This article describes the steps to verify Active Directory user group membership in the shell. It illustrates how to pull group membership information directly from the authenticating domain controller, as well as how to list the cached group membership stored on the appliance. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM
Using ldapsearch, we can query Active Directory directly for group membership information.
The command is as follows:
ldapsearch -x -w password -h server -D "bind DN" -b "base DN" "(objectclass=*)"
-x: use simple (password) authentication.
-w: domain admin password.
-h: the domain controller (server) to query.
-D: bind DN of the domain admin account.
-b: base DN of the group you're searching.
For example, if we want to list the members of the Employees group, we would use the following:
ldapsearch -x -w Passw0rd! -h 192.168.3.10 -D "CN=Administrator,CN=Users,DC=linuxlab,DC=com" -b "CN=Employees,CN=Users,DC=linuxlab,DC=com" "(objectclass=*)"
Output is as follows:
Note: To reduce the output to the member entries only, append | grep member to the end of the command line.
ldapsearch -x -w Sophos1985 -h 192.168.2.10 -D "CN=Administrator,CN=Users,DC=linuxlab,DC=com" -b "CN=Employees,CN=Users,DC=linuxlab,DC=com" "(objectclass=*)" | grep member
This will result in only members of the group being shown in the command output:
To list the cached members of a group on Sophos UTM, we can use the wbinfo command:
wbinfo --group-info=(domain group)
Searching the same group we used in the previous example (Employees), the command would be:
The output of the command is straightforward:
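The following shell script is an added example and is not part of the Sophos article; it puts the two checks above side by side. It extracts the member values from ldapsearch output properly (unfolding the continuation lines ldapsearch inserts when it wraps long DNs, which a plain | grep member truncates, and ignoring attributes such as memberOf that grep member also matches), lists the members that wbinfo --group-info reports as cached on the appliance, and reports live members that are absent from the cache. The LDIF and wbinfo output are constructed samples; the domain name LINUXLAB, the account names, and the lab convention that an account's CN equals its logon name are assumptions for the comparison step.

```shell
#!/bin/sh
# Added example, not from the Sophos article. Compares the live group membership
# returned by ldapsearch with the membership winbind has cached on the appliance.
# Both samples below are constructed; LINUXLAB and the account names are assumed.
export LC_ALL=C   # stable sort order for sort/comm

# Constructed ldapsearch output for the Employees group. The third member's DN is
# wrapped the way ldapsearch wraps long lines (continuation line starts with a space),
# and the memberOf line is there to show what "grep member" would wrongly pick up.
LDIF_SAMPLE='dn: CN=Employees,CN=Users,DC=linuxlab,DC=com
objectClass: top
objectClass: group
cn: Employees
member: CN=alice,CN=Users,DC=linuxlab,DC=com
member: CN=bob,CN=Users,DC=linuxlab,DC=com
member: CN=carol,OU=Long Organisational Unit Name For Wrapping,OU=Staff,DC=linux
 lab,DC=com
memberOf: CN=AllStaff,CN=Users,DC=linuxlab,DC=com
sAMAccountName: Employees'

# Constructed "wbinfo --group-info" output (/etc/group format: name:pw:gid:members).
# Assumption: carol was added in AD after the appliance last refreshed its cache.
WBINFO_SAMPLE='LINUXLAB\employees:x:10001:LINUXLAB\alice,LINUXLAB\bob'

# Read LDIF on stdin, join continuation lines onto the line they belong to, and
# print only the values of the member attribute (one DN per line). The range
# form member;range=0-1499 that AD returns for groups over 1500 members is
# accepted as well, so those members are not silently dropped.
ldif_members() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation line: append it
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
        function emit(line) {
            if (match(line, /^member(;range=[^:]*)?: /)) print substr(line, RLENGTH + 1)
        }
    '
}

# Read a wbinfo --group-info line on stdin and print one cached member per line.
wbinfo_members() {
    awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Print live members (from the LDIF in $1) that are not in the cached list (from the
# wbinfo line in $2). Compares the lower-cased CN with the lower-cased winbind user
# name, which only works under the assumed lab convention that CN == logon name.
missing_from_cache() {
    live=$(mktemp) || return 1
    cached=$(mktemp) || return 1
    printf '%s\n' "$1" | ldif_members   | sed 's/^CN=\([^,]*\),.*/\1/' | tr 'A-Z' 'a-z' | sort -u > "$live"
    printf '%s\n' "$2" | wbinfo_members | sed 's/^.*\\//'              | tr 'A-Z' 'a-z' | sort -u > "$cached"
    comm -23 "$live" "$cached"          # lines only in the live list
    rm -f "$live" "$cached"
}

# Stand-alone demonstration on the constructed samples.
echo "Live members (ldapsearch):";  printf '%s\n' "$LDIF_SAMPLE"   | ldif_members
echo "Cached members (wbinfo):";    printf '%s\n' "$WBINFO_SAMPLE" | wbinfo_members
echo "Live but not cached:";        missing_from_cache "$LDIF_SAMPLE" "$WBINFO_SAMPLE"
```

Against a real controller, pipe the ldapsearch command from the earlier section into ldif_members instead of grep member, and pipe the wbinfo command into wbinfo_members. A member that shows up as live but not cached simply means the appliance has not refreshed its group cache since the AD change. When running ldapsearch interactively, -W (prompt for the password) or -y passwordfile avoids leaving the bind password in the process list and shell history the way -w does, and newer OpenLDAP clients accept -o ldif-wrap=no to stop the line wrapping altogether.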