The tokenGroups attribute is a special constructed attribute that can only be returned on a base level search, due to the computational complexity of populating the information on the server side.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm Blog: http://blog.joeware.net
On Thu, Dec 20, 2012 at 9:54 PM, ctosgh ctosgh@126.com wrote:
Hi, World

I have one question about my recent work on LDAP. Why can't I get tokenGroups back, but can get other attributes back, with the following search against an AD server?

[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName tokenGroups
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName tokenGroups
#

# search result
search: 2
result: 1 Operations error
text: 00002120: SvcErr: DSID-03140293, problem 5012 (DIR_ERROR), data 0

# numResponses: 1
However, if I do NOT request the tokenGroups attribute I get a successful response.

[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName
#

# user1, Users, jacky.org.cn
dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn
cn: user1
whenChanged: 20121221012448.0Z
userPrincipalName: user1@jacky.org.cn

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I do see entry "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn" has the attribute tokenGroups on AD.
Any thoughts? TIA

Thanks, Jacky
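The two-step pattern joe's answer implies (locate the DN with a subtree search, then read tokenGroups with a base-scope search on that DN), as an added example that is not part of the thread. It runs against a constructed in-memory stand-in for the directory that reproduces the operations error from the first ldapsearch; `fake_search`, `FAKE_DIRECTORY` and the sample SIDs are assumptions, and a real client such as ldap3's `conn.search` would take the place of the callable.

```python
import struct

BASE, SUBTREE = "base", "sub"
SEARCH_BASE = "CN=Users,DC=jacky,DC=org,DC=cn"
USER_DN = "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn"

def _sid_bytes(authority, *subs):
    # Constructed binary SID in the layout AD returns for tokenGroups:
    # revision, sub-authority count, 48-bit big-endian identifier authority,
    # then little-endian 32-bit sub-authorities.
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

# Constructed sample entry (hypothetical SIDs); tokenGroups holds binary SIDs.
FAKE_DIRECTORY = {
    USER_DN: {
        "sAMAccountName": "user1",
        "userPrincipalName": "user1@jacky.org.cn",
        "tokenGroups": [_sid_bytes(5, 21, 1, 2, 3, 513), _sid_bytes(5, 32, 545)],
    }
}

class OperationsError(Exception):
    pass

def fake_search(base, scope, flt, attrs):
    """Stand-in for an LDAP search that mimics AD: requesting tokenGroups with
    any scope other than base fails with the error seen in the thread."""
    if "tokenGroups" in attrs and scope != BASE:
        raise OperationsError("00002120: SvcErr: DSID-03140293, problem 5012 (DIR_ERROR), data 0")
    attr, _, val = flt.strip("()").partition("=")
    hits = []
    for dn, entry in FAKE_DIRECTORY.items():
        in_scope = dn == base if scope == BASE else dn.endswith(base)
        if in_scope and (val == "*" or entry.get(attr) == val):
            hits.append((dn, {a: entry[a] for a in attrs if a in entry}))
    return hits

def sid_to_string(raw):
    """Convert a binary SID to its textual S-1-5-21-... form."""
    rev, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def token_groups_for(search, sam_account_name, search_base):
    """Step 1: subtree search to find the DN (tokenGroups must not be asked for here).
    Step 2: base-scope search on that DN, where tokenGroups is returned."""
    hits = search(search_base, SUBTREE, "(sAMAccountName=%s)" % sam_account_name, ["cn"])
    if not hits:
        return None, []
    dn = hits[0][0]
    (_, attrs), = search(dn, BASE, "(objectClass=*)", ["tokenGroups"])
    return dn, [sid_to_string(s) for s in attrs.get("tokenGroups", [])]
```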