hi, so this is a working version of the script (tested on my test ipa environment). You save it as executable and run it as: $./script ipausername and you will get the groupnames separated by an empty space a user is member of. modify the obvious bits, like kdc.domain.tld, user and password, and base. You also need the perl-LDAP rpm package. The user that binds to the ldap server needs privileges (do not know exactly which ones, but as a normal user I cannot see the group memberships). I have run it as admin and it works. Probably overkill, if the user you use is member of the role 'user administrators' it should work as well. Not tested. #!/usr/bin/perl use strict; use warnings; use Net::LDAP; # Script requires user UID as the only parameter if ( $ARGV[0] eq '' ) { print "<a href="http://ldap-query.pl">ldap-query.pl</a> requires one argument, user's uid\n"; exit 1; } my $user = $ARGV[0]; # Create communication structure for LDAP connection my $ldap = Net::LDAP->new( 'kdc.domain.tld' ) or die "$@"; # Bind to LDAP with proper user my $msg = $ldap->bind( "uid=admin,cn=users,cn=accounts,dc=domain,dc=tld", password => "pwd", ); # search objects filtering in uid, get memberOf attribute only $msg = $ldap->search( base => "cn=users,cn=accounts,dc=domain,dc=tld", scope => "sub", filter => "(uid=$user)", attr => ['memberOf'], ); # get the group membership of $user and print it in a line for my $entry ( $msg->entries ) { my @memberof = $entry->get_value( 'memberOf') ; # the memberof attr is a full dn but we only want the cn, so we # use the map function to strip everything else @memberof = map { s/^cn=(.*),cn=groups.*/$1/g; $_ } @memberof; # admin users or users with delegated privileges are members of groups # names containing spaces, we skip those. If this is not what you want, # you need to adapt the for loop for ( @memberof ) { next if /(replication |add |host|uniqueid|unlock |manage |trust )/ ; print "$_" . " " ; } print "\n"; } have fun! -- groet, natxo