Unless your an LDAP expert it’s not obvious how to find the groups a user is a member of, and that also describes how you need to tackle this problem.

This code makes a lot of assumptions and also assumes that a user’s UID is named ‘uid’.

	LDAP_SERVER = "ldaps://my-ldap-server.com/"
	LDAP_BASE = "dc=my-ldap-server,dc=com"
	def users_ldap_groups(uid):
	""" Returns a list of the groups that the uid is a member of.
	Returns False if it can't find the uid or throws an exception.
	It's up to the caller to ensure that the UID they're using exists!
	"""
	logger.debug("uid: ", uid)
	# ignore certificate errors
	ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
	l = ldap.initialize(LDAP_SERVER)
	# this search for all objectClasses that user is in.
	# change this to suit your LDAP schema
	search_filter='(|(&(objectClass=*)(member=uid=%s,cn=users,cn=accounts,dc=my-ldap-server,dc=com)))' % uid
	try:
	# this returns the groups!
	results = l.search_s(LDAP_BASE, ldap.SCOPE_SUBTREE, search_filter, ['cn',])
	logger.debug('%s groups: %s' % (uid, results) )
	return results
	except ldap.NO_SUCH_OBJECT as e:
	logger.error("{}:{}unable to lookup uid {} on LDAP server {}: {}".format(__file__, sys._getframe().f_code.co_name, uid, LDAP_SERVER, e))
	return False
	except Exception as e: # some other error occured
	logger.error("{}:{}: other error occurred looking up {} in LDAP: {}".format(__file__, sys._getframe().f_code.co_name,uid,e))
	return False
	# shouldn't get here, but if we do, we don't have any results!
	return False

view raw gistfile1.py hosted with by GitHub

If there’s a better way to do this, let me know.

References:
This thread on the Python-LDAP mailing list was quite useful:

• http://sourceforge.net/p/python-ldap/mailman/message/19636166/
• Photo is one I took in 2007 at Fort Point in Boston.