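#!/bin/bash
# Lists the members of an Active Directory group via LDAP (recursively).
#
# Every member of the given group is printed as "<CN>@DOMAIN", one per line.
# Members whose CN starts with "RO-" are treated as nested groups and are
# expanded recursively instead of being printed.
#
# Usage: getUserFromGroup <group-name>
#
# Last revised: 16 Nov 2010
# Heiko Barth
#
# The connection defaults below can be overridden through the environment
# (LDAP_USER, LDAP_PASS, LDAP_DC, DOMAIN_SUFFIX). Prefer setting LDAP_PASS
# over keeping a bind password in this file.

set -u
set -o pipefail

ldapUser=${LDAP_USER:-'cn=foo,ou=bar,ou=barfoo,dc=dom,dc=local'}
ldapPass=${LDAP_PASS:-'123456'}   # default carried over from the original script
domainSuffix=${DOMAIN_SUFFIX:-'@DOM.LOCAL'}
dc=${LDAP_DC:-'10.0.0.1'}        # domain controller, queried on the global-catalog port 3268

####################################################################################################

# Groups already expanded, newline-separated. Guards against nested-group
# cycles (A contains B contains A), which would otherwise recurse forever.
visitedGroups=''

# Temp file holding the bind password, handed to ldapsearch with -y so the
# password is not on the command line (where -w exposes it to `ps`).
passFile=''

#######################################
# Print the usage line to stderr and exit.
#######################################
usage() {
  echo "Syntax: getUserFromGroup <group-name>" >&2
  exit 1
}

#######################################
# Remove the temporary password file; installed as EXIT trap.
# Globals:   passFile (read)
#######################################
cleanup() {
  [ -n "$passFile" ] && rm -f -- "$passFile"
}

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# group name taken from the command line cannot change the filter structure.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, no trailing newline
#######################################
ldapFilterEscape() {
  # Backslash must be replaced first so the escapes added below survive.
  printf '%s' "$1" \
    | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

#######################################
# Join LDIF continuation lines (a leading space continues the previous
# line) so long DNs arrive as a single "member: ..." line.
# Outputs:   unfolded LDIF on stdout
#######################################
unfoldLDIF() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (NR > 1) print buf; buf = $0 }
    END { if (NR > 0) print buf }
  '
}

#######################################
# Run one ldapsearch against the domain controller and print the unfolded
# LDIF result. The search filter and attribute list are passed through.
# Globals:   dc, ldapUser, passFile (read)
# Arguments: ldapsearch filter and attribute list
# Outputs:   LDIF on stdout
# Returns:   non-zero if ldapsearch fails (pipefail is set)
#######################################
ldapQuery() {
  # Simple bind over plain ldap:// sends the password unencrypted; the
  # original script used the same transport, so it is kept as the default.
  ldapsearch -LLL -x -H "ldap://$dc:3268" -D "$ldapUser" -y "$passFile" "$@" \
    | unfoldLDIF
}

#######################################
# Print the users of one group, expanding nested "RO-" groups recursively.
# Globals:   visitedGroups (read/written), domainSuffix (read)
# Arguments: $1 - group name (raw, unescaped)
# Outputs:   one "<CN>@DOMAIN" line per user member on stdout
#######################################
getLDAPuser() {
  local group=$1
  local raw line dn cn

  # Skip groups that were already expanded (cycle / diamond protection).
  case $'\n'"$visitedGroups"$'\n' in
    *$'\n'"$group"$'\n'*) return 0 ;;
  esac
  visitedGroups+=$'\n'"$group"

  raw=$(ldapQuery "(&(objectClass=group)(name=$(ldapFilterEscape "$group")))" member) || {
    echo "Could not retrieve users via LDAP. Please investigate." >&2
    exit 1
  }

  # NOTE: groups with more than the server's page size of members come back
  # as "member;range=0-1499:" and are not handled here (same as before).
  while IFS= read -r line; do
    case "$line" in
      'member:: '*)
        # Non-ASCII DNs are base64-encoded in LDIF.
        dn=$(printf '%s' "${line#member:: }" | base64 -d)
        ;;
      'member: '*)
        dn=${line#member: }
        ;;
      *)
        continue
        ;;
    esac
    # First RDN value, e.g. "CN=Foo Bar,OU=..." -> "Foo Bar". An escaped
    # comma inside the CN ("\,") is cut here, as in the original awk split.
    cn=${dn%%,*}
    cn=${cn#*=}
    [ -n "$cn" ] || continue
    if [[ "$cn" =~ ^RO- ]]; then
      getLDAPuser "$cn"
    else
      printf '%s\n' "$cn$domainSuffix"
    fi
  done <<<"$raw"
}

#######################################
# Entry point: validate arguments, stage the bind password, run the query.
# Arguments: $1 - group name
#######################################
main() {
  [ $# -eq 1 ] || usage
  trap cleanup EXIT
  passFile=$(mktemp) || {
    echo "Could not create temporary password file." >&2
    exit 1
  }
  # No trailing newline: ldapsearch -y uses the file contents verbatim.
  printf '%s' "$ldapPass" >"$passFile"
  getLDAPuser "$1"
}

main "$@"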