I am developing an application that imports users and groups from Active Directory.
Base: CN=ivan ivanov,CN=Users,DC=perimetrix,DC=ru, Filter: (&(objectCategory=user)(objectClass=user)(userPrincipalName=*))
The Domain Users default group is not imported. However, if a user is in 2 or more groups on a domain controller, then the default group the user belongs to is imported correctly.
If the user is only in the default group, then it is not imported.
How to import a default group?
The primary group is a bit different. It doesn't use the member attribute like normal group membership. The primaryGroupId attribute of the user contains the RID of the group (the RID is the last portion of the SID, after the last dash). In most cases, that is 513, the RID of the built-in Domain Users group.
You will have to show your code so we can see what you mean by "imported". It might be a quirk of the specific implementation you are using that isn't checking the primary group all the time.
I did write an article where I showed how to get a user's primary group. It's written in C#, but the principle is the same regardless of the language.
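As an added illustration of the answer above (not the answerer's article code), the following Python decodes AD's binary objectSid, takes the RID from its last sub-authority, and derives the primary group's SID and a search filter for it from the user's SID plus primaryGroupID. The SID value and the group RID 513 are constructed sample values.

```python
import struct

def decode_sid(raw: bytes) -> str:
    """Turn the binary objectSid AD returns into its S-1-5-21-... text form."""
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit sub-authorities, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid: text SID back to the binary form AD stores."""
    parts = sid.split("-")                             # ['S', revision, authority, sub, ...]
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rid(sid: str) -> int:
    """The RID is the last sub-authority, i.e. everything after the final dash."""
    return int(sid.rsplit("-", 1)[1])

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is only a RID; prefixing the user's domain SID gives the group's SID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """Search filter that finds the primary group object by objectSid, with the
    binary value byte-escaped as RFC 4515 requires."""
    raw = encode_sid(primary_group_sid(user_sid, primary_group_id))
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in raw)

# Constructed sample values (not from any real directory): a user SID and the
# default primaryGroupID 513, the RID of Domain Users.
SAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1000"
SAMPLE_PRIMARY_GROUP_ID = 513

if __name__ == "__main__":
    print("user RID:", rid(SAMPLE_USER_SID))
    print("primary group SID:", primary_group_sid(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID))
    print("filter:", primary_group_filter(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID))
```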
Starting point:
I have a WebSphere with federated security (there is an Active Directory behind it).
I am trying to fetch a VMM user uid by his/her email address, but I don't know how its VMM (schema) attributes are mapped to the AD (schema) attributes of the underlying Active Directory entity (person, organizationalPerson objectClass, mail attribute).
(By describing it in a different way: If one has a look at the WAS console, in "Users and Groups" -> "Manage Users" there is a table with an E-Mail column, so it is somehow mapped.
But, by clicking on the ("Global Security" -> "(federated repositories) configure button" -> (there is a table, you can select the)) LDAP1 row, and checking the table in "Federated repositories property names to LDAP attributes mapping", I don't find how the 'E-Mail' column has been mapped to the AD attribute. Maybe there is an implicit mapping?)
So, the starting question is this:
How to find this on the WAS console? Or, maybe via wsadmin (scripts)?
So, because of this, I tried to move forward and now I would try to find it using the VMM API, but I don't find in the official documentation the answer to the second question:
Is it possible to fetch somehow the assigned / available attributes of a WebSphere VMM entity (Virtual member manager)?
There are a lot of examples about how to fetch the attributes when you know their name, but there is nothing about this...
Yes, I know that this is a bit of an XY problem, but please guide me a bit.
Many thanks in advance.
To provide some code sample too, I am trying to fetch the user's uid by using the following code:
import java.util.List;

import com.ibm.websphere.wim.SchemaConstants;
import com.ibm.websphere.wim.Service;
import com.ibm.websphere.wim.client.LocalServiceProvider;
import com.ibm.websphere.wim.util.SDOHelper;
import commonj.sdo.DataObject;

public String testFetch(String email) throws Exception
{
    String returnAttr = "uid";
    // here in the search expression what should I write instead of 'mail'?
    String vmmSearchExpr = String.format("@xsi:type='PersonAccount' and mail='%s'", email);
    DataObject root = SDOHelper.createRootDataObject();
    DataObject searchCtrl = SDOHelper.createControlDataObject(root, null, SchemaConstants.DO_SEARCH_CONTROL);
    searchCtrl.setString(SchemaConstants.PROP_SEARCH_EXPRESSION, vmmSearchExpr);
    @SuppressWarnings("unchecked")
    List<String> props = searchCtrl.getList(SchemaConstants.PROP_PROPERTIES);
    props.add(returnAttr);   // ask VMM to return only the uid property
    Service service = new LocalServiceProvider(null);
    DataObject searchRoot = service.search(root);
    String result = "";
    List<?> entities = searchRoot.getList(SchemaConstants.DO_ENTITIES);
    if (entities.size() > 1) throw new RuntimeException("multiple users for an identity:" + vmmSearchExpr);
    if (entities.size() > 0)
    {
        DataObject objdo = (DataObject) entities.get(0);
        result = objdo.getString(returnAttr);
    } else {
        log("Got empty list. There is no result.");
    }
    return result;
}
A possible solution is to add a new federated repository supported property (Name: mail, Property name: mail, Entity types: PersonAccount):
After a WAS restart I was able to use the search expression
@xsi:type='PersonAccount' and mail='<email address>'
and the code above to fetch the corresponding uid to the given email address.
It seems there is some info in the c:\IBM\WebSphere\AppServer\etc\wim\setup\wimdbproperties.xml, as if the "ibm-primaryEmail" would be the property that contains the email address, albeit I was not able to find my uid when I specified this instead of the "mail" attribute name.
This filterString gets all AD users from a specific AD group, I need to change this to get ALL users from ALL groups in my organization. I have read through dozens of similar questions and changed this string around several times and cannot find the solution.
String filterString = "(&(objectCategory=user)(memberOf=cn=" + this.ldapUserSearch + ",ou=Groups,OU=Organization,dc=organizationsoftware,dc=com))";
You can try the following filter, which includes an attribute presence clause:
(&(objectCategory=user)(memberOf=*))
This will return every user whose memberOf attribute is set to any value. This should have the effect of retrieving all users from all groups.
I need to find the memberOf groups of a given user inside the Domain Users group in Microsoft Active Directory using Java. My AD structure is below.
reg1.subdomain.domain.com
-Users (Type - Container)
- Domain Users (Type - Security Group Global)
I wrote the below code. But I was unable to query the users inside Domain Users group.
import java.util.ArrayList;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public static String ldapUri = "ldap://ldapuri.com:389";
public static String usersContainer = "CN=users,DC=reg1,DC=subdomain,DC=domain,DC=com";

public ArrayList<String> getUserGroups(String username, String password) {
    ArrayList<String> list = new ArrayList<String>();   // group names found for the user
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUri);
    env.put(Context.SECURITY_PRINCIPAL, username);
    env.put(Context.SECURITY_CREDENTIALS, password);
    try {
        DirContext ctx = new InitialDirContext(env);
        SearchControls ctls = new SearchControls();
        String[] attrIDs = { "memberOf" };
        ctls.setReturningAttributes(attrIDs);
        ctls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        NamingEnumeration<SearchResult> answer = ctx.search(usersContainer,
                "(&(objectCategory=group)(cn=Domain Users)(sAMAccountName=username))", ctls);
        while (answer.hasMore()) {
            SearchResult rslt = answer.next();
            Attributes attrs = rslt.getAttributes();
            try {
                String groups = attrs.get("memberOf").toString();   // "memberOf: CN=...,..."
                String[] groupname = groups.split(":");
                System.out.println(groupname[1]);
                list.add(groupname[1]);
            } catch (Exception e) {
                System.out.println("no members");
            }
        }
        ctx.close();
    } catch (NamingException e) {
        e.printStackTrace();
    }
    return list;
}
Can someone please point out what's wrong with the filter query I have added?
The Domain Users group is a Global Security Group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
Most methods do not reveal membership in the "primary" group. For most users, the "primary" group would be "Domain Users". Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals "primary" group membership. In most domains, the member attribute of the "Domain Users" group is empty, and it is safe to assume that all users belong to this group.
Domain Users LDAP query example: for all users that have "Domain Users" designated as their "primary" group, search for all users whose primaryGroupID attribute is 513 (by default). The primaryGroupID attribute of the group "Domain Users" is the same integer, 513. The LDAP search filter could be:
(primaryGroupID=513)
This ASSUMES you have not changed the Defaults and not created any users which have a primaryGroupID that is NOT 513.
For users within the "Domain Users" group JUST use (primaryGroupID=513) and the baseDN where the users are (CN=Users by default) which will return the DN of the users.
Then to get ALL the groups that these Users are a memberOf you will need to loop through the results using the DN in another query similar to:
(member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))
As shown in "All Groups a User is a member of including Nested Groups".
Oh and normally, the users within CN=Users will also USUALLY be the same as the members within the pseudo-group "Domain Users".
Assuming the base usersContainer is set correctly, you just need to change the filter as follows:
Searching for a user entry, you need to fix objectCategory to filter users - not groups. You may also use an equivalent like objectClass=inetOrgPerson.
Unless the user entry you are searching for actually really has the attribute cn=Domain Users (which is rather unlikely as a user's common name), you don't need this part.
So the following should be sufficient:
ctx.search(usersContainer, "(&(objectCategory=person)(sAMAccountName=username))", ctls);
To match specific user group membership(s) you would just add filter(s) on the memberOf attribute (returns the matching user entry only if the user is memberOf the given group), e.g.:
(&(objectCategory=person)(sAMAccountName=username)(memberOf=<groupDN>))
Note, as @jwilleke stated, that if you target special groups that don't maintain membership attributes (group:member/user:memberOf), you need to use primaryGroupID instead of memberOf.
That said, since sAMAccountName is unique among all security principal objects within the domain, instead of adding a filter you may just need to use UserPrincipalName:
(&(objectCategory=person)(UserPrincipalName=username@domain.com))
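The filters in the two answers above are built by string concatenation, as is the filterString earlier on this page, so a username or DN containing `(`, `)`, `*` or `\` changes the filter's meaning instead of being matched literally. As an added Python example (not from any answer on the page) the helpers below escape the value per RFC 4515 and assemble the sAMAccountName, memberOf-plus-primaryGroupID and nested-group (LDAP_MATCHING_RULE_IN_CHAIN) filters; in the chain filter the DN is the assertion value itself, so it is escaped rather than wrapped in its own parentheses. The DNs and usernames are constructed samples.

```python
from typing import Optional

def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter (RFC 4515),
    so that it is always matched literally and cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def user_by_sam(sam_account_name: str) -> str:
    """One user by sAMAccountName, the corrected filter form from the answer above."""
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)

def users_in_group(group_dn: str, primary_rid: Optional[int] = None) -> str:
    """All users of a group. memberOf never lists a user's primary group, so the
    group's RID (513 for Domain Users) is OR-ed in via primaryGroupID when given."""
    member = "(memberOf=%s)" % escape_filter_value(group_dn)
    if primary_rid is not None:
        member = "(|%s(primaryGroupID=%d))" % (member, primary_rid)
    return "(&(objectCategory=person)%s)" % member

def groups_of_user_nested(user_dn: str) -> str:
    """Every group a user belongs to, nested ones included, using the AD
    LDAP_MATCHING_RULE_IN_CHAIN rule. The DN is the assertion value."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)

# Constructed sample inputs, including a DN with an escaped comma and a
# username that contains filter metacharacters.
SAMPLE_DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
SAMPLE_USER_DN = "CN=Doe\\, Jane,CN=Users,DC=example,DC=com"
SAMPLE_ODD_SAM = "jdoe)(objectClass=*"

if __name__ == "__main__":
    print(user_by_sam("jdoe"))
    print(user_by_sam(SAMPLE_ODD_SAM))
    print(users_in_group(SAMPLE_DOMAIN_USERS_DN, primary_rid=513))
    print(groups_of_user_nested(SAMPLE_USER_DN))
```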
The given code snippet above is correct except for the search scope I specified. I was not able to search the users inside the Domain Users group from the Users container because I had not told it to search subdirectories. By adding the search scope,
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
it was able to successfully retrieve the users.
I'm trying to get all users of a specific user group. I'm doing this in Java; I can connect to LDAP and get results from different queries. However, I've searched to find a solution, but as far as I can tell the LDAP of my workplace is structured differently from what seems normal.
dn of users:
ou=Users,O=MYCOMPANY.COM
dn of the user group:
cn=Admin,ou=Profiles,ou=MYAPP,ou=Applirights,O=MYCOMPANY.COM
For the user group, cn is the privilege level / group name (Admin) and the name of the application is in an organisational unit. With this structure, how would I query for all users in this specific group?
I tried:
NamingEnumeration<?> namingEnum = ctx.search("ou=Users,O=MYCOMPANY.COM", "(cn=Admin,ou=Profiles,ou=MYAPP,ou=Applirights,O=MYCOMPANY.COM)", searchControls);
However what attributes would need to be in search controls? I use uid which is the users login name.
I also tried what's outlined here:
(&(objectCategory=user)(memberOf=cn=Admin,ou=MYAPP,ou=Applirights,O=MYCOMPANY.COM))
Nothing works and with that, I mean I get 0 results but no error. How can I achieve this with the given organisation of ldap?
Groups have something called memberOf:
So try this:
search -s sub -b "DC=whatever,DC=mydomain,DC=com" "(&(objectCategory=user)(memberOf=CN=GROUP,DC=whatever,DC=mydomain,DC=com))"
you fill in whatever mydomain and GROUP above ^
What attributes would need to be in search controls?
The attributes listed in searchControls are the ones you want returned. The one containing the group members. Depending on what objectClass the group object is, it might be:
uniqueMember for groupOfUniqueNames
roleOccupant for organizationalRole
and so forth.
I am new to Sun Java System Messaging Server 6.3. I am managing my e-mail users and groups via ldapbrowser version 2.8.2.
I want to exclude a particular user from the people group.
I found the below string in people group's configuration:
memberURL: ldap:///o=domain.com,dc=domain,dc=com??sub?(&(Employeenumber=*)(InetUserStatus=active))
The definition of the 'People' group is:
Within ldap:///o=domain.com,dc=domain,dc=com, where the attribute Employeenumber is present (Employeenumber=*), and the attribute InetUserStatus has the value active (InetUserStatus=active).
So, if you want to exclude someone, you need an attribute to match and the value to exclude, construct the LDAP search filter that matches this, and update the filter (&(Employeenumber=*)(InetUserStatus=active)) to correspond to this.
So, if they were Employeenumber 55, then you don't want them in the list, so the condition for this is !(Employeenumber=55), so you need to plug this into the selection condition as:
(&(&(Employeenumber=*)(InetUserStatus=active))(!(Employeenumber=55)))
If you wanted to filter a second user (e.g. Employeenumber 99) as well, then it becomes:
(&(&(&(Employeenumber=*)(InetUserStatus=active))(!(Employeenumber=55)))(!(Employeenumber=99)))
You can see how this will get very complicated very quickly.
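As an added example (not from the answer above), the Python below parses the People group's memberURL (RFC 4516: ldap://host/dn?attrs?scope?filter), appends one (!(attr=value)) clause per excluded user and writes the URL back. Because an LDAP AND takes any number of operands, the exclusions go into one flat (&...) that is equivalent to the nested form shown above and stays readable however many users are excluded. The URL is the one quoted in the question; the employee numbers are constructed samples.

```python
import re

def parse_member_url(url: str) -> dict:
    """Split an LDAP URL into host, base DN, attributes, scope and filter."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?", 3) + [""] * 4          # pad any missing trailing parts
    dn, attrs, scope, flt = fields[:4]
    return {"host": host, "dn": dn, "attrs": attrs, "scope": scope, "filter": flt}

def build_member_url(parts: dict) -> str:
    return "ldap://%s/%s?%s?%s?%s" % (
        parts["host"], parts["dn"], parts["attrs"], parts["scope"], parts["filter"])

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so an excluded value cannot alter the filter's structure."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def exclude_members(url: str, attribute: str, values) -> str:
    """Return the memberURL with (!(attribute=value)) added for every value.
    An existing top-level AND is extended; any other filter becomes its first operand."""
    parts = parse_member_url(url)
    base = parts["filter"]
    if base.startswith("(&") and base.endswith(")"):
        inner = base[2:-1]
    else:
        inner = base
    negations = "".join(
        "(!(%s=%s))" % (attribute, escape_filter_value(str(v))) for v in values)
    parts["filter"] = "(&%s%s)" % (inner, negations)
    return build_member_url(parts)

# The People group's memberURL as quoted in the question above.
SAMPLE_MEMBER_URL = ("ldap:///o=domain.com,dc=domain,dc=com??sub?"
                     "(&(Employeenumber=*)(InetUserStatus=active))")

if __name__ == "__main__":
    # Constructed sample: exclude employees 55 and 99 in one go.
    print(exclude_members(SAMPLE_MEMBER_URL, "Employeenumber", [55, 99]))
```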