single line LDAP query that enumerates users from a group within a supergroup

20
votes

I have a scheme that looks like this:

  1. Users exist like UserA, UserB, UserC.
  2. Groups exist like OverGroup, SubGroup.
  3. OverGroup automatically adds new users like UserA, UserB, etc. to its membership.
  4. SubGroup I created myself. I have set OverGroup to be a member of SubGroup.

I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:

Values:  
CN=OverGroup,OU=Groups,DC=example,DC=com

but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:

Values:  
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com

Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)

Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?

2
active-directoryldap

2 Answers

29
votes

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.

Here is an example of how to retrieve all users in a group, including nested groups:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))

where {0} is the DN of the parent group.

7
votes
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=MPV_BedPlacement,OU=Security Groups,OU=Groups,OU=CCHCS,DC=CCHCS,DC=LDAP))

You have to add the full DN for the group and no curly braces.