LDAP query get all groups (nested) of a group

java active-directory ldap active-directory-group

12,372

Solution 1

Important for Active Directory to have memberOf:1.2.840.113556.1.4.1941 if you want to find nested groups (do not replace this magic numeric string).

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Test group,CN=Users,DC=domain,DC=net))

Solution 2

You can try to do next

Attribute memberOf = srLdapUser.getAttributes().get("memberOf");
if (memberOf != null) {
  for (int i = 0; i < memberOf.size(); i++) {
      Attributes atts = ctx.getAttributes(memberOf.get(i).toString(), new String[] { "CN" });
      Attribute att = atts.get("CN");
      groups.add((att.get().toString())); 
  }
  System.out.println(groups.toString());`

12,372

Author by

Trick

There a feeling I get, when I look to the west.

Updated on July 25, 2022

Comments

Trick almost 2 years

I want to list all groups in a Active Directory, including nested.

With this I get the top level groups:

try {
    Hashtable<String,String> props = new Hashtable<String,String>();
    props.put(Context.SECURITY_AUTHENTICATION, "simple");
    props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    props.put(Context.PROVIDER_URL, "ldap://adserver");
    props.put(Context.SECURITY_PRINCIPAL, "user@domain");
    props.put(Context.SECURITY_CREDENTIALS, "password");

    DirContext ctx = new InitialDirContext(props);

    SearchControls cons = new SearchControls();
    cons.setReturningAttributes(new String[] {"cn"});
    cons.setSearchScope(SearchControls.ONELEVEL_SCOPE);

    NamingEnumeration<SearchResult> answer = ctx.search("cn=users,dc=domain,dc=com", "(objectcategory=group)", cons);
    System.out.println("AD GROUPS:");
    while(answer.hasMore()) {
        SearchResult result = (SearchResult) answer.next();
        Attributes atts = result.getAttributes();
        Attribute att = atts.get("cn");
        String groupName = (String)att.get();

        //how to search for groups nested in this group
    }
} catch (NamingException e) {
    e.printStackTrace();
}

How can I fetch nested groups? I googled a little and found this two ways:

NamingEnumeration<SearchResult> nested = ctx.search("cn=users,dc=domain,dc=com", "(&(objectClass=group)(objectCategory=group)(memberOf:1.2.840.113556.1.4.194:=cn="+groupName+"))", controls);

and

NamingEnumeration<SearchResult> nested = ctx.search("cn=users,dc=domain,dc=com", "(&(objectClass=group)(objectCategory=group)(memberOf=CN="+groupName+"))", controls);

But this is not returning the nested groups. What am I doing wrong?

user207421 over 10 years

What about the nested groups?
A N over 3 years

What is the magic string? Will it always work irrespective of past or future AD versions?
A N over 3 years

What is the magic string? Will it always work irrespective of past or future AD versions?
Michael Schmidt over 3 years

You know, it's Microsoft. It's always unpredictable in the future. Till now it works. According to social.technet.microsoft.com/wiki/contents/articles/… " It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above)."