This script will determine if a given user is a member of a given group (including situations where the user is a member of another group, but that group is a member of the given group).
perl isMember.pl -n "Acounting Managers" -u scarter scarter is a member of group Acounting Managers
I've attached isMember.pl.
You pass it a group name (e.g. "Accounting Managers") and a user id (e.g. "scarter"). It then tells you if scarter is a member of the group Accounting Managers.
It assumes that the group name is stored as a value of the cn attribute and that the group is a type of object class groupOfUniqueNames or groupOfUrls.
The user name is assumed to be stored as a value of the uid attribute.
A membership requirement is met if: a) the DN of the scarter (e.g. user) entry is stored as a value of uniquemember attribute of the Accounting Managers (e.g. group) entry. b) the group is a dynamic group (supported in Netscape Directory server) and the member meets the search filter criteria
It will return if one of the following conditions are met:
a) scarter (e.g. user entry) is a member of the group Accounting Managers (e.g. original group) b) scarter (e.g. user entry) is a member of a group who is a member of Accounting Managers (e.g. original group) c) Accounting Managers (e.g. original group) is a Netscape dynamic group ;and scarter entry can be retrieved using the search filter of the dynamic group URL.
I'm open to suggestions and/or critiques. I've hacked on this code long enough, it probably needs a good cleaning, but I'll need some more eyeballs on it since I've reached that point where the code is in my head & not necessarily exactly as is on paper.
This script now requires the URI package to work (you need this package to interact with Netscape Dynamic Groups). If you don't need the dynamic group support, remove all of the dynamic group stuff and then you don't need the URI package.
Note about Netscape Dynamic Groups: Netscape Dynamic Groups are supported in Netscape Directory Server 4 and later. They are objectclass of groupofurls entries, who's memberurls attribute contains LDAP search URLs. If an entry matches the search filter in the URL, then that entry is considered to be a member of the group.
By managing groups this way instead of as values in a member attribute, you can scale group memberships to the thousands if not millions. Otherwise you're limited to about 14,000 members (which would be a very big pain to manage). By using a search filter, all you have to do to remove a member, is to make the offending entry, not match the search filter anymore (e.g. change the attribute value in the entry or remove the entry), as opposed as to having to go find each group and remove the entry's dn from the member attribute and then re-add all of the still valid member values back to the group entry.
As far as I know this is the first independent script to appear to support Netscape Dynamic groups.
I'm next going to add dynamic group support to printMembers.pl
Hope y'all find this useful.
Hi, Here is an update to the isMember.pl script that I submitted last week. As per the suggestion of Chris Ridd, the script returns true if the user is a member of a group who is a member of the original group. I've tested this down to 2 sub-group levels (e.g. user is a member of group C which is a member of group B which is a member of the original group, group A)
My next option to add is support of Netscape Dynamic Groups.
Here's a small list of the other things that I'm working on (and hopefully will be able to submit to the list, some of them are for work and may not be able to be released, but since I work for a university I don't think there will be a problem):
1) script to add/remove members to a group 2) script to send mail to a list as long as the orignal email address is from the owner of the group 3) a web LDAP management system. I've written a bare bones one in Netscape's PerLDAP API, but I'd like to write something closer to Netscape's Directory Server gateway that could possibly combine in Text::Template for display & development. If someone would like to help with this, let me know. I need it for work, so I'm going to do it (and rather soon since it needs to be operational by end of September at the latest).
Here's my first draft on a new script that I'd like to submit for an example script (or at least for general use) for Net::LDAP.
It's called isMember.pl. What it does is tell you if a given user is a member of a particular group. You specify the group name and username on the command line (and you can also specify the other common LDAP options such as host, binding credentials etc via the command line as well).
Here is an example of how to use it and output: perl isMember.pl -n "Acounting Managers" -u scarter scarter is a member of group Acounting Managers
The script assumes that you make the DN of your groups with the cn attribute (e.g. cn=Accounting Managers, ...) and that the group is of object class groupOfUniqueNames. You can of course modify the script for your own use. While I tested it with Netscape DS 4, it should work with any LDAP server (e.g. I'm not relying on anything funky like dynamic groups).
And of course Your Mileage May Vary.