Nested Group LDAP Search Filter

Solution 1

All Groups a User is a member of including Nested groups

As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN (for example, OU=groupsOU,DC=MyDomain,DC=NET), set the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the Extensible Match Rule.

-jim

Solution 2

Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries -- nothing more. The implementation of group support, including how data structures like nested and dynamic groups are handled, queried, verified, etc., is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversal (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are done automatically for the LDAP client. For instance, SDS provides operational attributes like ibm-allgroups and ibm-allmembers to help LDAP clients pull group and membership information from nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server products, but that depends on how sophisticated you want to get with group support in your application.
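The following is an added example, not code from either answer. It covers both points above: it builds the Active Directory matching-rule filter from Solution 1 with RFC 4515 escaping of the DN (so a value taken from user input cannot change the filter's structure), and, for servers that do not implement that rule (the situation Solution 2 describes), it expands nested membership client-side by walking `member` attributes upward with cycle protection. The in-memory `SAMPLE_DIRECTORY` dict is constructed sample data standing in for search results; the group and user names in it are assumptions.

```python
"""Added example: AD in-chain filter construction plus a portable, client-side
nested-group expansion. Not code from the original answers."""

from collections import deque

# Extensible match rule OID quoted in Solution 1 (LDAP_MATCHING_RULE_IN_CHAIN on AD).
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so untrusted text cannot alter the filter
    structure (the standard LDAP injection defence)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(user_dn: str, attr: str = "member") -> str:
    """Filter matching every group whose `attr` chain reaches user_dn.
    Only servers that implement the matching rule (Active Directory) honour it;
    a server that does not will typically return no results or an error."""
    return f"({attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


def expand_nested_groups(directory: dict, user_dn: str, attr: str = "member") -> set:
    """Portable alternative: breadth-first walk from the user through every
    group that lists the current entry in `attr`. `directory` maps a DN to its
    attributes (attribute -> list of values) and stands in for the results of
    one search per level. The visited set stops loops on circular nesting."""
    visited = set()
    queue = deque([user_dn])
    while queue:
        current = queue.popleft()
        for dn, attrs in directory.items():
            if current in attrs.get(attr, []) and dn not in visited:
                visited.add(dn)
                queue.append(dn)
    return visited


# Constructed sample directory: John is a direct member of Developers, which is
# nested in Engineering, which is nested in Staff. Staff and Engineering also
# reference each other to exercise the cycle handling.
SAMPLE_DIRECTORY = {
    "CN=Developers,OU=groupsOU,DC=MyDomain,DC=NET": {
        "member": ["CN=John Smith,DC=MyDomain,DC=NET"]},
    "CN=Engineering,OU=groupsOU,DC=MyDomain,DC=NET": {
        "member": ["CN=Developers,OU=groupsOU,DC=MyDomain,DC=NET",
                   "CN=Staff,OU=groupsOU,DC=MyDomain,DC=NET"]},
    "CN=Staff,OU=groupsOU,DC=MyDomain,DC=NET": {
        "member": ["CN=Engineering,OU=groupsOU,DC=MyDomain,DC=NET"]},
    "CN=Finance,OU=groupsOU,DC=MyDomain,DC=NET": {
        "member": ["CN=Jane Doe,DC=MyDomain,DC=NET"]},
}

if __name__ == "__main__":
    user = "CN=John Smith,DC=MyDomain,DC=NET"
    print(in_chain_filter(user))
    for group in sorted(expand_nested_groups(SAMPLE_DIRECTORY, user)):
        print(group)
```

Against a real server, each BFS level of `expand_nested_groups` becomes one search with a filter such as `(member=<escaped current DN>)` over the groups container; the number of round trips grows with nesting depth, which is exactly what the single in-chain filter avoids on AD.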

Updated on September 20, 2022

Comments

  • puzzled confused over 1 year

    I need information regarding an LDAP search filter to extract nested group membership. Basically, my idea is: say, for instance, a user belongs to 5 groups [A, B, C, D, E]. Can I write a single LDAP search query to get the member groups of which groups [A, B, C, D, E] may be a part? And can I use this logic recursively to retrieve all group information up to the complete root of the AD?

    And I need this solution to be for generic AD, so I cannot use the LDAP_RULE_IN_CHAIN filter, which works only for MS AD.

  • puzzled confused over 11 years
    Hi Jim, I cannot use this, as the filter you mentioned seems to work only for MS AD and not for generic AD servers. My implementation needs to be done for a generic LDAP server.
  • jwilleke over 11 years
    Yes, it will only work for Microsoft AD servers. This is done with an extensible matching rule that would need to be available on the server. Microsoft has implemented the matching rule. Other LDAP server implementations could do the same. I show some details on this here: ldapwiki.willeke.com/wiki/1.2.840.113556.1.4.1941
  • Znik about 6 years
    Unfortunately the LDAP protocol doesn't have functionality similar to an SQL join. Maybe in a far-future LDAP definition it will be implemented, but I don't believe that time will be shorter than 50 years.