
I need to implement nested group membership for generic AD services. Previously, I was using a specific search filter ("member:1.2.840.113556.1.4.1941:=") through which, using a single search request, I was able to get hold of all the group memberships that user was part of. However, it looks like that search filter works only for MS AD servers and not for generic AD servers.

So, is anybody aware of any specific search filter which we can send in a search request (applicable to all AD servers), through which I can derive nested group membership via a single search query?

Thanks in advance for your help on this.

puzzled confused

1 Answer


"member:1.2.840.113556.1.4.1941" is LDAP_MATCHING_RULE_IN_CHAIN and might very well not be implemented by other LDAP vendors. LDAP Wiki

Edit:

You could do something like this if you want to recurse the groups:

Use the filter:

    (&(objectCategory=organizationalPerson)(objectClass=User)(sAMAccountName=YOURUSER))

    get "distinguishedName"  (this is the user's distinguishedName)
    get "memberOf"  (this is a collection of distinguishedNames of the groups the user is a member of (minus the primary group in MS Active Directory, which should be "Domain Users"))

    Foreach memberOf in the collection: (This is the first level, so there is no need to check if he is there, because he is.)

    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

    This is the second level (the groups within the groups), so first check if the user's distinguishedName is present.
    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

    This is the third level (the groups within the groups), so first check if the user's distinguishedName is present.
    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

etc.
Daro
  • Thanks Daro, so any ideas on what could be the generic way of doing this? That is, do I keep recursively looking for the memberOf attribute to return NULL and keep extracting group information one by one? Any inputs on what search filter I can use? – puzzled confused Dec 06 '12 at 08:38
  • What is your goal? Does it have to be an LDAP query, or are you only interested in group memberships, and if so, which scope (universal, global, domain local, local, cross domain)? – Daro Dec 06 '12 at 12:15
  • My goal is to get user nested-group membership up to specified levels [(say 5 nested levels), scope = subtree, base-dn], using LDAP. – puzzled confused Dec 09 '12 at 16:56
  • I edited my answer with a possible solution based on your goal. – Daro Dec 11 '12 at 08:01
  • Thanks Daro for the answer. One small doubt: why do I have to check whether the user's distinguished name is present from the second level onwards? – puzzled confused Dec 12 '12 at 09:14
  • Thanks Daro, is there a way I can include in one single LDAP query to retrieve entries matching the memberOf for groups A, B, C rather than sending three separate LDAP queries to match each group's memberOf attribute? – puzzled confused Dec 12 '12 at 10:39
  • Only the first DN is of the user. The rest are of the group members (users, groups, computers, contacts, etc.). That's why you need to check if the user's DN is in there, and your next query uses "objectCategory=group" as a filter. - I don't believe it is possible to do nested LDAP queries, but you could check with your LDAP vendor. If you have a MS DC somewhere, query it for LDAP_MATCHING_RULE_IN_CHAIN. – Daro Dec 12 '12 at 11:23
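A runnable sketch of the level-by-level walk discussed in the answer and its comments, added here as an example and not code from the answer. It climbs through each group's memberOf attribute (the direction in which effective membership is inherited), fetches all groups of one level with a single OR'ed filter as asked in the comments, stops at a configurable depth, and tolerates group cycles; the directory contents, DNs and the search_groups stand-in are constructed for the example.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (keys are DNs).
# Only objectCategory and memberOf are modelled; Staff -> Dev forms a deliberate cycle.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {"objectCategory": "person",
        "memberOf": ["CN=Dev,OU=Groups,DC=example,DC=com"]},
    "CN=Dev,OU=Groups,DC=example,DC=com": {"objectCategory": "group",
        "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com",
                     "CN=VPN (Users),OU=Groups,DC=example,DC=com"]},
    "CN=Engineering,OU=Groups,DC=example,DC=com": {"objectCategory": "group",
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "CN=VPN (Users),OU=Groups,DC=example,DC=com": {"objectCategory": "group",
        "memberOf": []},
    "CN=Staff,OU=Groups,DC=example,DC=com": {"objectCategory": "group",
        "memberOf": ["CN=Dev,OU=Groups,DC=example,DC=com"]},
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515). A DN containing
    '(', ')', '*' or '\\' would otherwise change the structure of the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def level_filter(group_dns):
    """Build ONE filter fetching every group of the current level via an OR clause:
    (&(objectCategory=group)(|(distinguishedName=A)(distinguishedName=B)...))"""
    clauses = "".join("(distinguishedName=%s)" % escape_filter_value(d) for d in group_dns)
    return "(&(objectCategory=group)(|%s))" % clauses

def search_groups(group_dns):
    """Stand-in for sending level_filter(group_dns) to the server: returns the
    group entries that match, keyed by DN."""
    return {d: DIRECTORY[d] for d in group_dns
            if d in DIRECTORY and DIRECTORY[d]["objectCategory"] == "group"}

def nested_groups(user_dn, max_depth=5):
    """Return {group DN: nesting depth} for every group the user belongs to directly
    or through nesting, one search per level, stopping after max_depth levels.
    The 'found' dict doubles as the visited set that breaks group cycles."""
    found = {}
    frontier = list(DIRECTORY[user_dn]["memberOf"])   # level 1: the user's own memberOf
    depth = 1
    while frontier and depth <= max_depth:
        new = [d for d in frontier if d not in found]  # skip groups seen at a shallower level
        for d in new:
            found[d] = depth
        entries = search_groups(new)                    # would be: conn.search(level_filter(new))
        frontier = [p for e in entries.values() for p in e["memberOf"]]
        depth += 1
    return found
```

Any DN pasted into a filter must be escaped as escape_filter_value does, because a group such as "VPN (Users)" would otherwise break or alter the filter; the depth limit and visited set are what keep the walk finite on directories with circular nesting.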