3
votes

I have a domain structure similar to this:

DC=us,DC=earth,DC=com
DC=uk,DC=earth,DC=com
DC=au,DC=earth,DC=com

Each domain has a users OU and a groups OU.

Each domain has users 01 to 10, named after the domain, i.e. us01, us02, ..., uk01, uk02, ..., au01, au02, ...

There is a group:

cn=group1,ou=groups,DC=uk,DC=earth,DC=com

us01,uk01 and au01 are members of

cn=group1,ou=groups,DC=uk,DC=earth,DC=com.

I am trying to run an LDAP query to return all members of

cn=group1,ou=groups,DC=uk,DC=earth,DC=com

I believed a base DN of "DC=earth,DC=com" with a filter of

"memberof=cn=group1,ou=groups,DC=uk,DC=earth,DC=com"

with a SUBTREE level scope should work; however, it doesn't.

What am I doing wrong? Is it possible?

I am using JXplorer to test.

Furthermore, I can only query/return objects contained in the local domain, i.e. if I use earth.com as the BASE DN I can only "see" objects in the earth domain returned. It doesn't seem to be able to traverse the subdomains. Is this normal?

I also can't view objects in sibling domains, i.e. I can't see uk users when using the au domain as the BASE DN. I believe this to be correct, as the BASE DN needs to have the AD objects in its SUBTREE to be able to "see" them. Is this correct?

Sorry, tried to format correctly. Obviously failed. - user1032037

Can you provide your search string? - Tim A

Is this what you're after? Base DN: (DC=earth,DC=com) Filter: (memberOf=cn=group1,ou=groups,DC=uk,DC=earth,DC=com) - user1032037

You need to put some empty lines between your paragraphs and between regular text and indented text ... - marc_s

3 Answers

2
votes

It looks like you're including the attribute you are wanting to return in your filter. Try just using cn=group1,ou=groups,DC=uk,DC=earth,DC=com as your base, with a scope of BASE, and a filter of (objectclass=*) (this will get you directly to the group you're trying to query). Then, from the entry that is returned by the search, get the attribute that contains the list of members.

As far as what sub-domains you are able to traverse, that could depend on ACLs (Access Control Lists) applied to the tree, or it could just be weirdness in Jxplorer. IMO, Jxplorer is junk.

And yes, you will only ever be able to see entries below what you define as the BASE DN, regardless of what tool you are using.

2
votes

As you are within separate domains, you will need to be able to chase referrals. I am not aware of the capabilities of Jxplorer or whether it can auto-chase referrals.

And as Tim A said, you will need to be sure you have proper rights to access all contexts you are trying to reach. -jim

0
votes

It may be too late, but I am trying to solve the same problem. I am trying to get all the users of a group, but it returns nothing because all the users of this group are under a subdomain. Microsoft support says that "it is not possible". They recommend performing a search for each subdomain. The link is below:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/45008d6c-59e0-49a3-87a6-894dd5d6d5b6/ldap-query-not-returning-subdomains?forum=winserverDS

I also found that, if there is a proper Global Catalog server running on the network, it is possible to get results from all the subdomains with one query. Using port 3268 instead of 389 for the LDAP connection makes it possible to query the Global Catalog, which covers the whole subdomain tree.
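The three answers each turn on what a single search can reach: the first reads the group's own `member` attribute with a BASE-scope search, the second notes that a domain controller hands back referrals for the other domains, and the third says a Global Catalog on port 3268 answers the `memberOf` search for the whole forest. The script below is an added example (not code from the question or any answer, and it talks to no real server) that models those rules on the forest the question describes: DN normalisation, the BASE/ONELEVEL/SUBTREE visibility check, and the port rule that a DC on 389 only searches its own domain partition while a GC on 3268 searches every partition. The forest contents (users us01..au10, group1 in uk with us01, uk01 and au01 as members) are constructed from the question; the `Directory` class and its `search` method are this example's own simplification, not an LDAP library API.

```python
"""Model of listing group1's members across the earth.com forest.

Added example; the forest is constructed from the question's description and
the port rule (389 = one domain partition, 3268 = every partition) from the
third answer. No real directory is contacted.
"""

GROUP_DN = "cn=group1,ou=groups,DC=uk,DC=earth,DC=com"
FOREST_ROOT = "DC=earth,DC=com"
BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"


def parse_dn(dn):
    """Split a DN into normalised RDNs, leftmost (most specific) first.
    AD compares attribute types and names case-insensitively, so everything is
    lower-cased and whitespace around '=' and ',' is dropped."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def same_dn(a, b):
    return parse_dn(a) == parse_dn(b)


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is reachable from base_dn with the given search scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all (e.g. uk users from an au base)
    depth = len(entry) - len(base)
    if scope == BASE:
        return depth == 0
    if scope == ONELEVEL:
        return depth == 1
    return True


def naming_context(dn):
    """The domain partition that holds an entry: its trailing run of DC= RDNs."""
    dcs = []
    for rdn in reversed(parse_dn(dn)):
        if not rdn.startswith("dc="):
            break
        dcs.append(rdn)
    return ",".join(reversed(dcs))


class Directory:
    """A forest as a flat dict of DN -> attributes, plus the port rule (model only)."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, scope, predicate, port=389, connected_nc=None):
        """Return (matching DNs, partitions a referral was returned for).
        port 389: the connected DC holds only connected_nc; in-scope entries in
        other partitions produce a referral rather than a hit.
        port 3268: the Global Catalog searches every partition locally."""
        hits, referrals = [], set()
        for dn, attrs in self.entries.items():
            if not in_scope(dn, base_dn, scope):
                continue
            nc = naming_context(dn)
            if port == 389 and nc != naming_context(connected_nc):
                referrals.add(nc)
                continue
            if predicate(attrs):
                hits.append(dn)
        return sorted(hits), sorted(referrals)


def build_forest():
    """Constructed data: users us01..au10, group1 in uk with three cross-domain members."""
    members = [f"cn={d}01,ou=users,DC={d},DC=earth,DC=com" for d in ("us", "uk", "au")]
    entries = {}
    for domain in ("us", "uk", "au"):
        for n in range(1, 11):
            dn = f"cn={domain}{n:02d},ou=users,DC={domain},DC=earth,DC=com"
            in_group = any(same_dn(dn, m) for m in members)
            entries[dn] = {"objectClass": "user", "memberOf": [GROUP_DN] if in_group else []}
    entries[GROUP_DN] = {"objectClass": "group", "member": members}
    return Directory(entries)


def is_member_of_group1(attrs):
    """The question's filter: (memberOf=cn=group1,ou=groups,DC=uk,DC=earth,DC=com)."""
    return any(same_dn(g, GROUP_DN) for g in attrs.get("memberOf", []))


def members_by_memberof(forest, port):
    """The question's search: subtree from the forest root with the memberOf filter,
    against a root-domain DC (389) or a Global Catalog (3268)."""
    return forest.search(FOREST_ROOT, SUBTREE, is_member_of_group1, port, FOREST_ROOT)


def members_by_group_entry(forest):
    """First answer's approach: BASE search on the group DN against a uk DC with
    filter (objectclass=*), then read the member attribute of the single entry."""
    hits, _ = forest.search(GROUP_DN, BASE, lambda a: True, 389, "DC=uk,DC=earth,DC=com")
    return sorted(forest.entries[hits[0]]["member"]) if hits else []


if __name__ == "__main__":
    forest = build_forest()
    print("389 memberOf  ->", members_by_memberof(forest, 389))
    print("3268 memberOf ->", members_by_memberof(forest, 3268))
    print("group entry   ->", members_by_group_entry(forest))
```

Run it and the 389 search returns no users at all, only referrals to the three child partitions, which is the symptom the question and the second answer describe; the 3268 search and the BASE read of the group entry both return us01, uk01 and au01. Against a real forest the two working searches map onto OpenLDAP's `ldapsearch` as `ldapsearch -x -H ldap://gc.earth.com:3268 -b "DC=earth,DC=com" -s sub -D "<bind DN>" -W "(memberOf=cn=group1,ou=groups,DC=uk,DC=earth,DC=com)"` and `ldapsearch -x -H ldap://dc.uk.earth.com -b "cn=group1,ou=groups,DC=uk,DC=earth,DC=com" -s base -D "<bind DN>" -W "(objectclass=*)" member`, where the host names are assumptions for illustration and, as the second answer says, the bind account needs read rights on every partition involved.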