List all members of a group

macOS has no dedicated command that lists all members of a particular user group. However, we can use the general-purpose directory service command line utility dscl.

Find out the group name we are interested in

First of all, we need to know the directory service name of the group we are interested in. A list of groups known to our Active Directory can be generated via

dscl "/Active Directory/CPFS/All Domains" -list /Groups |
while IFS= read -r group; do	# read line by line, since group names may contain spaces
	dscl "/Active Directory/CPFS/All Domains" \
	-read "/Groups/$group" distinguishedName info 2>/dev/null;
done

perhaps piped into more.

Get the list of users

Suppose we want the list of users in a particular group. By inspecting the info attributes in the output above we learn that the AD group name is presumably CPFS-pq (the first component of the distinguishedName attribute). The user list is stored in the member attribute of the group record. The command

dscl "/Active Directory/CPFS/All Domains" -read "/Groups/CPFS-pq" \
	distinguishedName member

returns the DS distinguished name of the group record and a list of its users. The form of the CN entries is a bit crude, but it is easy to parse into a different form, for example:

dscl "/Active Directory/CPFS/All Domains" -read "/Groups/CPFS-pq" \
	distinguishedName member | sed 's/CN=\(.*\),OU=.*/\1/g' \
	| sed 's/,OU=.*//g' | sort | sed 's/\(.*\)\\, *\(.*\)/\2 \1/g'
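The sed pipeline above relies on the "Family Name\, GivenName" CN layout and on greedy matching of ",OU=". As an added example (not code from the original page), the following Python parses such member DNs with proper RFC 4514 handling of escaped commas and hex escapes, then produces the same "GivenName Family Name" list sorted by family name. The member DNs and the surrounding text are constructed samples; extract_dns scans for DNs anywhere in the text, so the exact layout dscl prints is not relied on.

```python
import re

HEX = set('0123456789abcdefABCDEF')


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas (RFC 4514),
    keeping backslash escape pairs such as "\\," intact."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # escape pair stays with its value
            i += 2
        elif dn[i] == ',':
            parts.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    parts.append(''.join(buf))
    return parts


def unescape_rdn_value(value):
    """Undo RFC 4514 escaping in an attribute value: "\\," -> "," and
    hex pairs such as "\\c3\\bc" -> the UTF-8 character they encode."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                out += bytes.fromhex(pair)   # \XX hex escape
                i += 3
            else:
                out += value[i + 1].encode('utf-8')   # \<special char>
                i += 2
        else:
            out += value[i].encode('utf-8')
            i += 1
    return out.decode('utf-8', 'replace')


def given_family_from_dn(dn):
    """Return (given names, family name) for an AD DN whose first RDN is
    "CN=Family Name\\, GivenName", the form shown on this page."""
    rdn = split_dn(dn)[0]
    attr, sep, value = rdn.partition('=')
    if not sep or attr.strip().upper() != 'CN':
        raise ValueError('first RDN is not a CN: %r' % rdn)
    cn = unescape_rdn_value(value)
    family, sep, given = cn.partition(',')
    if not sep:                  # CN without a comma: treat as family name only
        return ('', cn.strip())
    return (given.strip(), family.strip())


# A DN starts at "CN=" and ends with the run of DC components.
DN_RE = re.compile(r'CN=.+?(?:,DC=[^,\s]+)+')


def extract_dns(text):
    """Pull every CN=...,DC=... distinguished name out of free-form text,
    e.g. the raw output of `dscl ... -read /Groups/<group> member`."""
    return DN_RE.findall(text)


def members_sorted_by_family(dns):
    """"Given Family" strings sorted by family name, then given name: what
    the sed pipeline produces, without depending on greedy matching."""
    pairs = [given_family_from_dn(dn) for dn in dns]
    pairs.sort(key=lambda p: (p[1].casefold(), p[0].casefold()))
    return ['%s %s' % (given, family) for given, family in pairs]


# Constructed sample (not real directory data): three member DNs in the
# escaped form AD uses when the CN itself contains a comma.
SAMPLE_MEMBER_TEXT = """\
member:
 CN=Doe\\, Jane,OU=Theory,OU=Physics,DC=example,DC=org
 CN=Abel\\, Niels Henrik,OU=Theory,OU=Physics,DC=example,DC=org
 CN=M\\c3\\bcller\\, Anna,OU=Lab,OU=Chemistry,DC=example,DC=org
"""

if __name__ == '__main__':
    for line in members_sorted_by_family(extract_dns(SAMPLE_MEMBER_TEXT)):
        print(line)
```

Feed the real output of the dscl command into extract_dns instead of the sample text; the group's own distinguishedName line would also be picked up if it is present, so pass only the member values.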

Get e-mail addresses for a list of names

Assume we now have a list of users to each of which we want to send an e-mail. There is an attribute mail in each user record stored in our directory service, so let’s search for that. The family name of a user is stored in the sn attribute.

Unfortunately dscl doesn’t allow searches using wildcards or regular expressions, so we have to rely on another tool built for that, ldapsearch. Constructing a loop around the namelist (names in the form given name, family name) we may end up with

while IFS=, read -r given family; do	# read line by line, since family names may contain spaces
	family=${family# }	# drop the space after the comma in "given name, family name"
	ldapsearch -LLL -H ldap://dc0.cpfs.mpg.de -x -W -D "username@cpfs.mpg.de" \
	  -b "DC=cpfs,DC=mpg,DC=de" "(sn=*${family}*)" mail;
done < namelist.csv

(replace username with your own username), which returns a list of matching records. Note that you will be asked for a password to access our LDAP servers. Each returned record is of the form

dn: CN=Family Name\, GivenName,OU=Department,OU=ResearchArea,DC=cpfs,DC=mpg,DC=de
mail: GivenName.FamilyName@cpfs.mpg.de

separated by blank lines, together with comment lines (starting with #) from ldapsearch, which can easily be grepped away.

Get e-mail addresses for members of a specific group

Alternatively, the single LDAP query

ldapsearch \
  -LLL \
  -H ldap://dc0.cpfs.mpg.de \
  -x \
  -W \
  -D "username@cpfs.mpg.de" \
  -b "DC=cpfs,DC=mpg,DC=de" \
  "(&(objectCategory=Person)(memberOf=CN=CPFS-pq,OU=closed_lists,OU=LISTS,OU=EDV,DC=cpfs,DC=mpg,DC=de))" \
  displayName mail

will return the users of the group sought above, three lines each: distinguished name (always returned), display name and e-mail address.
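Both the per-name loop and the single group query above interpolate a value into the LDAP filter as-is; a family name containing "*", "(", ")" or "\" would change the filter's meaning. As an added example (not code from the original page), the following Python builds those filters with RFC 4515 escaping, combines a whole namelist into one filter so ldapsearch runs (and prompts for the password) only once, assembles the ldapsearch argv used on this page, and parses the LDIF that ldapsearch -LLL prints, including comment lines, folded continuation lines and base64 ("::") values. The host, bind DN and base DN defaults and the LDIF records are constructed placeholders.

```python
import base64

# RFC 4515 escapes for the characters that carry meaning inside a filter.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_filter_escape(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return ''.join(FILTER_ESCAPES.get(c, c) for c in value)


def sn_substring_filter(family_name):
    """The page's "(sn=*${name}*)", safe for names containing metacharacters."""
    return '(sn=*%s*)' % ldap_filter_escape(family_name)


def sn_any_filter(family_names):
    """One OR filter over several family names: a whole namelist in one
    ldapsearch run instead of one run (and one password prompt) per name."""
    parts = [sn_substring_filter(n) for n in family_names]
    return parts[0] if len(parts) == 1 else '(|%s)' % ''.join(parts)


def group_members_filter(group_dn):
    """Persons that are members of the group with this DN (the single-query form)."""
    return '(&(objectCategory=Person)(memberOf=%s))' % ldap_filter_escape(group_dn)


def ldapsearch_argv(filter_expr, attrs, host='ldap://dc.example.org',
                    bind_dn='user@example.org', base='DC=example,DC=org'):
    """argv for ldapsearch with the options used on this page. Handing a list
    to subprocess (no shell) means the filter needs no shell quoting.
    host, bind_dn and base are assumed placeholders."""
    return ['ldapsearch', '-LLL', '-H', host, '-x', '-W', '-D', bind_dn,
            '-b', base, filter_expr] + list(attrs)


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attribute: [values]}.
    Skips '#' comment lines, splits records at blank lines, unfolds
    continuation lines (leading space) and decodes base64 'attr:: ' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]         # folded line continues the previous one
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, sep, value = line.partition(':')
        if not sep:
            continue                     # not an "attr: value" line
        if value.startswith(':'):        # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def name_to_mail(records):
    """displayName (or dn, if displayName is absent) -> first mail value."""
    out = {}
    for rec in records:
        key = rec.get('displayName', rec.get('dn', ['?']))[0]
        if rec.get('mail'):
            out[key] = rec['mail'][0]
    return out


# Constructed sample of ldapsearch -LLL output (not real directory data).
SAMPLE_LDIF = """\
# comment line of the kind ldapsearch may print
dn: CN=Doe\\, Jane,OU=Theory,OU=Physics,DC=example,DC=org
displayName: Jane Doe
mail: Jane.Doe@example.org

dn: CN=Abel\\, Niels Henrik,OU=Theory,OU=Physics,
 DC=example,DC=org
displayName: Niels Henrik Abel
mail: Niels.Abel@example.org

dn: CN=M\\c3\\bcller\\, Anna,OU=Lab,OU=Chemistry,DC=example,DC=org
displayName:: QW5uYSBNw7xsbGVy
mail: Anna.Mueller@example.org
"""

if __name__ == '__main__':
    print(ldapsearch_argv(sn_any_filter(['Doe', 'Abel']), ['displayName', 'mail']))
    for name, mail in name_to_mail(parse_ldif(SAMPLE_LDIF)).items():
        print('%s <%s>' % (name, mail))
```

To use it against the real directory, run subprocess.run(ldapsearch_argv(...), capture_output=True, text=True) with the page's host, bind DN and base DN, and pass the captured stdout to parse_ldif.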