
We have an LDAP login problem with a specific user and I suspect that this is due to cyclic group assignment in LDAP, i.e. the user is assigned to groups A, B, C, D. Group A contains sub-groups E, F, G and group E contains group A again.

If I query for the user I can see that he has been assigned 50+ groups, and each group may contain more groups, and each of those may contain more....

My question is whether there is a query I can run to get the nested groups inside those main groups all the way down, instead of going through each group and doing it manually?

The server is AD.

[image: screenshot of the asker's search, uploaded later (see the comments on the answer)]

  • I have just started using LDAP and Active Directory - here is a post that I think might help. [link](http://forum.springsource.org/showthread.php?114909-Find-all-sub-groups-of-all-depths-of-a-given-group-in-LDAP-using-LdapTemplate) – AxGryndr Aug 31 '12 at 19:25
  • Thanks. For some reason the expression doesn't compile: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0})) If I replace {0} with the user's distinguishedName I am getting "missing colon".... – Joly Aug 31 '12 at 19:38
  • The Microsoft MSDN page has this tidbit: "Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter. (member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x))". I don't know if this would show that the user is part of group A twice because of a nesting issue. – AxGryndr Aug 31 '12 at 19:47
  • I am actually using Apache Directory Studio to query AD... – Joly Aug 31 '12 at 19:51

1 Answer


To find all the groups that "user1" is a member of (adapted from this answer; see AD search filter):

  • Set the base to the groups container DN; for example the root DN (dc=dom,dc=fr)
  • Set the scope to subtree
  • Use the following filter: (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

Example with LDIFDE.EXE (native command-line AD search on Windows):

ldifde -f t.txt -d "DC=dom,DC=fr" -r "(member:1.2.840.113556.1.4.1941:=CN=jblanc,OU=MonOu,DC=dom,DC=fr)"

Remark: as far as I remember there is a small syntax difference with the user DN name in brackets. '1.2.840.113556.1.4.1941' does not work in W2K3 SP1; it begins to work with SP2. I presume it's the same with W2K3 R2. I tested here with W2K8R2.

With Apache Directory Studio: [image: Apache LDAP recursive query in AD]

Result: [image: Apache LDAP recursive query result in AD]

  • Thanks. If I set the base search to: DC=comp1,DC=ad,DC=comp,DC=com and the search filter to: member:1.2.840.113556.1.4.1941:=CN=lastName, firstName,OU=Users,OU=SUN,OU=rEU,OU=Client,DC=comp1,DC=ad,DC=comp,DC=com) then I get no results. I selected subtree and I know this user has groups assigned. Any idea...? – Joly Sep 03 '12 at 10:39
  • Have you really got a comma between lastName and firstName? If so, just try `...CN=lastName\\, firstName,OU=Users...` – JPBlanc Sep 03 '12 at 19:10
  • Changed to \\, but still not getting results unfortunately :( Anything else I might be doing wrong....? – Joly Sep 04 '12 at 08:44
  • Can you give your full filter ? and the exact DN of your user. – JPBlanc Sep 04 '12 at 12:31
  • Uploaded an image, see above. For data protection I have renamed the organisation name with ab and ab1 and the person's name with firstName lastName – Joly Sep 04 '12 at 16:14
  • Strange now I am getting results back but only 14 where this user has 50+ groups not including the nested ones. – Joly Sep 04 '12 at 16:22
  • What kind of groups (security, distribution) from which domain? – JPBlanc Sep 04 '12 at 17:11
  • All groups are from the same domain: DC=ab1,DC=ad,DC=ab,DC=com. The groups seem to be security groups (a mix of Global security groups, Domain local security groups and Universal security groups). – Joly Sep 04 '12 at 21:20
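The two things that went wrong in the thread above are the shape of the filter (the OID rule `1.2.840.113556.1.4.1941`, LDAP_MATCHING_RULE_IN_CHAIN, walks the `member` chain server-side) and the escaping of a comma inside the user's CN. The following Python is an added example, not code from the question or the answer, and it runs offline: it builds the in-chain filter with RFC 4514 DN escaping and RFC 4515 filter escaping, and it reproduces the server-side transitive walk over a small constructed membership graph that includes the A -> E -> A cycle from the question, so you can see that a visited set is what keeps the expansion finite. The group and user DNs are constructed sample data, and the function names are my own.

```python
# Added example (not from the original post). Builds the AD "in chain" filter
# for a user DN and expands nested group membership over a constructed graph.
from typing import Dict, Iterable, Set

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of one attribute value inside a DN.

    A comma in a CN (the 'lastName, firstName' case from the comments) must be
    written as '\\,' so the DN parser does not split the RDN there.
    """
    special = ',+"\\<>;'
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ("#", " ")
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in special or leading or trailing else ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value inside a search filter.

    Backslashes, parentheses, '*' and NUL become \\XX hex escapes, so a DN that
    already contains '\\,' arrives at the server as '\\5c,'.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def in_chain_filter(user_dn: str, groups_only: bool = True) -> str:
    """Filter matching every group whose member chain (transitively) contains user_dn."""
    clause = "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))
    return "(&(objectClass=group)%s)" % clause if groups_only else clause


def invert_members(member_attr: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Turn {group_dn: members} into {member_dn: groups that list it}."""
    parents: Dict[str, Set[str]] = {}
    for group_dn, members in member_attr.items():
        for m in members:
            parents.setdefault(m, set()).add(group_dn)
    return parents


def transitive_groups(user_dn: str, member_attr: Dict[str, Iterable[str]]) -> Set[str]:
    """What the in-chain rule computes server-side: all groups reachable by
    following 'member' links upward. The 'seen' set makes cycles harmless."""
    parents = invert_members(member_attr)
    seen: Set[str] = set()
    stack = [user_dn]
    while stack:
        dn = stack.pop()
        for group_dn in parents.get(dn, ()):
            if group_dn not in seen:  # cycle guard: A -> E -> A stops here
                seen.add(group_dn)
                stack.append(group_dn)
    return seen


# Constructed sample directory (not real data): user in A, B, C, D;
# A contains sub-groups E, F, G; E contains A again (the cycle from the question).
BASE = "OU=groups,DC=ab1,DC=ad,DC=ab,DC=com"
USER_DN = "CN=%s,OU=Users,DC=ab1,DC=ad,DC=ab,DC=com" % escape_dn_value("lastName, firstName")
GROUP = {name: "CN=%s,%s" % (name, BASE) for name in "ABCDEFG"}
SAMPLE_MEMBER_ATTR = {
    GROUP["A"]: {USER_DN, GROUP["E"], GROUP["F"], GROUP["G"]},
    GROUP["B"]: {USER_DN},
    GROUP["C"]: {USER_DN},
    GROUP["D"]: {USER_DN},
    GROUP["E"]: {GROUP["A"]},
    GROUP["F"]: set(),
    GROUP["G"]: set(),
}


def sample_result() -> Set[str]:
    """Expected: A, B, C, D and E (A is a member of E). F and G are children of A,
    not parents, so the user is not transitively in them."""
    return transitive_groups(USER_DN, SAMPLE_MEMBER_ATTR)


if __name__ == "__main__":
    print("filter:", in_chain_filter(USER_DN))
    for g in sorted(sample_result()):
        print("member of:", g)
```

The printed filter is what goes into the Apache Directory Studio filter box (with the search base set to the domain root and scope to subtree). Note that the escaped user DN is passed as a plain string value, without the surrounding parentheses shown in the MSDN quote, which matches the answer's working `ldifde` example. If you get a result count well below the expected one, compare the output of the transitive walk against what the server returns: a gap usually means the DN in the filter is not an exact match for the user's `distinguishedName`.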