Check if user is part of an AD group from bash




Is there a way for me to check if a user is part of an AD group from bash?

As an added level of difficulty, this check would not be made on the UCS AD controller itself, but on a UCS file server, which is a member of the domain.




Just as a short hint: ldapsearch is the tool you will need. It can connect to a remote server with given credentials and displays the LDAP entries you need.



Hi @gbr

a good try would be

univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=<USERNAME> dn | sed -ne 's/dn: //p' ))" dn | sed '/^$/d'

kind regards


Hi @stoeckigt

That works like a charm, until I throw it in a bash script. My bash skills are not the best, so maybe I’m missing something simple…

 univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=$D dn | sed -ne 's/dn: //p' ))" dn

I believe it’s not expanding the $D (user name) properly, but I don;t really know.



SO, I simplified it, but it still does work when I use a variable for uid

univention-ldapsearch -LLL uniqueMember=uid=$NAME,cn=users,dc=test,dc=com dn

If I replace $NAME with gbr, it works fine.



Ah, my bad. The name had a leading 2 charcaters I had to get rid of first.



You should really add -o ldif-wrap=no in each invocation of univention-ldapsearch if you’re scripting stuff; otherwise long lines including those containing the DN may get wrapped such as this one:

dn: uid=kunden-test,cn=Funktionsaccounts,cn=users,dc=bs,dc=my-compan

Kind regards,


@Moritz_Bunkus Thanks! Done!