I am new to LDAP so please bear with me if my question sounds too basic. I want to make sure a group already exists in the directory before a member is allowed to be added. I guess the API to use would be ldap_search_s (I want to use synchronous search). What kind of filter syntax should I use?
Alex
Alex Chen wrote:
I want to make sure a group already exists in the directory before a member is allowed to be added.
What does "already exist" exactly mean in your application's context? That a certain entry referenced by a DN does exist? That a certain group name exists (whatever the group name attribute is in your context)?
I guess the API to use would be ldap_search_s (I want to use synchronous search).
Yes.
What kind of filter syntax should I use?
The filter depends on the object class for the group which also depends on the group usage.
With OpenLDAP's slapd the most commonly used object class is 'groupOfNames'. Some use 'organizationalRole'. Other LDAP servers use different group schema.
To make it clear how many different group object classes are used in the wild here's the excerpt of my web2ldap's group admin mappings which maps the object class' name to the member attribute and the accompanying attribute in the member entry:
    # The definitions for group entry administration:
    # object class name -> (member attribute, attribute in the member entry;
    # None means the member attribute holds the member's DN)
    groupadm_defs = {
        'groupOfNames': ('member', None),
        'groupOfUniqueNames': ('uniqueMember', None),
        'organizationalRole': ('roleOccupant', None),
        'rfc822MailGroup': ('mail', 'mail'),
        'nisMailAlias': ('rfc822MailMember', 'mail'),
        'mailGroup': ('mgrprfc822mailmember', 'mail'),
        # Found on IBM SecureWay Directory
        'accessGroup': ('member', None),
        # RFC2370
        'posixGroup': ('memberUid', 'uid'),
        'nisNetgroup': ('memberNisNetgroup', 'uid'),
        # Samba 3.0
        'sambaGroupMapping': ('sambaSIDList', 'sambaSID'),
        # Active Directory
        'group': ('member', None),
        # draft-findlay-ldap-groupofentries
        'groupOfEntries': ('member', None),
    }
Ciao, Michael.
On Tuesday 05 May 2009 07:41:18 Alex Chen wrote:
I am new to LDAP so please bear with me if my question sounds too basic. I want to make sure a group already exists in the directory before a member is allowed to be added. I guess the API to use would be ldap_search_s (I want to use synchronous search). What kind of filter syntax should I use?
If you know the DN, then do a search with basedn of the DN of the group, with scope base, with filter (objectclass=*).
openldap-technical@openldap.org
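The two checks discussed in this thread, the base-scope search on a known DN and the filter-based search for a group of a given object class and name, as an added example that is not code from any of the posters or from web2ldap. It builds the search parameters in the shape ldap_search_s / python-ldap's search_s expect (base, scope, filter), escapes the caller-supplied group name per RFC 4515 so a name like "admins)(objectClass=*" cannot rewrite the filter, and uses a subset of Michael's mapping to pick the member attribute once the group is known to exist. The directory and the search callable are constructed stand-ins so it runs offline; with python-ldap you would pass a wrapper around LDAPObject.search_s that turns ldap.NO_SUCH_OBJECT into an empty result.

```python
import re

# Subset of Michael's web2ldap mapping: object class -> (member attribute,
# attribute of the member entry). None means the member attribute holds a DN.
GROUPADM_DEFS = {
    'groupOfNames': ('member', None),
    'groupOfUniqueNames': ('uniqueMember', None),
    'organizationalRole': ('roleOccupant', None),
    'posixGroup': ('memberUid', 'uid'),
    'group': ('member', None),          # Active Directory
}

# Same numeric values as python-ldap's ldap.SCOPE_BASE / ldap.SCOPE_SUBTREE.
SCOPE_BASE = 0
SCOPE_SUBTREE = 2


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and NUL
    become backslash + two hex digits. Without this, a user-supplied name
    is spliced straight into the filter grammar."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value; only needed by the offline stand-in below."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def existence_search_by_dn(group_dn):
    """'Does this DN exist': base the search at the DN, scope base, match-all filter."""
    return (group_dn, SCOPE_BASE, '(objectClass=*)')


def existence_search_by_name(base_dn, object_class, group_name, name_attr='cn'):
    """'Is there a group of this object class with this name' under base_dn."""
    if object_class not in GROUPADM_DEFS:
        raise ValueError('unknown group object class: %r' % object_class)
    flt = '(&(objectClass=%s)(%s=%s))' % (
        escape_filter_value(object_class), name_attr, escape_filter_value(group_name))
    return (base_dn, SCOPE_SUBTREE, flt)


def group_exists(search, base_dn, scope, flt):
    """Run the search and report whether exactly one real entry came back.
    `search(base, scope, filter)` must return a list of (dn, attrs) tuples like
    python-ldap's search_s and return [] when the base DN does not exist."""
    results = search(base_dn, scope, flt)
    entries = [r for r in results if r[0] is not None]   # drop referral entries (dn None)
    return len(entries) == 1


def member_attribute(object_class):
    """Attribute to add the new member to, once the group is known to exist."""
    return GROUPADM_DEFS[object_class][0]


# Constructed stand-in directory and search function (hypothetical, offline only).
FAKE_DIRECTORY = {
    'cn=admins,ou=groups,dc=example,dc=com': {'objectClass': ['groupOfNames'], 'cn': ['admins']},
    'cn=staff,ou=groups,dc=example,dc=com': {'objectClass': ['posixGroup'], 'cn': ['staff']},
}


def fake_search(base, scope, flt):
    if scope == SCOPE_BASE:
        return [(base, FAKE_DIRECTORY[base])] if base in FAKE_DIRECTORY else []
    # Understands only the (&(objectClass=X)(attr=Y)) filters built above.
    m = re.match(r'^\(&\(objectClass=([^)]*)\)\((\w+)=([^)]*)\)\)$', flt)
    if not m:
        raise ValueError('fake_search cannot evaluate filter %r' % flt)
    oc, attr, val = (unescape_filter_value(s) for s in m.groups())
    return [(dn, e) for dn, e in FAKE_DIRECTORY.items()
            if dn.endswith(base) and oc in e['objectClass'] and val in e.get(attr, [])]


if __name__ == '__main__':
    dn = 'cn=admins,ou=groups,dc=example,dc=com'
    print(dn, 'exists:', group_exists(fake_search, *existence_search_by_dn(dn)))
    params = existence_search_by_name('dc=example,dc=com', 'posixGroup', 'staff')
    print(params[2], '->', group_exists(fake_search, *params), 'member attr:', member_attribute('posixGroup'))
```

The existence check deliberately requires exactly one entry: zero means the group is missing, more than one means the name is ambiguous under that base and the member should not be added blindly. python-ldap ships its own escaping as ldap.filter.escape_filter_chars, which is the function to use in real code; the hand-written one here only keeps the example dependency-free.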