2 votes

I need information regarding an LDAP search filter to extract nested group membership. Basically, my idea is: say, for instance, a user belongs to 5 groups [A, B, C, D, E]. Can I write a single LDAP search query to get the member groups to which groups [A, B, C, D, E] may be a part of? And can I use this logic recursively to retrieve all group information up to the complete root of the AD?

And I need this solution to be for generic AD, so I cannot use LDAP_RULE_IN_CHAIN filter which works only for MS AD.

2
I can think of very few situations where this wouldn't chain into returning the entire directory. Search user, get group, get all users, get more groups, get more users, get more groups. Eventually hit an admin and get all users. Do you plan to limit this recursion? -- user1877337
Basically, I am not interested in getting users. All I am interested in is extracting the nested-group information for which a user is part of. So, if user X is part of groups [A, B, C] and group A is part of group D and group D is part of E, then all I am interested in is extracting the user groups [A, B, C, D, E]. -- puzzled confused
Hi, if I plan to limit this recursion, i.e. if I now need to limit to only a certain set of users based on, say, nested level depth. That is, now I want to extract all user groups for a user up to a specified nested depth, say '3' or '4'. Is there a way I can do that using LDAP_RULE_IN_CHAIN? It is currently fetching too many user-groups and affecting box performance. -- puzzled confused

2 Answers

4 votes

Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries -- nothing more. The implementation of group support including how data structures like nested and dynamic groups are handled, queried, verified, etc. is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversing (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are automatically done for the LDAP client. For instance, SDS provides operational attributes like ibm-allgroups and ibm-allmembers to help LDAP clients to pull group and membership information in nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server software, but that depends on how sophisticated you want to get with group support in your application.

1 vote

All Groups a User is a member of including Nested groups

As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN, for example (OU=groupsOU,DC=MyDomain,DC=NET), set the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the Extensible Match Rule (LDAP_MATCHING_RULE_IN_CHAIN).

-jim
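Both the AD-only in-chain filter above and the generic, depth-limited recursion asked about in the question comments, as an added example in Python that is not part of this answer or of any LDAP library; the `search` callback, the `group_dn` helper and the in-memory sample directory are assumptions standing in for a real LDAP connection, and the assertion values are escaped per RFC 4515 so a DN containing `(`, `)` or `*` cannot alter the filter.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def in_chain_filter(user_dn: str) -> str:
    """AD-only: LDAP_MATCHING_RULE_IN_CHAIN makes the server walk the nesting."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)

def level_filter(dns):
    """Generic LDAP: match every group whose member attribute holds any of dns."""
    clauses = "".join("(member=%s)" % escape_filter_value(dn) for dn in dns)
    return "(|%s)" % clauses if len(dns) > 1 else clauses

def nested_groups(user_dn, search, max_depth=None):
    """Breadth-first expansion: user -> direct groups -> their parent groups ...
    `search(filter)` is an assumed callback returning matching group DNs (one
    LDAP search per level). The `found` dict stops group cycles (A in D, D in A)
    and max_depth bounds how many levels are expanded; values are nesting depth."""
    found, frontier, depth = {}, [user_dn], 0
    while frontier and (max_depth is None or depth < max_depth):
        parents = [g for g in search(level_filter(frontier)) if g not in found]
        depth += 1
        found.update((g, depth) for g in parents)
        frontier = parents
    return found

# Constructed sample directory (group DN -> member DNs); not real data.
USER = "CN=John Smith,DC=MyDomain,DC=NET"
def group_dn(cn):
    return "CN=%s,OU=groupsOU,DC=MyDomain,DC=NET" % cn
SAMPLE_DIR = {
    group_dn("A"): [USER, group_dn("E")],  # E nested in A: A -> D -> E -> A cycle
    group_dn("B"): [USER],
    group_dn("C"): [USER],
    group_dn("D"): [group_dn("A")],
    group_dn("E"): [group_dn("D")],
}

def sample_search(filt):
    """Toy stand-in for the LDAP server; a real client sends filt over the wire."""
    wanted = set(re.findall(r"\(member=([^)]+)\)", filt))
    return [g for g, members in SAMPLE_DIR.items() if wanted & set(members)]

if __name__ == "__main__":
    print(in_chain_filter(USER))
    print(nested_groups(USER, sample_search))               # all 5 groups with depth
    print(nested_groups(USER, sample_search, max_depth=2))  # stops after D
```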