Cisco Support Community

Cisco Employee

How to verify user LDAP group membership

Hi,

We are attempting to determine if a user is a member of a specific LDAP group in our directory; if the user is a member it should return TRUE, else FALSE (this is done by defining the LDAP attribute 'CN' (property), which returns a result 'CN=<UserName>' or returns 'getting 0 entries'). The query we have is

(&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).

Any pointers on how to do this?

Thank you.

5 REPLIES
Cisco Employee

Are you using MS AD or general LDAP?

Can you make CLI/PowerShell calls or REST calls into it?

I would wager it could be done a handful of different ways, but we'd need to see more detail to advise.

 

--shaun

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead
Cisco Employee

Hi Shaun,

  I am using MS AD activity currently. I am passing the above query in the LDAP path parameter field and "cn" in the property parameter field.

 

I can use PowerShell/REST calls if you can suggest some.

 

Thanks,

Swati

Cisco Employee

You could do a couple of things...

 

1) Install dsquery (add remote AD tools to your box) and run something like

dsquery group -u <user name>

Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.

 

2) Use PowerShell functions and PowerShell capability to check for group membership, something like this:

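# Output the memberOf entries of the object at $DN that match $group
# ($group is treated as a regular expression by -match)
function Get-GroupMembership($DN,$group){
    $objEntry = [adsi]("LDAP://"+$DN)
    $objEntry.memberOf | where { $_ -match $group}
}

# EXAMPLE CALL

Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"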

 

Then you can regex through the output for the "True" or "False" word and run with that.

 

Either should get you what you want.

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead
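
An added example, not part of the original posts: one way to get a plain TRUE/FALSE from the filter in the question, with the user name and group DN escaped per RFC 4515 so that input containing `*`, `(`, `)` or `\` cannot alter the filter. The function names are hypothetical; the sketch assumes a domain-joined host, a lookup by login name (sAMAccountName) rather than cn, and Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) for nested groups.

```powershell
# Added example (hypothetical helper names, not from the thread).

# Escape a value for use inside an LDAP search filter (RFC 4515):
# \ * ( ) and NUL become \5c \2a \28 \29 \00.
function ConvertTo-LdapFilterValue([string]$Value) {
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

# Build the membership filter; pure string logic, no directory access.
function Get-MembershipFilter {
    param(
        [Parameter(Mandatory)][string]$UserName,  # login name (sAMAccountName)
        [Parameter(Mandatory)][string]$GroupDN,   # full DN of the group
        [switch]$Nested                           # follow group-in-group chains
    )
    $user  = ConvertTo-LdapFilterValue $UserName
    $group = ConvertTo-LdapFilterValue $GroupDN
    # The OID below is AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match.
    $attr = if ($Nested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user)($attr=$group))"
}

# Return $true if the search finds the user with that membership, else $false.
function Test-AdGroupMembership {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$GroupDN,
        [switch]$Nested
    )
    # With no SearchRoot set, the searcher binds to the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    try {
        $searcher.Filter = Get-MembershipFilter @PSBoundParameters
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        return ($null -ne $searcher.FindOne())   # FindOne() is $null on 0 entries
    }
    finally {
        $searcher.Dispose()
    }
}

# Constructed sample call; replace the placeholder DN with the real group DN.
# Test-AdGroupMembership -UserName 'swaupadh' -GroupDN 'CN=<groupname>,DC=domain,DC=com' -Nested
```

memberOf does not list a user's primary group (usually Domain Users), so a check against that group returns $false with either filter form.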
Cisco Employee

Thank you Shaun, it worked like magic:)
