I am trying to build an LDAP query to MS Active Directory. I found that there is an LDAP_MATCHING_RULE_IN_CHAIN type to do so, which results in the following syntax:
(&(sAMAccountName=Benna)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))
Problem is:
The query* enumerates only the first nested group.
In my example, Group1 has the following member groups:
- Domain Administrators
- Domain Members
- Domain Computers
And Benna is in the group Domain Members, but the query doesn't give me a result*.
When I change the filter to
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))
I can see that the query enumerates only members of the group "Domain Administrators"*.
So that's the reason it does not match my query above.
Any reason why this happens?
*Tested with adsiedit.msc
EDIT:
ok - it seems that this is the reason
https://support.microsoft.com/en-us/kb/275523
but is it possible to build a query for the nested group that also covers the primaryGroupID attribute? Or is there any way to have a single LDAP query that you can use to find out if a user is a member of a group (which can also have nested groups)?
Thanks, Thomas
ok - it seems that the limitation is due to a domain forest level lower than 2003.
https://support.microsoft.com/en-us/kb/275523
After changing the forest mode to 2003 it should work. I changed it, but currently it doesn't work... will wait some minutes and hope that it is the solution.
It's pretty annoying to do with old command-line tools, but the ActiveDirectory PowerShell module that you get with the Remote Server Administration Tools has an easy way of returning all nested group members:
Get-ADGroupMember "groupname" -recursive
Here's a KB article that explains the command: https://technet.microsoft.com/de-de/library/ee617193.aspx
This works if your AD is at least on Server 2008 R2.
Determining nested group membership can be tricky with pure LDAP queries. Note that memberOf is a constructed attribute. Further note that primaryGroupID is only that, an ID. While the MMC will show primary groups in the membership tab of an account, the distinguished name of an object is not actually placed in the member attribute of that group.
As noted by megamorf, you need to recursively query group membership information for each group. My company's product, Carbon, is a web-based LDAP management tool that, among other things, can display nested group membership as a graph. Since it's web-based, you can use it from a Linux (or Mac or Windows) box as long as you have a supported browser. Check it out at steelhive.com. There is a free demo you can download. It comes as an OVA / virtual appliance targeting VMware ESXi 5+.
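To make the point of the two answers concrete, here is an added example (not from either answerer, and not the Carbon product's code) that resolves nested membership the way a recursive client-side query would, over a constructed in-memory directory shaped like the question: Group1 nests Domain Administrators, Domain Members and Domain Computers, Benna is attached to Domain Members only through `primaryGroupID`, and one deliberate membership cycle is included. Walking the `member` attribute alone (what the chain matching rule does) never reaches Benna; adding users whose `primaryGroupID` equals the group's RID does. All DNs, SIDs and RIDs are made-up sample values.

```python
from collections import deque

# Constructed sample directory (not real AD data). Each entry mimics the
# attributes a real query would return: objectClass, member, objectSid,
# primaryGroupID. Benna is NOT in Domain Members' member list; her
# primaryGroupID points at that group's RID instead.
USERS = "CN=Users,DC=domain,DC=local"
GROUP1 = "CN=Group1,OU=Root,DC=domain,DC=local"
DOM_ADMINS = "CN=Domain Administrators," + USERS
DOM_MEMBERS = "CN=Domain Members," + USERS
DOM_COMPUTERS = "CN=Domain Computers," + USERS
BENNA = "CN=Benna," + USERS
ADMIN1 = "CN=Admin1," + USERS

DIRECTORY = {
    GROUP1: {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-1105",
             "member": [DOM_ADMINS, DOM_MEMBERS, DOM_COMPUTERS]},
    # Domain Administrators also lists Group1 as a member: a cycle.
    DOM_ADMINS: {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-1106",
                 "member": [ADMIN1, GROUP1]},
    DOM_MEMBERS: {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-1107",
                  "member": []},
    DOM_COMPUTERS: {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-1108",
                    "member": []},
    ADMIN1: {"objectClass": "user", "primaryGroupID": 1107},
    BENNA: {"objectClass": "user", "primaryGroupID": 1107},
}


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of an SDDL SID string."""
    return int(sid.rsplit("-", 1)[1])


def direct_members(directory, group_dn, include_primary):
    """Members one hop away: the member attribute, plus (optionally) every
    object whose primaryGroupID equals this group's RID."""
    entry = directory[group_dn]
    members = list(entry.get("member", []))
    if include_primary:
        rid = rid_of(entry["objectSid"])
        members += [dn for dn, e in directory.items()
                    if e.get("primaryGroupID") == rid]
    return members


def nested_users(directory, group_dn, include_primary=True):
    """Breadth-first walk of nested groups, returning the set of user DNs.
    The visited set guards against membership cycles, which AD allows."""
    visited, users = set(), set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in visited:
            continue
        visited.add(dn)
        for member_dn in direct_members(directory, dn, include_primary):
            entry = directory.get(member_dn)
            if entry is None:          # e.g. a foreign security principal
                continue
            if entry["objectClass"] == "group":
                queue.append(member_dn)
            else:
                users.add(member_dn)
    return users


def is_nested_member(directory, user_dn, group_dn, include_primary=True):
    return user_dn in nested_users(directory, group_dn, include_primary)


if __name__ == "__main__":
    print("member attribute only:", sorted(nested_users(DIRECTORY, GROUP1, False)))
    print("with primaryGroupID:  ", sorted(nested_users(DIRECTORY, GROUP1, True)))
```

The difference between the two calls is exactly the gap the question ran into: the server-side chain rule, like the `include_primary=False` walk, only sees what is written in `member`, so any correct "is this user in that group" check has to add the primary-group lookup itself.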