memberOf LDAP query failing from linux ldapsearch but works from ldp.exe

  • Last Post 08 December 2015
danj posted this 08 December 2015

Hi all,

I have an AD group membership query which I'm executing from Linux (I am trying to use SSSD on RHEL 6.4 to authenticate users from Active Directory). From the SSSD logs the query is returning zero results, and when I run it from the same RHEL box with ldapsearch it also returns zero results:

ldapsearch -H ldap:// -Y GSSAPI -b "ou=users,ou=dev,dc=mycompany,dc=com" "(&(sAMAccountName=d-test2)(objectclass=user)(memberOf=CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com))"

However run it from ldp.exe on windows using the same query and base and it returns the group members as expected. For the ldapsearch command GSSAPI and all other params are all fine; if I take out the memberOf clause it returns results, so it's just the memberOf bit that is failing.

Anyone know what is going on to cause this difference?

Thanks,
Dan

a-ko posted this 08 December 2015

Try escaping your filter. memberOf=CN=LOC-RHEL-Admins,OU=Security\ Groups,OU=Dev,DC=mycompany,DC=com  


danj posted this 08 December 2015

Filter was OK; it turns out the host principal the query was running as didn't have read permission to the memberOf attribute on users. In fact, Authenticated Users doesn't have this right by default in the schema.



barkills posted this 08 December 2015

Yep. The default ACE that most users get that level of read permission from comes from the ‘Pre-Windows 2000 Compatible Access’ group. Some organizations empty that group, because a default read stance for data like memberOf really doesn’t make much sense, especially as the size of your organization grows.


We require an explicit request for an account to get that level of read access.
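Two points from this thread are easy to verify offline: whether the filter actually needed escaping (a-ko's suggestion), and how to tell a filter problem apart from the real cause (the bind principal not being allowed to read memberOf). The following is an added example, not code from the thread; the DNs and the LDIF samples are constructed to mirror the question, and `diagnose()` assumes you have run the user search without the memberOf clause while requesting the memberOf attribute.

```python
import base64
import re

# Constructed values mirroring the thread (hypothetical directory).
USER_BASE = "ou=users,ou=dev,dc=mycompany,dc=com"
GROUP_DN = "CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.
    Only backslash, '*', '(', ')' and NUL are special; the space in
    'OU=Security Groups' needs no escaping, so the original filter was valid."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_member_filter(sam_account: str, group_dn: str) -> str:
    """Build the thread's membership filter with both values escaped."""
    return "(&(sAMAccountName=%s)(objectclass=user)(memberOf=%s))" % (
        escape_filter_value(sam_account), escape_filter_value(group_dn))

def memberof_values(ldif: str) -> list:
    """Return memberOf values from ldapsearch LDIF output."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF continuation lines start with a space
    values = []
    for line in unfolded.splitlines():
        if line.lower().startswith("memberof:: "):      # base64-encoded value
            values.append(base64.b64decode(line[11:]).decode())
        elif line.lower().startswith("memberof: "):
            values.append(line[10:])
    return values

def diagnose(ldif: str) -> str:
    """Classify LDIF from a search for the user WITHOUT the memberOf clause, e.g.
         ldapsearch -Y GSSAPI -b "<USER_BASE>" "(sAMAccountName=d-test2)" memberOf
    If the entry comes back but memberOf is absent, the bind principal cannot read it,
    which is exactly why the filtered query silently returned zero results."""
    if not re.search(r"^dn: ", ldif, re.M):
        return "user entry not returned: check base DN, sAMAccountName or bind"
    if not memberof_values(ldif):
        return "entry visible but memberOf withheld: bind principal lacks read on memberOf"
    return "memberOf readable: %d value(s)" % len(memberof_values(ldif))

# Constructed LDIF samples: the same entry as returned to a principal without,
# and with, read access to memberOf (the second one shows a folded line).
SAMPLE_WITHOUT_MEMBEROF = (
    "dn: CN=d-test2,OU=Users,OU=Dev,DC=mycompany,DC=com\n"
    "sAMAccountName: d-test2\n")
SAMPLE_WITH_MEMBEROF = SAMPLE_WITHOUT_MEMBEROF + (
    "memberOf: CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=c\n om\n")
```

`escape_filter_value()` is also the right routine to run over any user-supplied value before it is interpolated into a filter, which keeps a `sAMAccountName` such as `*` from turning into a wildcard.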