The tokenGroups attribute is a special constructed attribute that can only be returned on a base level search due to computational complexity of populating the information on the server side.
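The practical consequence is a two-step lookup: keep the subtree search to resolve the account's DN, then run a second ldapsearch with `-s base` against that DN requesting tokenGroups. The values come back as binary SIDs, which ldapsearch prints as base64 (`tokenGroups:: ...`), so they need decoding before they are useful. The example below is added by the editor and is not part of the original reply; it assumes the host, bind DN and user DN from the question, prompts for the password with `-W` instead of passing it on the command line (where `-w` leaves it visible in the process list and shell history), and parses a constructed sample of the step-2 output, including a folded long value, into `S-1-...` strings.

```python
# Added example, not from the original thread. Assumed: host, bind DN and user DN
# are those from the question; the LDIF below is constructed, not captured.
import base64
import struct
from typing import Dict, List


def tokengroups_search_argv(user_dn: str,
                            bind_dn: str = "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn",
                            uri: str = "ldap://x.x.x.x:389") -> List[str]:
    """argv for the second ldapsearch: '-s base' against the object's own DN."""
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-s", "base", "-b", user_dn, "(objectClass=*)", "tokenGroups"]


def decode_sid(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...': revision, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: unfolds ' ' continuation lines, decodes '::' base64
    values, skips '#' comments, splits entries on blank lines."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:      # folded continuation line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries: List[Dict[str, List[bytes]]] = []
    entry: Dict[str, List[bytes]] = {}
    for line in logical + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'attr:: <base64>' = binary value
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        entry.setdefault(name, []).append(data)
    return entries


def token_group_sids(ldif_text: str) -> Dict[str, List[str]]:
    """Map each DN in ldapsearch output to its decoded tokenGroups SIDs."""
    result: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:                     # trailing 'search:/result:' block
            continue
        dn = entry["dn"][0].decode("utf-8")
        result[dn] = [decode_sid(b) for b in entry.get("tokenGroups", [])]
    return result


# Constructed sample of what the base-scope search prints. The SIDs are
# BUILTIN\Administrators (S-1-5-32-544) and Domain Users of a made-up domain
# (S-1-5-21-1-2-3-513); the second value is folded over two lines as
# ldapsearch does with long values.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <CN=user1,CN=Users,DC=jacky,DC=org,DC=cn> with scope baseObject
# filter: (objectClass=*)
# requesting: tokenGroups
#

# user1, Users, jacky.org.cn
dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAAAQAAAAIAAAAD
 AAAAAQIAAA==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    print(" ".join(tokengroups_search_argv("CN=user1,CN=Users,DC=jacky,DC=org,DC=cn")))
    for dn, sids in token_group_sids(SAMPLE_LDIF).items():
        print(dn)
        for sid in sids:
            print("  ", sid)
```

The decoded SIDs are the account's security group memberships including nested groups, which is what tokenGroups is for; to turn them back into group names, search the domain with a `(objectSid=...)` filter or keep a SID-to-DN cache.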
Hi, World.

I have one question about my recent work on LDAP. Why can't I get tokenGroups back, but can get other attributes back, with the following search against an AD server?

[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName tokenGroups
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName tokenGroups
#

# search result
search: 2
result: 1 Operations error
text: 00002120: SvcErr: DSID-03140293, problem 5012 (DIR_ERROR), data 0

# numResponses: 1

However, if I do NOT request the tokenGroups attribute, I get a successful response.

[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName
#

# user1, Users, jacky.org.cn
dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn
cn: user1
whenChanged: 20121221012448.0Z
userPrincipalName: user1@jacky.org.cn

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I do see that the entry "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn" has the attribute tokenGroups on AD.

Any thoughts? TIA

Thanks,
Jacky