2
votes

I would like to write a search filter which would help me retrieve all groups which a user is part of.

For instance: Say I am retrieving entries for user A (which is part of group A). And group A may be part of group B and group D which in turn may be part of group E.

Now, my search filter should return me MemberOf attribute as all possible groups which user A is part of (in this specific case it is Group A, B, D, E).

Any pointers on how the search filter can look like?

3
I'm not sure I fully understand the question. If you read out the memberOf property of the DirectoryEntry (the user in this case), it should list out the DNs of all groups that member is a member of regardless of where in the directory structure the group is located. - Sinaesthetic
Hi Sinaesthetic, currently we use only a top-level filter for doing LDAP search. For instance, say I want to extract memberOf for User A, and say User A is memberOf Group A and Group B. Then as part of the top-level search filter, I can only extract information about Group A and Group B. But what if Group A and Group B are in turn part of Group D, so automatically User A becomes part of Group D, and I will miss out on this information. - puzzled confused

3 Answers

3
votes

This should do what you are asking about. It will return the FDN of each group the user is a memberOf, however, this queries the group, not the user.

As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

-jim
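As an added example (not part of the answer above, and not code from any AD tool): the filter value is a DN, so it must be escaped per RFC 4515 rather than wrapped in extra parentheses, and the server-side rule is equivalent to walking the member chain upward from the user until no new group appears. The Python below builds the filter with that escaping for both directions of the rule (groups of a user, users of a group) and shows the client-side walk the 1.2.840.113556.1.4.1941 rule replaces, including cycle protection, over a constructed in-memory directory that mirrors the question (user in Group A, A in B and D, D in E). The DNs, group names and the `ldap3` usage mentioned afterwards are assumptions, not from the original post.

```python
"""Nested-group lookup with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).

Added example, not from the original answer. Shows (a) the filter with RFC 4515
escaping of the DN value and (b) the transitive closure the server computes for
that filter. The directory below is constructed sample data, not a real domain.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 (\\XX hex escapes).

    A DN containing '(' , ')', '*' or '\\' (e.g. an escaped comma in a CN) would
    otherwise break the filter; this is also why the DN is not wrapped in parentheses.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def groups_of_user_filter(user_dn: str) -> str:
    """Run with base = groups container, scope = subtree.

    Matches every group whose 'member' chain (direct or nested) reaches user_dn.
    """
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def members_of_group_filter(group_dn: str) -> str:
    """The converse: base = users container, returns users nested anywhere under group_dn."""
    return "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def nested_groups(user_dn: str, groups: dict) -> set:
    """Client-side equivalent of the in-chain rule.

    groups maps group DN -> set of direct 'member' DNs. Walk member -> containing
    group upward; the 'seen' set stops the walk on circular nesting, which AD permits.
    """
    containers = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            containers.setdefault(member_dn, set()).add(group_dn)
    seen = set()
    frontier = [user_dn]
    while frontier:
        current = frontier.pop()
        for group_dn in containers.get(current, ()):
            if group_dn not in seen:
                seen.add(group_dn)
                frontier.append(group_dn)
    return seen


# Constructed sample directory (assumed DNs). Group E also lists Group D as a
# member, creating a cycle E -> D -> E that a naive recursive walk would loop on.
USER_DN = "CN=John Smith,DC=MyDomain,DC=NET"
GROUP_A = "CN=Group A,OU=groupsOU,DC=MyDomain,DC=NET"
GROUP_B = "CN=Group B,OU=groupsOU,DC=MyDomain,DC=NET"
GROUP_D = "CN=Group D,OU=groupsOU,DC=MyDomain,DC=NET"
GROUP_E = "CN=Group E,OU=groupsOU,DC=MyDomain,DC=NET"
GROUP_F = "CN=Group F,OU=groupsOU,DC=MyDomain,DC=NET"  # unrelated, must not appear
SAMPLE_GROUPS = {
    GROUP_A: {USER_DN},
    GROUP_B: {GROUP_A},
    GROUP_D: {GROUP_A, GROUP_E},
    GROUP_E: {GROUP_D},
    GROUP_F: {"CN=Someone Else,DC=MyDomain,DC=NET"},
}

if __name__ == "__main__":
    print(groups_of_user_filter(USER_DN))
    print(escape_filter_value("CN=Smith\\, John (Contractor),DC=MyDomain,DC=NET"))
    for dn in sorted(nested_groups(USER_DN, SAMPLE_GROUPS)):
        print(dn)
```

Against a live domain the same filter string goes straight into a subtree search on the groups container (with `ldap3`, `conn.search(groups_base, groups_of_user_filter(dn), SUBTREE, attributes=['distinguishedName'])`); the in-memory walk is only there to make visible what the matching rule does on the server, and to show why a hand-rolled client-side version needs a visited set.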

1
votes

There is an attribute called tokenGroups in the user object. It's a constructed attribute calculated by Active Directory at runtime. It includes all the groups the user object belongs to.

Make sure your domain has a Global Catalog and make sure the account that you are using is in the Pre-Windows 2000 Compatible Access group. Then, make sure tokenGroups is specified as one of the returned properties. Do a base-scope search on the user object.
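As an added example, not part of the answer above: tokenGroups comes back as raw binary SIDs, not DNs, so each value has to be decoded and then looked up (for instance by objectSid) to get the group object. The Python below decodes the binary SID layout, builds the byte-escaped objectSid filter for the lookup, and runs over constructed sample values; it also includes the user's primary group (RID 513, Domain Users), which tokenGroups reports but member/memberOf never list. The sample SID values and the `ldap3` call mentioned afterwards are assumptions, not from the original answer.

```python
"""Decoding tokenGroups values and mapping each SID back to a group object.

Added example, not from the original answer. tokenGroups values are binary SIDs,
so they are decoded here and turned into objectSid lookups. The SIDs below are
constructed sample values, not from a real domain.
"""
import struct


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here to build the sample tokenGroups values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_filter(blob: bytes) -> str:
    """Filter that finds the object with this SID; every byte is hex-escaped per RFC 4515."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in blob)


def resolve_token_groups(token_groups) -> list:
    """For each raw tokenGroups value return (SID string, objectSid filter to fetch the group)."""
    return [(sid_from_bytes(blob), objectsid_filter(blob)) for blob in token_groups]


# Constructed sample (assumed domain SID): what a base-scope search on the user with
# attributes=['tokenGroups'] might return. Second entry is the primary group
# (Domain Users, RID 513), which memberOf does not list; third is BUILTIN\Users.
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_TOKEN_GROUPS = [
    sid_to_bytes(SAMPLE_DOMAIN_SID + "-1108"),
    sid_to_bytes(SAMPLE_DOMAIN_SID + "-513"),
    sid_to_bytes("S-1-5-32-545"),
]

if __name__ == "__main__":
    for sid, flt in resolve_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid, flt)
```

On a live domain the raw values come from a base-scope search on the user DN (with `ldap3`: `conn.search(user_dn, '(objectClass=*)', BASE, attributes=['tokenGroups'])`, then the attribute's raw byte values); each objectSid filter is then run as a subtree search to get the group's DN and name.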

1
votes

You can use adfind.exe (joeware) to sort out this issue and to utilize the standard LDAP filters that are described here. For example:

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Group nesting is specified to be like this:

(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)

and if you use adfind, then it would look like this:

adfind -f "(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)" samaccountname -list

If you want to have output other than samaccountname, for example displayname or the mail attribute, just add them to the list. Also, if you want to search multiple users, then you might want to have an input file containing all users and some script to feed each line to adfind, for example.