How to query LDAP group membership with curl?

I would like to use curl on the command line to check if a $USER is a member of the LDAP group $GROUP.

This works:

curl --user "$CREDS" \
     "ldaps://ldap.foo.com/DC=ads,DC=foo,DC=com??sub?(sAMAccountName=$USER)" \
   | grep -a "memberOf: CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com"

Unfortunately, that call takes quite some time and it returns a lot of info that I am not interested in. Do you know if a more efficient way exists?

Lars Schneider asked Jun 14 '17 13:06


1 Answer

You could try :

curl --user $CREDS \
     "ldaps://ldap.foo.com/DC=ads,DC=foo,DC=com?memberOf?sub?(&(sAMAccountName=$USER)(memberOf=CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com))"

Which will

  • For the filter : retrieve only users who have sAMAccountName=$USER AND memberOf=CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com (this makes the filtering happen server side rather than with your grep command over all of the user's attributes)

  • For the memberOf addition (before the ?sub) specify that you want only the memberOf attribute to be retrieved.

    If the filter change did the trick, try to retrieve just the dn, for example, to limit the output, because if no attribute is specified, all attributes are returned

For more information : https://docs.oracle.com/cd/E19396-01/817-7616/ldurl.html

Esteban answered Nov 07 '22 12:11
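As an added example (not part of the question or the answer above): a small shell wrapper around the answer's server-side query that escapes `$USER` and the group DN before they are placed in the filter (RFC 4515), and requests `1.1` (the RFC 4511 "no attributes" selector) so only the matching entry's DN comes back. The host, base DN and group OU are the page's placeholders, and `$CREDS` is assumed to be set as in the question.

```shell
#!/bin/sh
# Added example, not code from the page. Host, base DN and the group OU
# are the placeholders used in the question and answer.
LDAP_HOST="ldap.foo.com"
BASE_DN="DC=ads,DC=foo,DC=com"
GROUP_OU="OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com"

# RFC 4515 filter escaping: a value inserted into (attr=value) must not be
# able to close the assertion or introduce a wildcard. Backslash goes first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Group DN as the answer writes it: CN=<group>,<GROUP_OU>. Plain group
# names are assumed (RFC 4514 DN escaping of the CN is not handled here).
group_dn() {
    printf 'CN=%s,%s' "$1" "$GROUP_OU"
}

# RFC 4516 URL: scheme://host/base?attrs?scope?filter. "1.1" in the attrs
# position asks the server for no attributes, so only the DN is returned.
membership_url() {
    user=$(ldap_filter_escape "$1")
    grp=$(ldap_filter_escape "$(group_dn "$2")")
    printf 'ldaps://%s/%s?1.1?sub?(&(sAMAccountName=%s)(memberOf=%s))' \
        "$LDAP_HOST" "$BASE_DN" "$user" "$grp"
}

# curl prints one "DN: <entry dn>" line per matching entry, so a DN line
# means the user is a member. Exit: 0 member, 1 not a member, 2 query failed.
is_member() {
    out=$(curl --silent --show-error --user "$CREDS" \
              "$(membership_url "$1" "$2")") || return 2
    printf '%s\n' "$out" | grep -q '^DN: '
}

# Usage: is_member "$USER" "$GROUP" && echo member || echo "not a member or error"
```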