I am trying to allow the users from nested groups in Active Directory to log in to my Spring Boot/Spring Security based application. I have figured out how to provide the search query through the spring-security configuration, but I am having trouble with the search query itself.

Here is the search query that is currently working as expected:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))

This is working as expected, as user1 belongs to parent_group1 or one of its subgroups. But I have more than one parent_group, all with a constant prefix. So I am trying to provide a wildcard in that query as CN=parent_group*, but it's not working.

I have seen a variation here where each parent_group can be added with an OR like this:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
   (|(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group2,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group3,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)))

And this works too. But the problem with this is that every time a new parent group is added, this needs to be updated. I have gone through the link specified in the answer to the above question, but nothing from there works.

Ideally, I was hoping something like this would work (wildcard pattern for parent_group):

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))

But it's not working. It doesn't return any results. Can someone help me if there is a better way of doing this?

Also, is it possible not to mention the entire hierarchy like this? CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local

I have been researching this for a couple of days now and have gone through most of the articles available online or on SO, but nothing with a wildcard pattern in the chain query works so far.

marc_s
ayip

1 Answer

It is not possible to do what you describe. You'd be well served by having one parent group which all your "other" parent groups are nested in. Anytime a new parent group is created, you would nest it in your master group so that it's granted access. This is a pretty common model.

Brian Desmond

  • Thanks for the response. I now have a sub_group added under parent_group1 and a new user added to the sub_group. The above search query still fetches the user added to the sub_group, but since the CN value doesn't contain parent_group1 in it, the library I am using is not able to properly authorize the user. Any idea how to set the CN value to be `CN=sub_group,CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local` instead of `CN=sub_group,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local`? – ayip Aug 17 '18 at 14:22
  • Is there any way to pull all the groups in the hierarchy that a user belongs to? – ayip Aug 17 '18 at 16:40
  • This will pull all the groups a user is in: `(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=User1,CN=Users,DC=Company-Domain,DC=local))`. There's no way to have AD somehow transform the output to match what you want, though. – Brian Desmond Aug 18 '18 at 18:33
  • Thanks a lot, I did end up using the above command as I had to extend the functionality of my library to support nested groups anyway. – ayip Aug 21 '18 at 15:48
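Why the wildcard fails, and what the comment thread's approach looks like in code, as an added example that is not code from the question, the answer, or Spring Security: memberOf and member are DN-syntax attributes, Active Directory does not evaluate substring (wildcard) filters against DN-syntax attributes, and the 1.2.840.113556.1.4.1941 rule takes exactly one complete DN, so CN=parent_group* is compared literally and matches nothing. The script below builds the two filters from this page with RFC 4515 escaping (a userPrincipalName or DN interpolated unescaped into a filter is an LDAP-injection sink; Spring Security's `{0}` placeholders escape for you, hand-built filters do not), then does client-side what AD cannot: it runs the prefix match over the group DNs returned by the comment's `member:1.2.840.113556.1.4.1941` query, and also checks the parent container so a similarly named group created elsewhere in the forest does not grant access. The sample group DNs, the container, the prefix and the function names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# AD's transitive-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN),
# the OID used in the question and in the comment.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: only these characters are special inside a filter assertion value.
# A backslash that is already part of an RFC 4514 DN (e.g. "CN=Smith\, John")
# must itself be escaped as \5c when that DN is placed inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_in_group_filter(upn: str, group_dn: str) -> str:
    """The working filter from the question, with the user input escaped.

    The chain rule needs one complete DN; a wildcard in the CN is not a
    wildcard here because AD does no substring matching on DN-syntax values.
    """
    return (
        "(&(objectCategory=Person)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def groups_of_user_filter(user_dn: str) -> str:
    """The filter from the comment: every group the user is in, directly or nested."""
    return (
        "(&(objectCategory=group)"
        f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))"
    )


# First RDN of a DN: "CN=" followed by a value whose commas and backslashes are
# escaped per RFC 4514, then optionally "," and the parent container.
_DN_RE = re.compile(r"^CN=((?:\\.|[^,\\])*)(?:,(.*))?$", re.IGNORECASE | re.DOTALL)


def _unescape_rdn(raw: str) -> str:
    # RFC 4514 escapes: "\XX" hex pair, or "\c" for a single special character.
    return re.sub(
        r"\\([0-9A-Fa-f]{2}|.)",
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        raw,
    )


def split_group_dn(dn: str) -> Optional[Tuple[str, str]]:
    """Return (cn, parent_container_dn) for a group DN, or None if it has no CN RDN."""
    m = _DN_RE.match(dn)
    if not m:
        return None
    return _unescape_rdn(m.group(1)), (m.group(2) or "")


def matching_parent_groups(group_dns: List[str], prefix: str, container_dn: str) -> List[str]:
    """Client-side replacement for the wildcard AD cannot evaluate.

    Feed it the DNs returned by groups_of_user_filter(). It keeps the groups
    whose CN starts with `prefix` AND that sit directly in `container_dn`.
    Comparisons are case-insensitive, as AD's own matching is.
    """
    hits = []
    for dn in group_dns:
        parts = split_group_dn(dn)
        if parts is None:
            continue
        cn, parent = parts
        if cn.lower().startswith(prefix.lower()) and parent.lower() == container_dn.lower():
            hits.append(cn)
    return hits


# Constructed sample data standing in for a real search result; not from the page.
GROUP_CONTAINER = "OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local"
SAMPLE_GROUP_DNS = [
    "CN=parent_group1," + GROUP_CONTAINER,  # the group the user is nested under
    "CN=sub_group," + GROUP_CONTAINER,      # the direct membership from the comment
    "CN=Parent_Group7," + GROUP_CONTAINER,  # differently cased, still a hit
    "CN=parent_group9,OU=Elsewhere,DC=Company-Domain,DC=local",  # right name, wrong place
    "CN=Domain Users,CN=Users,DC=Company-Domain,DC=local",
]

if __name__ == "__main__":
    print(user_in_group_filter("user1@domain.local", "CN=parent_group1," + GROUP_CONTAINER))
    print(groups_of_user_filter("CN=User1,CN=Users,DC=Company-Domain,DC=local"))
    print(matching_parent_groups(SAMPLE_GROUP_DNS, "parent_group", GROUP_CONTAINER))
```

Run against a real directory, the second filter is issued as a subtree search and the returned `distinguishedName` values are passed to `matching_parent_groups`; sub_group itself is not a hit, which is fine, because the transitive query already returned parent_group1 for that user. Escaping the UPN is what turns `*)(objectClass=*` into the harmless literal `\2a\29\28objectClass=\2a` instead of a filter that matches every object.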