the python-ldap.search_s() function. The default format is 'sAMAccountName={login}'
> Have also tried...
> 
> base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
> search_filter = (&({login}=sAMAccountName)(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))
> 

I think the mistake is here: You should have sAMAccountName={login}, not the other way around.

To help a bit, this blog may help: https://fy.blackhats.net.au/blog/html/pages/ldap_guide_part_2_searching.html 

It explains how search filters work a bit more, and the scopes. In this case, provided you are using SCOPE_SUBTREE, what you have will work. 

Hope that helps, 

> ...to no avail.
> 
> Anyone with more experience know how I can do this? Anything I appear to be misunderstanding about the situation (since again, I don't work w/ LDAP querying very often)?
> _______________________________________________
> python-ldap mailing list
> python-ldap at python.org
> https://mail.python.org/mailman/listinfo/python-ldap

--
Sincerely,

William
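To make the two points in the reply concrete (attribute on the left of the `=`, and a subtree scope so the search descends from the base), here is an added worked example. It is my code, not code from either post or from python-ldap itself. It builds the filter with RFC 4515 escaping of the login and group DNs, since interpolating a raw login into `'sAMAccountName={login}'` lets a value like `*` or `x)(objectClass=*` rewrite the filter (python-ldap ships `ldap.filter.escape_filter_chars` for the same purpose; the escaping is inlined here so the block runs without the library). Two assumptions beyond the thread: the base DN is an ancestor of the user entries (the filter only narrows what is already under the base, and `memberOf` lives on the user object, not the group, so for the layout in the question that means `DC=myorg,DC=local` rather than the zones OU), and the `FakeDirectory` class, its entries and its referral URL are constructed stand-ins for a live `ldap.LDAPObject`.

```python
"""sAMAccountName lookup restricted to zone groups, with filter escaping.

Added example, not from the original posts. python-ldap is imported only if
it is installed so the filter helpers run (and can be tested) without it.
"""
from typing import Sequence

try:
    import ldap  # python-ldap
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:
    SCOPE_SUBTREE = 2  # LDAP wholeSubtree scope; same value as ldap.SCOPE_SUBTREE

# RFC 4515 section 3: these characters must be escaped inside a filter value,
# otherwise the value can change the filter's structure (LDAP filter injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, group_dns: Sequence[str] = ()) -> str:
    """Return (&(sAMAccountName=<login>)(|(memberOf=<dn>)...)) with values escaped.

    Attribute on the left, value on the right. With no groups given the
    memberOf restriction is omitted entirely.
    """
    clauses = [f"(sAMAccountName={escape_filter_value(login)})"]
    if group_dns:
        members = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
        clauses.append(f"(|{members})")
    return f"(&{''.join(clauses)})"


def find_user(conn, base_dn: str, login: str, group_dns: Sequence[str] = ()):
    """Return the single matching (dn, attrs) tuple, or None if nobody matched.

    `conn` is anything with python-ldap's search_s(base, scope, filterstr,
    attrlist) signature. Active Directory answers a subtree search from the
    domain root with continuation references, which python-ldap hands back as
    (None, [urls]) tuples; those are dropped before counting real entries.
    """
    results = conn.search_s(
        base_dn, SCOPE_SUBTREE, build_user_filter(login, group_dns),
        ["distinguishedName", "sAMAccountName", "memberOf"],
    )
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) > 1:
        raise LookupError(f"{len(entries)} entries matched sAMAccountName={login!r}")
    return entries[0] if entries else None


class FakeDirectory:
    """Constructed stand-in for ldap.LDAPObject: records the search it received
    and returns canned entries preceded by an AD-style continuation reference."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.last_search = None

    def search_s(self, base, scope, filterstr, attrlist=None):
        self.last_search = (base, scope, filterstr)
        referral = (None, ["ldap://ForestDnsZones.myorg.local/DC=ForestDnsZones,DC=myorg,DC=local"])
        return [referral] + self.entries


# Group DNs from the question; the user entries live elsewhere under the domain.
ZONE_GROUPS = [
    "CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local",
    "CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local",
]

if __name__ == "__main__":
    # Constructed sample entry: a user in OU=people who is a member of zone1.
    directory = FakeDirectory([
        ("CN=jdoe,OU=people,DC=myorg,DC=local",
         {"sAMAccountName": [b"jdoe"], "memberOf": [ZONE_GROUPS[0].encode()]}),
    ])
    print(build_user_filter("x)(objectClass=*", ZONE_GROUPS))  # injection attempt, neutralised
    print(find_user(directory, "DC=myorg,DC=local", "jdoe", ZONE_GROUPS))
```

To run it against a real domain controller, replace `FakeDirectory` with `ldap.initialize("ldaps://dc.myorg.local")` after a `simple_bind_s` with a service account, and keep the base at the domain root so that every user the groups reference is within scope.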
