Is there a way for me to check if a user is part of an AD group from bash?
As an added level of difficulty, this check would not be made on the UCS AD controller itself, but on a UCS file server, which is a member of the domain.
Just as a short hint: ldapsearch is the tool you will need. It can connect to a remote server with given credentials and displays the LDAP entries you need.
a good try would be
univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=<USERNAME> dn | sed -ne 's/dn: //p' ))" dn | sed '/^$/d'
That works like a charm, until I throw it in a bash script. My bash skills are not the best, so maybe I’m missing something simple…
univention-ldapsearch -LLL "(uniqueMember=$( univention-ldapsearch -LLLo ldif-wrap=no uid=$D dn | sed -ne 's/dn: //p' ))" dn
I believe it’s not expanding the $D (user name) properly, but I don’t really know.
So, I simplified it, but it still does work when I use a variable for uid
univention-ldapsearch -LLL uniqueMember=uid=$NAME,cn=users,dc=test,dc=com dn
If I replace $NAME with gbr, it works fine.
Ah, my bad. The name had 2 leading characters I had to get rid of first.
You should really add -o ldif-wrap=no in each invocation of univention-ldapsearch if you’re scripting stuff; otherwise long lines including those containing the DN may get wrapped such as this one:
@Moritz_Bunkus Thanks! Done!
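The pieces worked out in this thread (resolve the user's DN, query groups by uniqueMember, always pass -o ldif-wrap=no) combined into one script, as an added example that is not from any of the posters. It assumes univention-ldapsearch as used above, a constructed base DN of dc=test,dc=com, and adds RFC 4515 filter escaping so that a user name taken from script input cannot alter the search filter. The LDAPSEARCH variable exists only so the functions can be exercised against a stand-in command.

```shell
#!/bin/sh
# Added example (not from the original thread): check AD/LDAP group membership
# from a UCS member server. Assumes univention-ldapsearch as on the page and a
# constructed base DN of dc=test,dc=com.

# Command to run; override only for testing (e.g. LDAPSEARCH=fake_ldapsearch).
LDAPSEARCH="${LDAPSEARCH:-univention-ldapsearch}"

# Escape a value for an LDAP search filter (RFC 4515) so that a name taken from
# script input cannot change the filter's structure.
ldap_filter_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Run ldapsearch with the options scripts need: -LLL for plain LDIF and
# -o ldif-wrap=no so long DNs are never wrapped across lines. Prints only the
# value of the "dn:" attribute, one per matching entry.
search_dn() {
  "$LDAPSEARCH" -LLL -o ldif-wrap=no "$1" dn | sed -ne 's/^dn: //p'
}

# Resolve a uid to its DN. Prints nothing if the user does not exist.
user_dn() {
  search_dn "(uid=$(ldap_filter_escape "$1"))"
}

# List the DNs of all groups that carry the user's DN as uniqueMember
# (the query from the thread, with the DN escaped). Returns 2 if the user
# cannot be resolved.
user_groups() {
  dn=$(user_dn "$1")
  [ -n "$dn" ] || return 2
  search_dn "(uniqueMember=$(ldap_filter_escape "$dn"))"
}

# is_member USER GROUP: exit 0 if USER is a uniqueMember of the group whose
# cn is GROUP, 1 if not, 2 if the user cannot be resolved at all.
is_member() {
  dn=$(user_dn "$1")
  if [ -z "$dn" ]; then
    printf 'user %s not found\n' "$1" >&2
    return 2
  fi
  filter="(&(cn=$(ldap_filter_escape "$2"))(uniqueMember=$(ldap_filter_escape "$dn")))"
  [ -n "$(search_dn "$filter")" ]
}

# Command-line use: ./check_group.sh USERNAME GROUPNAME (exit status 0 = member)
if [ "$#" -eq 2 ]; then
  if is_member "$1" "$2"; then
    printf '%s is a member of %s\n' "$1" "$2"
  else
    printf '%s is NOT a member of %s\n' "$1" "$2"
    exit 1
  fi
fi
```

The membership test asks the server directly with a combined filter instead of listing every group and grepping the result, so the answer is a single exit status that fits naturally into an if statement; user_groups is kept for the listing use case from the thread.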