
MS AD group of groups #4

Open
AlexSamad opened this issue Jan 4, 2022 · 2 comments
Comments

@AlexSamad

Hi

https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
example
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)

My MS AD group is made up of groups!

Tested your script and it added in my groups! :)

You can do 2 things: instead of taking the name of the group, ask for the DN,

then, instead of looking for members of the group, do this:

ldapsearch -x -o ldif-wrap=no -H -D "" -w XXX -b "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=))" -LLL dn mail

-LLL reduces the noise
make sure you only get users
and show only users who are members of the group

AlexSamad (Author) commented Jan 5, 2022

--- a/site/role/files/ybzabbix/server/zabbix-ldap-sync.sh
+++ b/site/role/files/ybzabbix/server/zabbix-ldap-sync.sh
@@ -423,33 +423,33 @@ if [ LDAP_Ignore_SSL_Certificate = "false" ]; then
     # normal ldapsearch call
     if [ "$b_verbose" = "true" ]; then
         if [ "$b_showpasswords" = "true" ]; then
-            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn="'$LDAP_Groupname_for_Sync'"))"'
+            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))"'
         else
-            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn="'$LDAP_Groupname_for_Sync'"))"'
+            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))"'
         fi
     fi
     # yes, ldapsearch is called twice - first time without grep to catch the exitcode, 2. time to catch the content
-    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member`
+    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn`
     ldapsearch_exitcode="$?"
     if [ "$b_verbose" = "true" ]; then echo "ldapsearch_exitcode: $ldapsearch_exitcode"; fi
-    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member | grep member:`
+    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn | grep dn:`
 else
     # ignore SSL ldapsearch
     if [ "$b_verbose" = "true" ]; then
         if [ "$b_showpasswords" = "true" ]; then
-            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn='$LDAP_Groupname_for_Sync'))" o member'
+            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))" -LLL dn'
         else
-            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn='$LDAP_Groupname_for_Sync'))" o member'
+            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))" -LLL dn'
         fi
     fi
     # yes, ldapsearch is called twice - first time without grep to catch the exitcode, 2. time to catch the content
-    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member`
+    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn`
     ldapsearch_exitcode="$?"
     if [ "$b_verbose" = "true" ]; then echo "ldapsearch_exitcode: $ldapsearch_exitcode"; fi
-    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member | grep member:`
+    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn | grep dn:`
 fi
 if [ "$b_verbose" = "true" ]; then
-    echo 'Result ldapsearch (with "grep member:" : '"$tempvar"
+    echo 'Result ldapsearch (with "grep dn:" : '"$tempvar"
     echo "Exitcode ldapsearch: $(Translate_ldapsearch_exitcode $ldapsearch_exitcode)"
 fi
 # only continue if ldapsearch was succesfull
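Review bot: the new filter `memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync` only returns entries when the variable holds the group's full DN (`CN=...,OU=...,DC=...`), yet the variable is still called `LDAP_Groupname_for_Sync` and the `cn=` filter it replaces used it as a plain group name; a user who keeps the old CN value configured gets an empty result with exit code 0, which is exactly the "no objects back" report further down this thread. Suggest validating the value before the search (reject anything without a `DC=` component) or renaming it to something like `LDAP_Group_DN_for_Sync` and documenting the changed meaning. Two related points: `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) is an Active Directory extension, so this hunk silently drops support for other directory servers that the `objectClass=group` / `member` path handled, and it deserves a config switch rather than an unconditional replacement; and the DN is interpolated into the filter unescaped, so `(`, `)`, `*` or `\` in any RDN (for example the `\,` ldapsearch prints for an escaped comma) breaks the filter. The old `cn=` version had the same escaping gap, but it is more likely to bite now that a whole DN is pasted in.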
@@ -458,7 +458,7 @@ if [ "$ldapsearch_exitcode" -eq 0 ];then
     LDAP_ARRAY_Members_DN=()
     for (( i=0; i < ${#LDAP_ARRAY_Members_RAW[*]}; i++ )); do
         # Search for the word "member:" in Array - the next value is the DN of a Member
-        if [ "${LDAP_ARRAY_Members_RAW[$i]:0:7}" = "member:" ]; then
+        if [ "${LDAP_ARRAY_Members_RAW[$i]:0:3}" = "dn:" ]; then
             i=$(($i + 1))
             LDAP_ARRAY_Members_DN+=("${LDAP_ARRAY_Members_RAW[$i]}") # add new Item to the end of the array
         else
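Review bot: the comment directly above the changed `if` still reads `Search for the word "member:" in Array`, but the test now looks for `dn:`; update it. Also, the 3-byte prefix check `"${LDAP_ARRAY_Members_RAW[$i]:0:3}" = "dn:"` matches `dn::` as well, which is the form ldapsearch emits (base64-encoded) for DNs containing non-ASCII characters or leading/trailing spaces; in that case the next array element is the base64 blob, not the DN, and it is appended to `LDAP_ARRAY_Members_DN` undecoded. The old `member:` check had the same gap with `member::`, but since the script now keys entirely on the entry DN a `dn::` branch that decodes the value (`base64 -d`) is worth adding here.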
@@ -800,7 +800,7 @@ if [ "$b_verbose" = "true" ]; then
     printf " $ZABBIX_API_URL"
 fi
 tempvar=`curl -k -s -X POST -H "Content-Type:application/json"  -d '{"jsonrpc": "2.0","method":"user.get","params":{"usrgrpids":"'$ZABBIX_LDAP_Group_UsrGrpId'","output":["alias","userid"]},"id":42,"auth":"'$ZABBIX_authentication_token'"}' $ZABBIX_API_URL`
-if [ "$b_verbose" = "true" ]; then echo $tempvar; fi
+if [ "$b_verbose" = "true" ]; then echo ; echo $tempvar; echo ;fi
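Review bot: `echo $tempvar` leaves the JSON response unquoted, so the shell word-splits it and expands any `*` or `?` it contains against the current directory; use `echo "$tempvar"` (the surrounding blank `echo` calls are fine). Not introduced by this hunk, but visible in its context: `curl -k` disables certificate validation for the Zabbix API request that carries the session token in `auth`. The script already has an `LDAP_Ignore_SSL_Certificate` switch for ldapsearch, so giving the curl call the same opt-in treatment instead of an unconditional `-k` would be consistent.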

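The two things the nested-group lookup above depends on, written here as an added example that is not the project's script and not code from the issue: the group DN has to be escaped before it is interpolated into the `memberOf:1.2.840.113556.1.4.1941:=` filter (RFC 4515 requires `\`, `(`, `)`, `*` and NUL to be hex-escaped, otherwise a group with parentheses in its CN breaks the search), and the `-LLL dn` output has to be parsed in a way that also understands the `dn::` base64 form ldapsearch uses for DNs with non-ASCII characters, which a plain `grep dn:` plus a 3-byte prefix check passes through undecoded. It also includes a cheap sanity check that a configured value is a full DN rather than a bare group name, the mistake the later commit message on this page describes. All function names (`ldap_filter_escape`, `looks_like_group_dn`, `nested_user_filter`, `ldif_dns`), the sample LDIF and the group DN are constructed for the example; `base64 --decode` is assumed to be the coreutils/BSD tool.

```shell
#!/bin/sh
# Added example (not the project's script, not code from the issue):
# helpers for the nested-group lookup the patch above switches to.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the escapes it introduces are not re-escaped.
# A NUL byte cannot be held in a shell variable, so it needs no case here.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g' \
                             -e 's/\*/\\2a/g'
}

# LDAP_MATCHING_RULE_IN_CHAIN only resolves when given the group's full DN.
# Sanity check for a config value: it must look like CN=...,...,DC=...
looks_like_group_dn() {
    case "$1" in
        [Cc][Nn]=*,*[Dd][Cc]=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the "user objects that are transitive members of <group DN>" filter.
# 1.2.840.113556.1.4.1941 is an Active Directory extension; other directory
# servers do not understand it.
nested_user_filter() {
    printf '(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=%s))\n' \
        "$(ldap_filter_escape "$1")"
}

# Read LDIF on stdin (as produced by ldapsearch -LLL -o ldif-wrap=no ... dn)
# and print one DN per line. Besides "dn: value" this also handles
# "dn:: base64", which ldapsearch uses for DNs with non-ASCII characters;
# a plain grep for "dn:" would pass the base64 text through undecoded.
ldif_dns() {
    while IFS= read -r line; do
        case "$line" in
            'dn:: '*) printf '%s\n' "${line#dn:: }" | base64 --decode; printf '\n' ;;
            'dn: '*)  printf '%s\n' "${line#dn: }" ;;
            *) ;;  # other attributes, comments, blank entry separators
        esac
    done
}

# Constructed sample output, shaped like what the ldapsearch call in the
# patch prints (the second entry's DN is "CN=Jürgen,..." base64-encoded).
SAMPLE_LDIF='dn: CN=Alice,OU=Users,DC=example,DC=net
mail: alice@example.net

dn:: Q049SsO8cmdlbixPVT1Vc2VycyxEQz1leGFtcGxlLERDPW5ldA==

dn: CN=Bob,OU=Users,DC=example,DC=net
mail: bob@example.net
'

# Stand-alone demo: build the filter for a group whose CN contains
# parentheses, then parse the sample output into a list of member DNs.
GROUP_DN='CN=Ops (Linux),OU=Security Groups,OU=Groups,DC=example,DC=net'
if looks_like_group_dn "$GROUP_DN"; then
    echo "filter: $(nested_user_filter "$GROUP_DN")"
    echo "members:"
    printf '%s' "$SAMPLE_LDIF" | ldif_dns
fi
```

In the script from the patch, `ldif_dns` would replace the `| grep dn:` step and the `dn:` prefix scan over the array, and `looks_like_group_dn` would run once at startup on `LDAP_Groupname_for_Sync` so a bare group name fails loudly instead of producing an empty sync.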
@BernhardLinz (Owner)

I tried your changes but they did not work in my environment; I get no objects back from ldapsearch.
Could you please send me a copy of your script version or make it downloadable for me?
bernhard@znil.de

Thx

Turmio added a commit to Turmio/zabbix-ldap-sync-bash that referenced this issue Aug 24, 2022
Fixes BernhardLinz#4.

When using nested group search, full path to group must be provided.