Check if user is part of an AD group from bash


Is there a way for me to check if a user is part of an AD group from bash?

As an added level of difficulty, this check would not be made on the UCS AD controller itself, but on a UCS file server, which is a member of the domain.



Just as a short hint: ldapsearch is the tool you will need. It can connect to a remote server with given credentials and displays the LDAP entries you need.


Hi @gbr

A good try would be

univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=<USERNAME> dn | sed -ne 's/dn: //p' ))" dn | sed '/^$/d'

kind regards

Hi @stoeckigt

That works like a charm, until I throw it in a bash script. My bash skills are not the best, so maybe I’m missing something simple…

 univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=$D dn | sed -ne 's/dn: //p' ))" dn

I believe it’s not expanding the $D (user name) properly, but I don’t really know.


So, I simplified it, but it still does work when I use a variable for uid

univention-ldapsearch -LLL uniqueMember=uid=$NAME,cn=users,dc=test,dc=com dn

If I replace $NAME with gbr, it works fine.


Ah, my bad. The name had 2 leading characters I had to get rid of first.


You should really add -o ldif-wrap=no in each invocation of univention-ldapsearch if you’re scripting stuff; otherwise long lines, including those containing the DN, may get wrapped, such as this one:

dn: uid=kunden-test,cn=Funktionsaccounts,cn=users,dc=bs,dc=my-compan

Kind regards,

@Moritz_Bunkus Thanks! Done!
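A script version of the approach in this thread (@stoeckigt's uniqueMember lookup with @Moritz_Bunkus's -o ldif-wrap=no), added here as an example and not posted by anyone in the thread. It assumes univention-ldapsearch binds as the member server does by default; the ldap_escape helper is an addition, because both one-liners above put the user name into the filter unescaped, and the LDAPSEARCH variable only exists so the logic can be exercised against a stand-in command.

```shell
#!/bin/bash
# Added example: check UCS group membership from a script on a domain-joined
# member server. Assumes univention-ldapsearch is present and binds as the
# host does; membership is read from the group's uniqueMember attribute.

# Command used for LDAP queries; a variable so the functions can be run
# against a stand-in command without a live directory.
LDAPSEARCH="${LDAPSEARCH:-univention-ldapsearch}"

# Escape the characters RFC 4515 reserves inside a filter value, so a name
# such as 'x)(uid=admin' taken from input cannot change the filter's meaning.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Resolve a uid to its DN. -LLL drops LDIF version/comment lines;
# -o ldif-wrap=no keeps long DNs on one line (LDIF folds long lines, which
# would make "sed -ne 's/^dn: //p'" return a truncated DN).
user_dn() {
    "$LDAPSEARCH" -LLL -o ldif-wrap=no "(uid=$(ldap_escape "$1"))" dn \
        | sed -ne 's/^dn: //p'
}

# Return 0 if user $1 is in the group with cn $2, 1 if not or user unknown.
# The server does the membership test: the filter matches the group object
# only when it lists the user's DN as a uniqueMember.
user_in_group() {
    local dn group
    dn=$(user_dn "$1")
    [ -n "$dn" ] || return 1
    group=$("$LDAPSEARCH" -LLL -o ldif-wrap=no \
        "(&(cn=$(ldap_escape "$2"))(uniqueMember=$(ldap_escape "$dn")))" dn \
        | sed -ne 's/^dn: //p')
    [ -n "$group" ]
}

# Usage: ./check_group.sh <uid> <group-cn>
if [ "$#" -eq 2 ]; then
    if user_in_group "$1" "$2"; then
        echo "$1 is a member of $2"
    else
        echo "$1 is NOT a member of $2"
        exit 1
    fi
fi
```

Run it as ./check_group.sh gbr <group-cn>; the exit status (0 = member, 1 = not a member or unknown user) is what a calling script should test.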