LDAP Active Directory group search on base not drilling down to include multiple OUs

0
votes

I am trying to retrieve all the AD groups for the authenticating user in my Java app, where the groups come from two different organizational units. So far I can only retrieve one set of groups, or the other, using Spring Security and setting the search base either of:

OU=RoleGroups,OU=UEU,OU=rEU,DC=ah1,DC=ad,DC=megacorp,DC=com

or

OU=RoleGroups,OU=MOR,OU=rEU,DC=ah1,DC=ad,DC=megacorp,DC=com

These only return a result when I use them with the simple search filter:

(member=CN=Adam,OU=Users,DC=ah1,DC=ad,DC=megacorp,DC=com)

Spring Security with the spring-security-ldap library only allows me to make one query otherwise I will have to start overriding the 3rd party library classes to make my second call.

I've just been trying to work out if I can apply anything from these 2 SO questions:

LDAP root query syntax to search more than one specific OU

Spring LDAP authentication with multiple user OU and multiple access CNs

but a solution still eludes me. As far as I can tell by changing everything to do groups instead of users, I should be doing the following:

Use port 3268 instead of 389

Use search base DC=ah1,DC=ad,DC=megacorp,DC=com

Use search filter (&(objectCategory=RoleGroup)(objectclass=group)(member={0}))

and this should run my query as a 'global catalog search'. I can't get this to work - no results returned - with any variation of my search base from null to zero-length string to the above, and varying my search filter hopefully intelligently.

There is also an AD global catalog search technique using some sort of number reference to a userAccountControl etc but it's far from clear with doing a deep dive into Microsoft AD whether there's a similar "groupControl" attribute.

I see an Org Unit called RoleGroups and this is Active Directory, but I don't know if I should be referring to it in my search filter as above like this:

&(objectClass=group)(member={0}))

or

&(objectCategory=RoleGroup)(objectclass=group)(member={0}))

where I have objectClass, objectclass, objectCategory or objectcategory and nothing but trial and error to guide me - and so far, it is all error.

The complete lack of returned groups when I try to search from the DC=megacorp,DC=com search base using a simple filter gives me a suspicion that I may have configured something wrong. But what that is I don't know. I have set the available Spring config properties such as searchSubtree=true, and derefLink=true

2
javaspring-securityldapspring-ldap
What context within Microsoft Active Directory are your users located? I am not clear if you are looking members which are members of one group or ??jwilleke

2 Answers

1
votes

The member attribute has a DN syntax, so it expects the whole user's DN and not just the CN to match a member in a group.

0
votes

I decided to dig deeper into the issue using the Microsoft AD Client tool dsquery.

Initially I had a problem with brackets in the distinguished name, e.g.:

$ dsquery user -samid craxyz01
"CN=Bloggs\, Joe (SUPERHERO AGSC),OU=Users,OU=Client,DC=ah1,DC=ad,DC=megacorp,DC=com"

To get dsquery to respond, I had to escape the brackets:

$ dsquery * "DC=ah1,DC=ad,DC=megacorp,DC=com" -filter "(&(objectClass=group)(member=CN=Bloggs\, Joe \28SUPERHERO AGSC\29,OU=Users,OU=Client,DC=ah1,DC=ad,DC=megacorp,DC=com))"

This query drills down through all org units below DC=ah1,DC=ad,DC=megacorp,DC=com, so it picks up all groups, whether in OU=UEU or OU=MOR.

So now in my Java app with

group search base=DC=ah1,DC=ad,DC=megacorp,DC=com

and group search filter=(&(objectClass=group)(member={0}))

it's pretty obvious that Spring is doing something wrong, maybe not escaping the slash /, but it's hard to tell because of the reflection it does. It does call LdapEncoder.filterEncode() which looks like it should work.

Thanks to https://superuser.com/questions/1107493/dsquery-parameters

I'll post a new question directly about spring-security and make sure it pings back the link.