Get members of a group who are not deactivated


I have a python script that gets a list of UIDs of members of a group like this

ldap_server = ""
ldap_base = "cn=" + group + ",cn=groups,dc=office,dc=domain,dc=co,dc=uk"

con = ldap.initialize("ldap://" + ldap_server + ":7389")
s = con.simple_bind_s("uid=" + username + ",cn=users,dc=office,dc=domain,dc=co,dc=uk", password)
result = con.search_s(ldap_base, ldap.SCOPE_BASE, filter_str)

How do I exclude people who have deactivated accounts from appearing in this search?

I have found this ldapsearch filter works to give me a list of all the active users

univention-ldapsearch -LLL '(&(objectClass=person)(mailPrimaryAddress=*)(!(krb5KDCFlags:1.2.840.113556.1.4.803:=128))(!(shadowExpire=*))(!(sambaAcctFlags=[UL       ]))(!(sambaAcctFlags=[UD       ])))' uid

but I can’t see how to make it work in the python script – or how to limit to one group using ldapsearch.

many thanks, Julian