There may be many answers. One possible answer is to build the base DN using the principal and query the directory server using the base scope, the filter '(&)', and request the isMemberOf attribute. For example, on my test system, using the modern ldapsearch command-line tool and the user.0 entry:
    ldapsearch --hostname localhost --port 1389 \
      --bindDN 'cn=directory manager' --baseDN \
      'uid=user.0,ou=people,dc=example,dc=com' \
      --searchScope base '(&)' isMemberOf
    Password for user 'cn=directory manager':
    dn: uid=user.0,ou=people,dc=example,dc=com
    isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
    isMemberOf: cn=persons,ou=groups,dc=example,dc=com
This method requires knowledge of the namingContext, in this case dc=example,dc=com, and of where users are in the tree. Another, similar method, for when the user's location is unknown, is to first search for the user and then use the distinguished name from the search results to perform the above query. If the namingContext is not known, it may be possible to detect it from the root DSE. To retrieve the namingContext from the root DSE, see.
There are several widely used directory servers that do not correctly support the LDAP standard and will reject the '(&)' filter; if your directory server is one of them, just replace it with the presence filter '(objectClass=*)'. There are many LDAP SDKs for Java; I prefer the UnboundID one.
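The procedure above (root DSE lookup, locating the user, then a base-scope read of isMemberOf with the '(objectClass=*)' fallback) as an added example using the UnboundID LDAP SDK; this is not code from the original answer, and the host, port, bind DN, and the assumption that the first namingContext holds the user entries are made up for illustration:

```java
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

public class IsMemberOfLookup {
    // Step 1: read namingContexts from the root DSE when the suffix is not known up front.
    static String detectNamingContext(LDAPConnection conn) throws LDAPException {
        RootDSE rootDSE = conn.getRootDSE();
        String[] contexts = rootDSE.getNamingContextDNs();
        if (contexts == null || contexts.length == 0) {
            throw new LDAPException(ResultCode.NO_SUCH_OBJECT, "root DSE exposes no namingContexts");
        }
        return contexts[0]; // assumption: the first suffix is the one holding user entries
    }
    // Step 2: locate the user by uid; "1.1" asks for no attributes, we only want the DN.
    static String findUserDN(LDAPConnection conn, String base, String uid) throws LDAPException {
        SearchResult res = conn.search(base, SearchScope.SUB, Filter.createEqualityFilter("uid", uid), "1.1");
        if (res.getEntryCount() != 1) {
            throw new LDAPException(ResultCode.NO_RESULTS_RETURNED, "expected exactly one entry for uid=" + uid);
        }
        return res.getSearchEntries().get(0).getDN();
    }
    // Step 3: base-scope read of isMemberOf with the '(&)' filter; servers that reject
    // the empty AND filter get the equivalent presence filter '(objectClass=*)' instead.
    static String[] groupsOf(LDAPConnection conn, String userDN) throws LDAPException {
        SearchResult res;
        try {
            res = conn.search(userDN, SearchScope.BASE, Filter.createANDFilter(), "isMemberOf");
        } catch (LDAPException e) {
            res = conn.search(userDN, SearchScope.BASE, Filter.createPresenceFilter("objectClass"), "isMemberOf");
        }
        SearchResultEntry entry = res.getSearchEntries().get(0);
        String[] groups = entry.getAttributeValues("isMemberOf");
        return groups == null ? new String[0] : groups; // attribute is absent when the user is in no group
    }
    public static void main(String[] args) throws LDAPException {
        // constructed connection details; the bind password is taken from the first argument
        LDAPConnection conn = new LDAPConnection("localhost", 1389, "cn=directory manager", args[0]);
        try {
            String userDN = findUserDN(conn, detectNamingContext(conn), "user.0");
            for (String group : groupsOf(conn, userDN)) System.out.println(group);
        } finally {
            conn.close();
        }
    }
}
```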