List, Search, and Sort in LDAP
This article demonstrates how to use the LDAP component to search and organize directory data. It covers how to retrieve users and groups, sort search results, and determine group memberships for a specific user using LDAP queries and attributes.
List All LDAP Users or Members
In LDAP directories, user accounts are represented by different objectClasses depending on the directory product and schema in use (for example, user in Active Directory, posixAccount or inetOrgPerson in OpenLDAP). To retrieve a complete list of users or members, search across every relevant objectClass in one filter and specify which attributes to return for each entry.
For example:
ldap.DN = "dc=JUNGLE";
// specify the attributes you'd like returned for each search result
// if no attributes are specified, all attributes will be returned
ldap.Attributes.Add(new LDAPAttribute("displayName"));
ldap.Attributes.Add(new LDAPAttribute("name"));
ldap.Attributes.Add(new LDAPAttribute("cn"));
ldap.Attributes.Add(new LDAPAttribute("sn"));
ldap.Attributes.Add(new LDAPAttribute("givenName"));
ldap.Attributes.Add(new LDAPAttribute("ou"));
ldap.Attributes.Add(new LDAPAttribute("o"));
ldap.Attributes.Add(new LDAPAttribute("objectClass"));
ldap.Attributes.Add(new LDAPAttribute("userAccountControl"));
ldap.Attributes.Add(new LDAPAttribute("isAccountEnabled"));
ldap.Attributes.Add(new LDAPAttribute("loginDisabled"));
ldap.Attributes.Add(new LDAPAttribute("acctFlags"));
ldap.Attributes.Add(new LDAPAttribute("sambaAcctFlags"));
// one OR across every user objectClass; this flat form is equivalent to the
// nested (|(|(a)(b))(c)) form and the literal must not span lines in C#
ldap.Search("(|(objectClass=user)(objectClass=posixAccount)(objectClass=person)" +
    "(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=computer))");
This approach returns every entry that carries one of the listed objectClasses, which covers the Active Directory, RFC 2307 (posixAccount) and inetOrgPerson schemas. Note that computer is listed explicitly: in Active Directory, computer objects are a subclass of user, so computer accounts appear in the results either way; add (!(objectClass=computer)) to exclude them. Large directories also enforce a size limit (Active Directory's default MaxPageSize is 1000 entries), so a full listing needs paged results rather than one unpaged search.
List All LDAP Groups
In LDAP directories, group entries can belong to multiple objectClasses. To retrieve all groups, perform a search across all relevant group-related objectClasses and specify the attributes you want returned for each entry.
For example:
ldap.DN = "dc=JUNGLE";
// specify the attributes you'd like returned for each search result
// if no attributes are specified, all attributes will be returned
ldap.Attributes.Add(new LDAPAttribute("displayName"));
ldap.Attributes.Add(new LDAPAttribute("name"));
ldap.Attributes.Add(new LDAPAttribute("cn"));
ldap.Attributes.Add(new LDAPAttribute("ou"));
ldap.Attributes.Add(new LDAPAttribute("o"));
ldap.Attributes.Add(new LDAPAttribute("objectClass"));
ldap.Attributes.Add(new LDAPAttribute("member"));
ldap.Attributes.Add(new LDAPAttribute("memberUid"));
ldap.Attributes.Add(new LDAPAttribute("uniqueMember"));
// one OR across every group objectClass; the literal must not span lines in C#
ldap.Search("(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames)" +
    "(objectClass=groupOfNames)(objectClass=group))");
This returns every group entry that carries one of the listed objectClasses: posixGroup (RFC 2307), groupOfNames and groupOfUniqueNames (RFC 4519), and Active Directory's group. The membership attribute differs by class, which is why member, memberUid and uniqueMember are all requested: group and groupOfNames use member, groupOfUniqueNames uses uniqueMember, and posixGroup uses memberUid, which holds the member's uid rather than its DN.
Sort LDAP Search Results
LDAP servers return entries in no defined order. If the server supports the Server Side Sort request control (RFC 2891, advertised in the rootDSE supportedControl attribute as OID 1.2.840.113556.1.4.473; Active Directory supports it, OpenLDAP only with the sssvlv overlay), you can control the order by setting the SortAttributes property to one or more attribute names before calling the Search method. If the server does not support the control, sort the entries on the client after the search completes.
For example, to sort search results by the cn attribute:
// bind first, if necessary. A simple bind sends the password in the clear,
// so do this over LDAPS or after StartTLS.
ldap.DN = "DOMAIN\\User";
ldap.Password = "mypassword";
ldap.Bind();
ldap.DN = "cn=Users,dc=JUNGLE";
ldap.SortAttributes = "cn";
// filters are parenthesized (RFC 4515); (objectClass=*) matches every entry
ldap.Search("(objectClass=*)");
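The check and the fallback described above, as an added example that is not part of the original article or of the nsoftware component: it reads the sort-control OID out of a rootDSE and, when the control is absent, orders already-collected entries on the client. Entries are modelled as dicts of attribute name to list of values; the rootDSE excerpt and the four entries are constructed samples, and the case-insensitive comparison is a simplification that mirrors the caseIgnoreMatch rule of attributes such as cn.

```python
"""Server-side sort check plus a client-side fallback for search results.

Added example, not nsoftware's code. Entries are modelled as dicts of
attribute name -> list of values, the shape a result set has once collected
from the component; the rootDSE and entries below are constructed samples.
"""
from typing import Dict, List, Sequence, Tuple

SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473"  # RFC 2891 sort request control

# constructed rootDSE excerpt: this server advertises paged results and
# ManageDsaIT, but not server-side sort
SAMPLE_ROOT_DSE = {"supportedControl": ["1.2.840.113556.1.4.319", "2.16.840.1.113730.3.4.2"]}

# constructed result set, in the arbitrary order a server may return it
SAMPLE_ENTRIES: List[Dict[str, List[str]]] = [
    {"dn": ["cn=zoe,cn=Users,dc=JUNGLE"], "cn": ["zoe"], "sn": ["Adams"]},
    {"dn": ["cn=Alice,cn=Users,dc=JUNGLE"], "cn": ["Alice"], "sn": ["Young"]},
    {"dn": ["cn=bob,cn=Users,dc=JUNGLE"], "cn": ["bob"], "sn": ["Adams"]},
    {"dn": ["cn=svc,cn=Users,dc=JUNGLE"], "cn": ["svc"]},  # no sn at all
]


def supports_server_side_sort(root_dse: Dict[str, List[str]]) -> bool:
    """True when the rootDSE lists the sort control; otherwise SortAttributes
    is ignored or rejected by the server and the client must sort."""
    return SERVER_SIDE_SORT_OID in root_dse.get("supportedControl", [])


def sort_entries(entries, sort_keys: Sequence[Tuple[str, bool]]):
    """Order entries by (attribute, descending) pairs, most significant first.

    Comparison is case-insensitive on the attribute's first value, mirroring
    caseIgnoreMatch; entries lacking the attribute are placed last regardless
    of direction. Python sorts are stable, so the keys are applied from least
    to most significant and the earlier order survives ties.
    """
    result = list(entries)
    for attribute, descending in reversed(list(sort_keys)):
        present = [e for e in result if e.get(attribute)]
        absent = [e for e in result if not e.get(attribute)]
        present.sort(key=lambda e: e[attribute][0].casefold(), reverse=descending)
        result = present + absent
    return result


def cns(entries) -> List[str]:
    """The cn of each entry, in order, for inspecting a sorted result."""
    return [e["cn"][0] for e in entries]


if __name__ == "__main__":
    if not supports_server_side_sort(SAMPLE_ROOT_DSE):
        print(cns(sort_entries(SAMPLE_ENTRIES, [("sn", False), ("cn", False)])))
```

With the component, read supportedControl from the rootDSE (an empty base DN with base scope) before deciding whether to set SortAttributes; the fallback is only correct once every page of the result has been collected, since sorting one page at a time produces a different order from a server-wide sort.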
Find LDAP Groups for a User
To determine which groups a user belongs to, search for group entries whose membership attribute holds the user's DN: member (group, groupOfNames) or uniqueMember (groupOfUniqueNames), combined with the group objectClasses from the previous section. posixGroup stores members in memberUid by uid rather than by DN, so add a (memberUid=<uid>) clause where that schema is in use. If the DN or uid comes from user input, escape the filter special characters * ( ) \ and NUL as \2a \28 \29 \5c \00 (RFC 4515) before placing the value in the filter; otherwise a crafted value can widen the search to other entries.
// the same user DN in both membership clauses; the literal must not span lines in C#
ldap.Search("(&(|(member=CN=My Name,CN=Users,DC=JUNGLE)(uniqueMember=CN=My Name,CN=Users,DC=JUNGLE))" +
    "(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=group)))");
This query returns the groups that list the user as a direct member. In Active Directory, nested membership can be resolved in the same search with the LDAP_MATCHING_RULE_IN_CHAIN rule, for example (member:1.2.840.113556.1.4.1941:=CN=My Name,CN=Users,DC=JUNGLE); the user's memberOf attribute is another source, but it is a back-link that omits the user's primary group.
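The filters from the user, group and group-membership searches above, built by a small helper that escapes values per RFC 4515, as an added example that is not part of the original article or of the nsoftware component. It only produces filter strings, which are then passed to the component's Search method as in the article; the objectClass lists are the article's, the optional memberUid clause and the Active Directory in-chain variant are additions, and the hostile uid in the usage call is constructed to show that escaping keeps it from turning the membership test into a match-everything clause.

```python
"""Build the article's search filters with values escaped per RFC 4515.

Added example, not nsoftware's code: it only produces filter strings, which
you then pass to the component's Search method exactly as in the article.
"""

# objectClasses from the article's user and group searches
USER_CLASSES = ["user", "posixAccount", "person", "organizationalPerson",
                "inetOrgPerson", "computer"]
GROUP_CLASSES = ["posixGroup", "groupOfUniqueNames", "groupOfNames", "group"]

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value. Backslash is handled first so the escapes it introduces stay intact.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: matches through nested groups
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    for ch, repl in _ESCAPES:
        value = value.replace(ch, repl)
    return value


def any_of(attribute: str, values) -> str:
    """Flat OR over one attribute, equivalent to the article's nested (|(|(a)(b))(c))."""
    return "(|" + "".join(f"({attribute}={escape_filter_value(v)})" for v in values) + ")"


def all_users_filter() -> str:
    """Filter from the 'List All LDAP Users or Members' section."""
    return any_of("objectClass", USER_CLASSES)


def all_groups_filter() -> str:
    """Filter from the 'List All LDAP Groups' section."""
    return any_of("objectClass", GROUP_CLASSES)


def groups_for_user_filter(user_dn: str, uid: str = "", ad_nested: bool = False) -> str:
    """Groups that hold the user, restricted to the group objectClasses.

    member and uniqueMember are DN-valued; posixGroup (RFC 2307) uses memberUid
    with the uid, so pass uid when that schema is in use. ad_nested swaps the
    member clause for AD's in-chain rule so nested memberships match too.
    """
    dn = escape_filter_value(user_dn)
    member_attr = f"member:{AD_IN_CHAIN}:" if ad_nested else "member"
    clauses = [f"({member_attr}={dn})", f"(uniqueMember={dn})"]
    if uid:
        clauses.append(f"(memberUid={escape_filter_value(uid)})")
    return "(&(|" + "".join(clauses) + ")" + all_groups_filter() + ")"


if __name__ == "__main__":
    print(all_users_filter())
    print(all_groups_filter())
    print(groups_for_user_filter("CN=My Name,CN=Users,DC=JUNGLE", uid="myname"))
    # constructed hostile uid: without escaping it would close the memberUid
    # clause and inject (objectClass=*), matching every group
    print(groups_for_user_filter("CN=My Name,CN=Users,DC=JUNGLE", uid="*)(objectClass=*"))
```

Commas and spaces in the DN need no escaping inside a filter (they matter in DN syntax, not in RFC 4515 assertion values), so an escaped DN still reads as the DN it came from; only the five characters in the table are rewritten.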
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.