ldapsearch for Active Directory search - search

I have a lot of AD groups which start with ad-grp-<something>-something.
I want to run the ldapsearch command to pull the members of the group; all I need is the member id, not the full name.
ldapsearch -xLLL -b "DC=myteam,DC=com" -D user#myteam -h my-host.myteam.com -w Abcd123 "(&(objectClass=group)(memberOf=CN=ad-grp-*,OU=PermissionGroups,OU=Groups,DC=myteam,DC=com))"
With this I get the full name of the member, but I am looking to get the member id of that user.
Can you help me?
Or share if there is any other easy way?

You cannot use wildcards on any attributes that have a distinguishedName in the value, like memberOf. So you will have to first search for the groups: (&(objectClass=group)(cn=ad-grp-*))
If you're sure the membership list of each group is less than 1500, then you can use the member attribute from the search. But if some of those groups have more than 1500 members, it gets more complicated to find them all (it only gives you 1500 at a time).
If some of them might be large groups, then you can take the full distinguishedName for each of the groups (from the search results) and construct a new query to find the members of each one. Something like this:
(&(objectCategory=person)(objectClass=user)(|(memberOf=CN=ad-grp-1,OU=PermissionGroups,OU=Groups,DC=myteam,DC=com)(memberOf=CN=ad-grp-2,OU=PermissionGroups,OU=Groups,DC=myteam,DC=com)))
That shows only two groups (ad-grp-1 and ad-grp-2). Add all of them to the query.
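The two-step approach in the answer above (find the groups by cn prefix, then OR their full DNs into one memberOf filter) and the 1500-value limit on the member attribute, as an added example that is not part of the original thread. It assumes the base DN, host and group names from the question; the LDIF text is constructed here to stand in for ldapsearch -LLL output, and the helper names are mine.

```python
"""Two-step AD group membership lookup built around ldapsearch output."""
import base64
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

BASE_DN = "DC=myteam,DC=com"          # base DN from the question
LDAP_HOST = "my-host.myteam.com"      # host from the question

# RFC 4515 escaping for values placed inside a search filter. A DN read back
# from the directory may contain '(' ')' '*' or '\', and an unescaped value
# would change the meaning of the filter we build from it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def group_search_filter(prefix: str = "ad-grp-") -> str:
    """Step 1: wildcards work on cn, so find the groups by name prefix."""
    return f"(&(objectClass=group)(cn={escape_filter_value(prefix)}*))"

def member_search_filter(group_dns: Iterable[str]) -> str:
    """Step 2: one OR clause per group DN returned by step 1 (no wildcards on memberOf)."""
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectCategory=person)(objectClass=user)(|{clauses}))"

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch -LLL output into a list of {attribute: [values]} dicts.
    Handles folded continuation lines, multi-valued attributes and '::' base64 values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

RANGE_ATTR = re.compile(r"^member;range=(\d+)-(\d+|\*)$")

def members_from_group_entry(entry: Dict[str, List[str]]) -> Tuple[List[str], bool]:
    """Return (member DNs, complete?) for one group entry. AD hands back at most
    1500 values per request: a large group arrives as member;range=0-1499 instead
    of a plain member attribute, and only the final slice ends in '*'."""
    if "member" in entry:
        return entry["member"], True
    for attr, values in entry.items():
        m = RANGE_ATTR.match(attr)
        if m:
            return values, m.group(2) == "*"
    return [], True

def member_ids(user_ldif: str) -> List[str]:
    """The id the question asked for: sAMAccountName of each user entry."""
    return [v for e in parse_ldif(user_ldif) for v in e.get("sAMAccountName", [])]

def run_ldapsearch(search_filter: str, attrs: List[str]) -> str:
    """Invoke ldapsearch with the bind options from the question (-W prompts for the
    password instead of putting it on the command line). Not executed in the samples."""
    cmd = ["ldapsearch", "-xLLL", "-b", BASE_DN, "-D", "user#myteam", "-h", LDAP_HOST,
           "-W", search_filter, *attrs]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample of step 1 output: a small group and one that hit the 1500 limit.
SAMPLE_GROUP_LDIF = """\
dn: CN=ad-grp-1,OU=PermissionGroups,OU=Groups,DC=myteam,DC=com
cn: ad-grp-1
member: CN=Jane Doe,OU=Users,DC=myteam,DC=com
member: CN=John Roe,OU=Users,DC=myteam,DC=com

dn: CN=ad-grp-2,OU=PermissionGroups,OU=Groups,DC=myteam,DC=com
cn: ad-grp-2
member;range=0-1499: CN=User One,OU=Users,DC=myteam,DC=com
member;range=0-1499: CN=User Two,OU=Users,DC=myteam,DC=com
"""

# Constructed sample of step 2 output when sAMAccountName is requested.
SAMPLE_USER_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=myteam,DC=com
sAMAccountName: jdoe

dn: CN=John Roe,OU=Users,DC=myteam,DC=com
sAMAccountName: jroe
"""

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_GROUP_LDIF)
    for g in groups:
        members, complete = members_from_group_entry(g)
        print(g["cn"][0], len(members), "members", "" if complete else "(truncated, range retrieval needed)")
    print(member_search_filter(g["dn"][0] for g in groups))
    print(member_ids(SAMPLE_USER_LDIF))
```

In practice the flow is `run_ldapsearch(group_search_filter(), ["dn", "member"])`, feed the text to `parse_ldif`, then `run_ldapsearch(member_search_filter(dns), ["sAMAccountName"])` and `member_ids` on the result; the `complete` flag tells you which groups need a follow-up request with the next `member;range=1500-*` slice.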

Related

AzureAD Graph API - Getting the delta of users in a group

We are using the MS Graph API and would like to check the changes of users in a certain group. Currently we get the users via this query:
https://graph.microsoft.com/v1.0/groups/group-id/members
This is how we retrieved the delta of the group:
https://graph.microsoft.com/v1.0/groups/delta?$filter=id eq 'GroupId'&$select=members
Now my question would be if there is a way to relate this delta only to users in this group.
I can see a result when I add or delete a user from the group, but I need a result even if the name, street or something else gets changed.
I would be very grateful for any feedback.
Kind regards
There are limited supported resources to query delta, which include groups, users etc., but not particularly for the members and their properties of one such group.
I tried to query for members this way and got an unsupported error:
https://graph.microsoft.com/v1.0/groups/xxxxxxxx/members/delta?$select=displayName,jobTitle,mobilePhone
But you may retrieve members of all groups whose membership changes, such as when users are added or removed (updated), as you know.
I've tried this way with the prefer: return=minimal header to return only the object properties that have changed since the last round, and got removed and updated users, but the properties that changed are not listed. We may need to copy the user Id that changed and query for that using user delta.
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxx-xxxxa-xxxxx52eb'&$select=members+&$select=displayName
(or)
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxx2-xxxxxxxxeb'&$expand=members
To filter separately for other properties like jobTitle, it's not valid:
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxxxxxxxxxx2-xxx'&$expand=members+&$select=displayName,jobTitle,mobilePhone
You can raise a Support request for the same.
References:
delta-query-groups | Microsoft Docs
supported-resources
microsoft-graph-issues
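The workaround the answer describes (track membership from groups/delta, then take the changed user ids to users/delta with Prefer: return=minimal) as an added example that is not part of the question or answer. The JSON pages are constructed stand-ins for Graph responses, the ids and delta token are placeholders, and the HTTP calls are left to the caller.

```python
"""Relate a Microsoft Graph group delta to property changes of its members."""
import json
from typing import Dict, Optional, Set

def apply_group_delta(page: str, members: Set[str]) -> Set[str]:
    """Update the tracked member set from one groups/delta page.
    Added members appear as plain entries under members@delta, removed ones carry
    an @removed annotation. Returns the ids touched by this page."""
    touched: Set[str] = set()
    for group in json.loads(page).get("value", []):
        for m in group.get("members@delta", []):
            touched.add(m["id"])
            if "@removed" in m:
                members.discard(m["id"])
            else:
                members.add(m["id"])
    return touched

def changed_properties_for_members(user_delta_page: str, members: Set[str]) -> Dict[str, Dict[str, str]]:
    """From a users/delta page requested with Prefer: return=minimal, keep only the
    users that are currently tracked group members and report what changed."""
    out: Dict[str, Dict[str, str]] = {}
    for user in json.loads(user_delta_page).get("value", []):
        uid = user.get("id")
        if uid not in members or "@removed" in user:
            continue
        props = {k: v for k, v in user.items() if k != "id" and not k.startswith("@")}
        if props:
            out[uid] = props
    return out

def next_link(page: str) -> Optional[str]:
    """nextLink while paging, deltaLink once the round is complete (store it for the next round)."""
    body = json.loads(page)
    return body.get("@odata.nextLink") or body.get("@odata.deltaLink")

# Constructed page from GET /v1.0/groups/delta?$filter=id eq '<group id>'&$select=members:
# one member added, one removed; edits to user properties never show up here.
GROUP_DELTA_PAGE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=DELTATOKEN-PLACEHOLDER",
    "value": [{
        "id": "00000000-0000-0000-0000-00000000aaaa",
        "members@delta": [
            {"@odata.type": "#microsoft.graph.user", "id": "11111111-1111-1111-1111-111111111111"},
            {"@odata.type": "#microsoft.graph.user", "id": "22222222-2222-2222-2222-222222222222",
             "@removed": {"reason": "deleted"}},
        ],
    }],
})

# Constructed page from GET /v1.0/users/delta with Prefer: return=minimal: only the
# properties that changed come back, for every user in the tenant, not just the group.
USER_DELTA_PAGE = json.dumps({
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/users/delta?$deltatoken=DELTATOKEN-PLACEHOLDER",
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "jobTitle": "Analyst"},
        {"id": "33333333-3333-3333-3333-333333333333", "mobilePhone": "+1 555 0100"},
    ],
})

if __name__ == "__main__":
    tracked: Set[str] = set()
    apply_group_delta(GROUP_DELTA_PAGE, tracked)
    print("members now:", sorted(tracked))
    print("changed:", changed_properties_for_members(USER_DELTA_PAGE, tracked))
```

The member set has to persist between rounds (a file or database) because groups/delta only reports the differences since the stored deltaLink; the users/delta round is what surfaces the name or street changes the question asks about, and the join against the tracked set discards the other users in the tenant.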

id like command to See group information

Before adding any group by using the groupadd command, I want to see whether the group exists or not. That's why I want to know whether there is any command like the id command to see group information in Linux.
I am able to see the group information in /etc/group or by giving the command
$ getent group groupname
But I am looking for an easy command like id to see whether a group exists or not.

Where & How is user group information stored in Ubuntu?

Mirror Question: https://unix.stackexchange.com/questions/217300/where-how-is-user-group-information-stored-in-ubuntu. (I'll remove one of them after I got the answer)
Two places possible: /etc/group and /etc/passwd.
If I use command: adduser [username] [groupname], then the user would be added to the group, and the file /etc/group would then be updated.
However, the file /etc/passwd is not updated. If I check which groups I belong to, via the groups command, I can only see groups stated in the passwd file. Therefore, the user is not added to the group based on this result.
I'm confused.
What's the meaning of storing group info in /etc/passwd and /etc/group respectively?
Why does adduser only update the group file?
How do I add a group to the passwd file via a command?
Why does groups return group info from passwd file, but not group file?
Thanks.
In these traditional text files (there are other ways, e.g. LDAP), your primary group goes to /etc/passwd (it's e.g. used for permissions of files you create), all additional groups go to /etc/group.
See 1.
That's impossible, but you can change a primary group with usermod -g
That's a misinterpretation, groups shows all groups. But a new group is only picked up when you start a new session (new login). You can use the newgrp command, that starts a session with the given group name as your primary group (you must be member of this group) -- as a side effect, it will consult the user database and update your groups list.

Wondering how I might be able to debug this ACL issue

I'm adding security around some buttons in an app I built long ago. The way I implemented this security feature is that I created a role in the database's ACL. I do a check in the button's hide-when formula and expose the button if the role is there. That role is assigned to a security group in the Domino Directory. That security group contains a collection of other groups. These secondary groups contain people's names. Those names are retrieved from a Postgres database -- I have a LotusScript agent that pulls the names from that database. The problem I'm seeing is that even though a name is in the secondary group, Notes doesn't recognize it. Here's an example. This user is in these groups:
however, he should also be in all of these:
How can I debug where the problem is?
thanks
clem
I think the problem is that for one group in particular, there are 2 copies of the group document. I didn't see that because in the main group view it doesn't show up. But when I was in the process of assigning a child group to a parent group, I could see the duplicate listed. I suspect this is the source of the problem. Will confirm.
thanks
clem
Make sure the members of the secondary groups contain names in fully qualified format that matches the first entry of their FullName in the person document. E.g. "John Smith" should be "CN=John Smith/O=LabWare" or something like that.
You can see what groups and roles the system recognizes a user in by double clicking on the security icon on the status bar in the Notes Client (bottom 3rd from the right) after you have opened the database.

Linux command 'getent group' not returning users for some groups?

I am using the getent group command to get the groups along with their usernames in Linux. But it is not showing any usernames for some groups which I know exist.
I need this info; is there any other way around?
Picking up the first two results:
root:x:0:
bin:x:1:bin,daemon
As you can see there are no users for group root and 2 users in the bin group. I know that the root group contains the user root but it's not showing it here.
What you are missing is that each user has a primary group, which is stored in /etc/passwd (usually in field 4), and may have one or more supplementary groups. Only the supplementary group associations are in /etc/group, and as a result, are the only ones that getent group will show. In order to get the entire list of groups for a particular user, you can use id -a <user>, but you'll have to iterate that over the list of users to get your full information dump...
Can you please run:
getent group|diff /etc/group -
and show us the difference in its output,
since I have run this and I see no difference; they're both exactly the same.
getent will only return the master group name and not the sub groups a user belongs to:
getent group adm
adm:x:4:me,logcheck
To get any instances of adm within getent try:
getent group|grep adm
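The primary-versus-supplementary split explained in the answers above (the Ubuntu question, and the getent group question here), plus the "does this group exist" check from the id-like command question, as one added example that is not part of any of the posts. The /etc/passwd and /etc/group text is constructed to mirror the lines quoted in the thread; the function names are mine, and the live variant assumes a Unix host with the standard pwd and grp modules.

```python
"""Merge /etc/passwd primary groups with /etc/group supplementary members."""
from typing import Dict, List, Tuple

try:                      # pwd/grp exist only on Unix-like platforms
    import grp
    import pwd
except ImportError:       # pragma: no cover
    grp = pwd = None

def parse_passwd(text: str) -> Dict[str, int]:
    """name -> primary gid (field 4 of /etc/passwd)."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        out[fields[0]] = int(fields[3])
    return out

def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """name -> (gid, supplementary members listed in field 4 of /etc/group)."""
    out: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        members = fields[3].split(",") if fields[3] else []   # "root:x:0:" has none
        out[fields[0]] = (int(fields[2]), members)
    return out

def full_membership(passwd_text: str, group_text: str) -> Dict[str, List[str]]:
    """Every group with all its users: supplementary ones from /etc/group plus
    each user whose primary gid points at the group. This is the view that
    'getent group' alone cannot give, because primary membership is not stored there."""
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    result = {name: set(members) for name, (_, members) in groups.items()}
    for user, gid in parse_passwd(passwd_text).items():
        gname = by_gid.get(gid)
        if gname is not None:
            result[gname].add(user)
    return {name: sorted(m) for name, m in result.items()}

def group_exists(name: str, group_text: str) -> bool:
    """The id-like existence check: true when the group name is defined."""
    return name in parse_group(group_text)

def groups_of(user: str, passwd_text: str, group_text: str) -> List[str]:
    """What 'id -a <user>' would report: primary and supplementary groups together."""
    return sorted(g for g, m in full_membership(passwd_text, group_text).items() if user in m)

def live_membership() -> Dict[str, List[str]]:
    """Same merge against the running system through NSS (pwd/grp), so LDAP or SSSD
    accounts that never appear in the flat files are included as well."""
    by_gid = {g.gr_gid: g.gr_name for g in grp.getgrall()}
    result = {g.gr_name: set(g.gr_mem) for g in grp.getgrall()}
    for p in pwd.getpwall():
        gname = by_gid.get(p.pw_gid)
        if gname is not None:
            result[gname].add(p.pw_name)
    return {name: sorted(m) for name, m in result.items()}

# Constructed files modelled on the lines quoted in the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
me:x:1000:1000:Me:/home/me:/bin/bash
"""
GROUP = """\
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:
adm:x:4:me,logcheck
me:x:1000:
"""

if __name__ == "__main__":
    for name, members in full_membership(PASSWD, GROUP).items():
        print(f"{name}: {','.join(members)}")
    print("adm exists:", group_exists("adm", GROUP), "| groups of me:", groups_of("me", PASSWD, GROUP))
```

Run against the constructed files, the root group gains its user root (primary gid 0) even though the /etc/group line ends in an empty member field, which is exactly the discrepancy the question noticed; on a real host use `live_membership()` so that NSS sources beyond the flat files are consulted, the same reason `getent group` is preferred over reading /etc/group directly.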
