Reverse Group Lookup - LDAP

  • Question

  • Hi Team,

    I have a query about the difference between LDAP Group Lookup and Reverse Group Lookup.

    Group lookup uses the member attribute and Reverse Group Lookup uses memberOf.

    Reverse Group Lookup allows searching for members instead of groups?

    But I am not able to understand how it works.

    Regards,

    Dhruv Sharma

     

     

    Friday, January 21, 2011 1:03 PM

Answers

  • Hi Dhruv,

    When querying using the member attribute, were you successful? If so, you can substitute memberOf to do the reverse lookup. And keep in mind, a reverse lookup is just querying for members of a group such as this:

    (&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=cn=group3,ou=groups,dc=MYDOM1,dc=LOCAL))

    If you're just asking how it works, it's just an LDAP query querying AD. As long as the query is properly formed, and you're logged on or providing credentials when binding to AD that can access that information (an administrator or similar account), it should work.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, January 22, 2011 10:32 PM

All replies

  • Hi Ace,

    Thank you for the reply. It is always nice to see your reply.. :- )

    What I can understand from your notes and from the TCP dump I collected:

    Normal lookup (member):

     LDAP searchRequest(7) "cn=Group,ou=networks,dc=tanu,dc=com" baseObject

    Cn = group name

    Filter = (member=CN=Username,OU=networks,DC=tanu,DC=com)

    **************************************************

    Reverse Lookup (memberof) search for groups  

    LDAP searchRequest(7) "CN=ram,OU=Networks,DC=tanu,DC=com" baseObject

    Filter = (object class = *)

    *********************************************************

    From the TCP dump it looks like Reverse Lookup is slow, as it will search all the groups and OUs to find the users, since it uses Filter = "*".

    Regards,

     

    Dhruv

     

     

     

    Monday, January 24, 2011 9:43 PM
  • You are correct, the reverse lookup is slow, because it must parse each Member. It is time consuming, especially in a large infrastructure. Probably the better solution would be a group dump, then parse the results file.

    And it's always nice to hear from you and try my best to offer assistance or at least conversation! :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, January 28, 2011 1:45 AM
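
The two requests shown in the capture above and the filter from the accepted answer, modelled as an added Python example (not code from any participant in this thread). The in-memory `DIRECTORY`, the helper names and the naive DN comparison are assumptions made for illustration; the escaping step follows RFC 4515 and matters whenever the DN placed in a filter comes from user input.

```python
# Constructed sample data: a tiny in-memory stand-in for a directory, keyed by DN.
# DNs are compared case-insensitively with a naive comma split (no escaped commas).
def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

USER = "CN=ram,OU=Networks,DC=tanu,DC=com"      # DN taken from the thread
GROUP = "cn=Group,ou=networks,dc=tanu,dc=com"   # DN taken from the thread
DIRECTORY = {
    norm(GROUP): {"objectClass": ["group"], "member": [USER]},
    norm(USER): {"objectClass": ["user"], "memberOf": [GROUP]},
}

def escape_filter_value(value):
    """RFC 4515: escape \\ * ( ) and NUL before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def base_search(base_dn, attr, value=None):
    """Emulate a baseObject search: only the entry at base_dn is examined.
    value=None models a presence filter such as (objectClass=*)."""
    entry = DIRECTORY.get(norm(base_dn))
    if entry is None or attr not in entry:
        return None
    if value is not None and norm(value) not in [norm(v) for v in entry[attr]]:
        return None
    return entry

def group_lookup(user_dn, group_dn):
    """Group lookup: base = group DN, filter (member=<user DN>).
    Answers one question per request: is this user in this group?"""
    return base_search(group_dn, "member", user_dn) is not None

def reverse_lookup(user_dn):
    """Reverse lookup: base = user DN, filter (objectClass=*), read memberOf.
    One request returns every group DN listed on the user entry."""
    entry = base_search(user_dn, "objectClass")
    return entry.get("memberOf", []) if entry else []

def members_filter(group_dn):
    """Filter from the answer above, with the group DN escaped before use."""
    return ("(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))"
            "(memberOf=%s))" % escape_filter_value(group_dn))

if __name__ == "__main__":
    print(group_lookup(USER, GROUP))
    print(reverse_lookup(USER))
    print(members_filter("cn=group3,ou=groups,dc=MYDOM1,dc=LOCAL"))
```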