LDAP query memberOf group with users from root domain

0
votes

So I have a:

  • (root) domain lab.local with a user [email protected].
  • Subdomain inner.lab.local with a group testers (CN=testers,OU=Groups,OU=Domain Resources,DC=inner,DC=lab,DC=local).
  • In that subdomain I've created a user [email protected].
  • I've added both [email protected] and [email protected] to testers group
  • In the subdomain, I've created a query (&(objectCategory=user)(memberOf=CN=testers,OU=Groups,OU=Domain Resources,DC=inner,DC=lab,DC=local))

Above query returns only [email protected] (doesn't take a member from root domain: [email protected]).

I know the reason is that it's not a global catalog (it's marked as universal) thus (...) membership in groups from other domains will not be listed (...)

Is there any solutions for that? Is there anything I can do to get them both?

EDITED (to be more specific):

Here in root domain mylab.local (192.168.1.168) we can see a user John with userPrincipalname set to [email protected]:

screenshot_of_root_domain

Here we can see a subdomain inner.mylab.local(192.168.1.169). In here we have a group testers in OU called Groups. As you can see, in that domain we have a user mike defined. Both users mike (from inner.mylab.local) and john (from mylab.local) are members of the group testers:

enter image description here

My goal is to get both users based on group name. Thanks to Mr. Marcin answer, I know that I have to Query the global catalog in the child domain. But, when connected to subdomain on port 3268:

screenshot_of_connection_properties_to_subdomain

and queried users, I got only the one from subdomain:

query_users_based_on_memberOf_attribute

When I get the whole group, like this:

query_group

I can see both. But I need each user userPrincipalName attribute. So even If I do the second query to get info about each user from different domain, I am not able to get info about user:

screenshot_query_user_based_on_dn

So what I am doing wrong, that can't get user john (from different domain) when queried global catalog in child domain?

EDITED: I am using java and LdapTemplate.

1
active-directoryldapldap-query
Two things: 1. Are you sure your 4th screenshot actually queried the global catalog? That should have worked.Gabriel Luci
2. You are always better off reading the member attribute of the group rather than trying to query memberOf of users. If you tell us which programming language you're doing this in, we can help better.Gabriel Luci
"Are you sure your 4th screenshot actually queried the global catalog?" third screenshot. I am connecting to the server (via LDAPAdmin) on port 3268, so it should be GC, am I right ? (or no, maybe I am wrong, that's why I am here :))user3529850
I saw that, but I'm wondering if it actually did use the GC port for that query. It should work.Gabriel Luci
"2. You are always better off reading the member attribute". Yes I did change that, but I had trouble with getting account name from SID. That's my seconds question you answered just a moment ago. I take a bow, thanks.user3529850

1 Answers

-2
votes

I dont understand your problem but if you install JXplorer of help enough to see the structure and find out if there is something out of place.