0

H everyone,

I am having a problem with getting all the users that are inside of one group. I have the group name, and my task is to get list of all users. I do not have enabled memberOf property in OpenLDAP server. So far I was able to get the group using:

 "(&(objectClass=groupOfNames)(cn=" + groupName + "))";

When I got this, I used the attribute member of found group e.g "cn=ldapuser1,ou=Users,dc=example,dc=com"

Then having this I did another query to get all users with given name (in the example above the name would be ldapuser1). I user this query:

"(&(objectClass=inetOrgPerson)(|" + builder + "))"; // it can contain several names

Problem is that if my main group contain another group... my second query would not work.

So what works for now is: (but is not that straightforward and easy) getting users of one single group (2 calls to the server are required - first to get group, and then based on member attribute I do second query that asks for specific users)

What does not work is e.g if one single group contain one user and one group that e.g. contains 2 users, in the final result with my current solution I got only one user. What I want is to have three users as a result in this example.

I have already working Active Directory user search and it is so simple - I use just memberOf with "1.2.840.113556.1.4.1941" filter for nested groups and their users. Why it can not be this simple with OpenLDAP?

So my final question is what is the best approach to implement this, how to build this kind of query ?

I would really like some advice from you guys,

any help would be appreciated!

many thanks,

cheers

paweluz
  • 53
  • 6

1 Answers1

1

Why it can not be this simple with OpenLDAP?

"1.2.840.113556.1.4.1941" (aka LDAP_MATCHING_RULE_IN_CHAIN) is an Extensible Match operator that walks the chain of ancestry in objects all the way to the root until it finds a match and is, as far as I know, only available with Microsoft Active Directory.

You could, of course, write code to evaluate each memberOf value returned to determine if it is a group and then transverse through each group.

A friend of mine once said "Complexity can neither be created or destroyed, but only moved around". Nested groups is one of those type of complexity issues. Do it on Client or server but it is still complex and resource intensive.

Nested groups is a compounding problem and even with Microsoft Active Directory using "1.2.840.113556.1.4.1941" will fail on large nests of groups and/or large numbers of members. I recommend Nested Groups be avoided.

jwilleke
  • 10,467
  • 1
  • 30
  • 51
  • thank you for your answer. This is what I was afraid of. I kind of figure out it may be a complex issue, especially when number of groups is very large, and nesting is done very deep. This is why I I thought that maybe OpenLDAP has some build in functionality that I was not aware of, to avoid what you wrote: "write code to evaluate each memberOf value returned to determine if it is a group and then transverse through each group." – paweluz Jul 18 '20 at 17:02
  • But if the goal would be just to take users from first nested group and do not check further nesting... I still would have to write my own mechanism to: - take single group and check their member - take each member once as user and once as group - one must not be null - if is not null and contain attribute member it means it is a group and I have to take manually members from it, do searching for users and that would be all. I could teoretyczny use recursion for that maybe, but still would have to think about it very much. There is no way I can do it differently, right ? – paweluz Jul 18 '20 at 17:06
  • This is not an answer to the problem. In OpenLDAP there's `dnSubtreeMatch` and `dnSuperiorMatch`. – Jorge Fuentes González Nov 22 '22 at 19:17