
I am using Unboundid LDAP SDK for java to connect to AD & perform operations on AD.

I have nested assignments of group under group.

For example:

Group-1 has member Group-2.

Group-2 has member Group-3.

Now it is possible that Group-3 has member Group-1. This will lead to an infinite loop due to the circular reference.

Also, I have n levels of depth in AD for nested members, so I am not sure how I can detect a circular reference while making a group a member of another group.

I did some research on Google in order to find a solution, and came across this:

clientLoop (96) The clientLoop result code indicates that the client has detected some kind of loop while processing results from the server. It usually applies when the client is trying to follow a referral (or a search result reference) and encounters a referral URL that it has already tried to follow.

Loop_DETECT (54) The result code (54) that will be used if the server detects a chaining or alias loop.

Reference: https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/ResultCode.html#LOOP_DETECT

So it means it is possible and there is a way within Unboundid ldap sdk to detect circular references. But I am not able to find an example code or solution to this yet.

How do I detect and prevent circular references in such cases using Unboundid LDAP SDK for java?

Note: This is NOT a duplicate of existing related questions because I seek an answer/solution in the context of the Unboundid ldap sdk only. Not in some PowerShell script. Other similar questions have no answer yet related to the Unboundid ldap sdk.

jarvo69
  • How? If I search for `Group 1` and get all its members, I get `Group-2`. And within it I need to find `Group-2` members and I'll get `Group-3`. Now again `Group-3` will have member `Group-1`. Again the cycle continues between these 3 groups. Isn't it possible? – jarvo69 Mar 20 '20 at 08:15
  • It doesn't have anything to do with the UnboundID SDK specifically. It is just an algorithm question. – user207421 Mar 20 '20 at 08:55
  • The reference link I gave, and the "Loop_DETECT" thing I mentioned in my question, are specific to the Unboundid sdk. If this enum is provided by Unboundid then there must be some way or some method by which the unboundid sdk gets to know about the circular reference thing. – jarvo69 Mar 20 '20 at 09:45

1 Answer


You may want to try the Active Directory-specific solution of using the function LDAP_MATCHING_RULE_IN_CHAIN, which avoids this altogether, if that suits your needs; see e.g.:

Is it safe to use 1.2.840.113556.1.4.1941 implementation in case of cyclic dependencies?

See for a complete example e.g.:

https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html

This also avoids making several calls to Active Directory, which might be a performance benefit (also make sure to use cached connections which are not the default for an SSL/TLS connection).

If you also need to take other domains in a forest into account, you may want to connect to the Global Catalog (plaintext over port 3268 or SSL/TLS over 3269).

The long magic number is an OID from Microsoft (part of: https://ldapwiki.com/wiki/1.2.840.113556 ) which is the portable numeric representation of the function name: LDAP_MATCHING_RULE_IN_CHAIN. This function name may not be known to your software, but the OID is what is really transferred over the wire to LDAP/Active Directory.

JohannesB
  • Thanks for the response. I am trying the answer given in the link: https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html So far this works in AD as a query. But I need to see if it works in the UnboundID LDAP SDK, which is my requirement as I mentioned in the question. Hopefully it will work – jarvo69 Mar 25 '20 at 09:06
  • Can you please explain what value is this: `memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup1` I understand the part that starts from CN but I fail to understand what is 1.2.840 ... – jarvo69 Mar 25 '20 at 09:08
  • See the latest edit to the answer, it is a unique number for the function name: LDAP_MATCHING_RULE_IN_CHAIN – JohannesB Mar 25 '20 at 11:41
  • The second link has been helpful, though I need to manually first make a search using the filter given in the answer in the second link. But that's acceptable as there seems to be no implicit way provided by the Unboundid ldap sdk to detect circular references. – jarvo69 Mar 25 '20 at 12:06
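An added example (not from the answer, and not UnboundID project code) of the approach above in the UnboundID LDAP SDK: one subtree search with the in-chain matching rule expands all nested members without any client-side recursion, and a BASE-scope search with the same rule checks, before an add, whether the proposed member already contains the group transitively, which is exactly the case that would close a loop. Host, bind DN, base DN and group DNs are placeholders.

```java
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.util.LinkedHashSet;
import java.util.Set;

public class NestedGroupCheck {
    // OID of LDAP_MATCHING_RULE_IN_CHAIN: AD expands the membership chain server-side.
    private static final String IN_CHAIN = "1.2.840.113556.1.4.1941";

    // All transitive members of groupDN in one search: (memberOf:1.2.840.113556.1.4.1941:=<groupDN>)
    static Set<String> transitiveMembers(LDAPConnection conn, String baseDN, String groupDN)
            throws LDAPException {
        Filter f = Filter.createExtensibleMatchFilter("memberOf", IN_CHAIN, false, groupDN);
        SearchRequest req = new SearchRequest(baseDN, SearchScope.SUB, f, SearchRequest.NO_ATTRIBUTES);
        Set<String> members = new LinkedHashSet<>();
        for (SearchResultEntry e : conn.search(req).getSearchEntries()) members.add(e.getDN());
        return members;
    }

    // Pre-check before adding candidateDN as a member of groupDN: the add closes a cycle if
    // groupDN is already a direct or transitive member of candidateDN, or both are the same entry.
    static boolean wouldCreateCycle(LDAPConnection conn, String groupDN, String candidateDN)
            throws LDAPException {
        if (DN.equals(groupDN, candidateDN)) return true;
        Filter f = Filter.createExtensibleMatchFilter("memberOf", IN_CHAIN, false, candidateDN);
        SearchRequest req = new SearchRequest(groupDN, SearchScope.BASE, f, SearchRequest.NO_ATTRIBUTES);
        return conn.search(req).getEntryCount() > 0; // the group entry itself matched => cycle
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder host, bind DN and DNs (assumptions); the bind password is passed as args[0].
        LDAPConnection conn = new LDAPConnection("ad.example.test", 389,
                "CN=svc-ldap,OU=Service,DC=example,DC=test", args[0]);
        try {
            String base = "DC=example,DC=test";
            String group1 = "CN=Group-1,OU=Groups," + base;
            String group3 = "CN=Group-3,OU=Groups," + base;
            System.out.println("Transitive members of Group-1: " + transitiveMembers(conn, base, group1));
            // With Group-1 -> Group-2 -> Group-3 in place, adding Group-1 under Group-3 closes the loop.
            System.out.println("Adding Group-1 to Group-3 would create a cycle: "
                    + wouldCreateCycle(conn, group3, group1));
        } finally {
            conn.close();
        }
    }
}
```

The filter matches through AD's memberOf back-link, so membership held only via primaryGroupID is not returned; in practice bind over LDAPS (636) or StartTLS rather than plaintext 389, since a simple bind sends the password in clear.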