2

I need information regarding LDAP search filter to extract nested group membership. Basically, my idea is, say for instance, a user belongs to 5 groups [A, B, C, D, E]. Can I write a single LDAP search query to get the member groups to which groups [A, B, C, D, E] may be a part of? And I can use this logic recursively to retrieve all group information till the complete root of the AD?

And I need this solution to be for generic AD, so I cannot use LDAP_RULE_IN_CHAIN filter which works only for MS AD.

ROMANIA_engineer
puzzled confused
  • I can think of very few situations where this wouldn't chain into returning the entire directory. Search user, get group, get all users, get more groups, get more users, get more groups. Eventually hit an admin and get all users. Do you plan to limit this recursion? – Dec 07 '12 at 07:28
  • Basically, I am not interested in getting users. All I am interested in is extracting nested-group information for which a user is part of. So, if user X is part of groups [A, B, C] and group A is part of group D and group D is part of E, then all I'm interested in is extracting user-groups [A, B, C, D, E]. – puzzled confused Dec 07 '12 at 10:35
  • Hi, if I plan to limit this recursion, i.e. if I now need to limit only a certain set of users based on, say, nested level depth. That is, now I want to extract all user groups for a user up to a specified nested depth, say '3' or '4'. Is there a way I can do that using LDAP_RULE_IN_CHAIN? It is currently fetching too many user-groups and affecting box performance. – puzzled confused Oct 03 '13 at 14:54
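As an added example (not from the question or either answer), the generic approach the question describes: one OR'ed `(member=...)` search per nesting level, a visited set so cyclic group nesting terminates, and the depth limit asked for in the later comment. It only assumes the server stores forward membership in a `member` attribute; the in-memory directory and `fake_search` are constructed stand-ins for a real search call.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value, so a DN containing '(' or '*' cannot break the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_member_filter(dns: Iterable[str], member_attr: str = "member") -> str:
    """One filter matching every group whose member attribute lists ANY of the given DNs."""
    clauses = [f"({member_attr}={escape_filter_value(dn)})" for dn in dns]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"

def nested_groups(user_dn: str, search: Callable[[str], List[str]],
                  max_depth: Optional[int] = None) -> Set[str]:
    """Breadth-first expansion: one search per nesting level, a visited set to stop
    cycles, and an optional depth limit (the '3 or 4 levels' from the comments)."""
    found: Set[str] = set()
    frontier = [user_dn]
    depth = 0
    while frontier and (max_depth is None or depth < max_depth):
        parents = search(build_member_filter(frontier))
        frontier = sorted(set(parents) - found)  # only groups not seen before get expanded
        found.update(frontier)
        depth += 1
    return found

# Constructed in-memory directory standing in for a real server: group DN -> member DNs.
# user -> A, B, C; A -> D; D and E contain each other, so the visited set matters.
USER = "cn=jsmith,ou=people,dc=example,dc=net"
def G(name: str) -> str:
    return f"cn={name},ou=groups,dc=example,dc=net"
GROUPS: Dict[str, Set[str]] = {
    G("A"): {USER}, G("B"): {USER}, G("C"): {USER},
    G("D"): {G("A"), G("E")},
    G("E"): {G("D")},
}

def fake_search(ldap_filter: str) -> List[str]:
    """Minimal stand-in for a subtree search: honours only (member=...) clauses, hex-unescaping values."""
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    wanted = {unescape(v) for v in re.findall(r"\(member=([^)]*)\)", ldap_filter)}
    return [dn for dn, members in GROUPS.items() if members & wanted]

if __name__ == "__main__":
    print(build_member_filter([G("A"), G("B")]))
    print(sorted(nested_groups(USER, fake_search)))               # A, B, C, D, E
    print(sorted(nested_groups(USER, fake_search, max_depth=2)))  # A, B, C, D
```

Against a real server, `search` would run the returned filter with the groups container as base and subtree scope and return the matching entries' DNs; each level costs one round trip, and the visited set is what keeps a cyclic or very wide hierarchy from turning into the whole-directory walk the first comment warns about.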

2 Answers

4

Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries -- nothing more. The implementation of group support including how data structures like nested and dynamic groups are handled, queried, verified, etc. is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversing (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are automatically done for the LDAP client. For instance, SDS provides operational attributes like ibm-allgroups and ibm-allmembers to help LDAP clients to pull group and membership information in nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server software, but that depends on how sophisticated you want to get with group support in your application.

Bora
  • Unfortunately the LDAP protocol doesn't have functionality similar to an SQL join. Maybe in a far-future LDAP definition it will be implemented, but I don't believe this time will be shorter than 50 years. – Znik Apr 25 '18 at 13:09
1

All Groups a User is a member of including Nested groups

As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the extensible match rule.

-jim

jwilleke
  • Hi Jim, I cannot use this as the filter you mentioned seems to work only for MS AD and not for generic AD servers. My implementation needs to be done for a generic LDAP server. – puzzled confused Dec 09 '12 at 18:20
  • Yes, it will only work for Microsoft AD servers. This is done from an extensible matching rule that would need to be available on the server. Microsoft has implemented the matching rule. Other LDAP server implementations could do the same. I show some details on this here: http://ldapwiki.willeke.com/wiki/1.2.840.113556.1.4.1941 – jwilleke Dec 11 '12 at 09:03