ldap nested group membership

Active DirectoryLdapNested

Active Directory Problem Overview

Is it possible to create an LDAP query which will return (or check for) users in a nested group? e.g. UserA is a member of GroupA, and GroupA is a member of GroupB. I want a query on GroupB to return that UserA is a member. LDAP only. The server is Active Directory.

Active Directory Solutions

Solution 1 - Active Directory

Yes, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). For example:

(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)

see http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

Solution 2 - Active Directory

You must use the full distinguished name of your group when using memberOf:1.2.840.113556.1.4.1941:= in my case CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com was the whole distinguished name

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com))

you can get the distinguished name of you group by running the following code and putting in this filter (&(objectClass=group)(name=MyGroup))

Imports System.DirectoryServices

Module Module1

Sub Main()
    Dim run As Boolean = True
    Dim Filter As String
    While run
        Console.WriteLine("Enter Filter:")
        Filter = Console.ReadLine()
        If Filter = "exit" Then
            run = False
        Else
            checkFilter(Filter)
        End If
    End While
End Sub

Function checkFilter(Filter As String) As Boolean
    Dim search As New DirectorySearcher("LDAP://dc=Domain,dc=com")
    Try
        search.Filter = Filter
        search.PropertiesToLoad.Add("name")
        search.PropertiesToLoad.Add("distinguishedName")
        search.SearchScope = SearchScope.Subtree
        Dim results As SearchResultCollection = search.FindAll()
        If results Is Nothing Then
            Console.WriteLine("Nothing")
            Return False
        Else
            If results.Count() = 0 Then
                Console.WriteLine("non found")
            End If
            Dim result As SearchResult
            For Each result In results
                Console.WriteLine(result.Properties("name")(0).ToString())
                Console.WriteLine(result.Properties("distinguishedName")(0).ToString())
                'For Each prop In result.Properties("members")
                '    Console.WriteLine(prop.ToString())
                'Next
            Next
            Console.WriteLine(String.Format("{0} Users Found", results.Count()))
        End If
    Catch ex As Exception
        Console.WriteLine(ex.Message)
    End Try
    Return True
End Function

End Module

Solution 3 - Active Directory

Per your question, the query should be

(&(memberOf:1.2.840.113556.1.4.1941:={0})(objectCategory=person)(objectClass=user)(sAMAccountName={1}))

{0} is the nested group, it should be a Distinguished name

{1} is the user sAMAccountName you want (you could use any other user property than sAMAccountName within (sAMAccountName={1}))

Then you will get the user detail for response if the user is the member of nested group

Categories
Recommended Active Directory Solutions
Recommended Ldap Solutions
Recommended Nested Solutions

Previous Solution:

Thread safe logging class implementation

C#MultithreadingLoggingThread Safety

Next Solution:

Empty class object in Python

PythonOopEmpty Class

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionaskvictorView Question on Stackoverflow
Solution 1 - Active DirectoryAndrew StrongView Answer on Stackoverflow
Solution 2 - Active DirectoryMothwareView Answer on Stackoverflow
Solution 3 - Active DirectoryJohn_JView Answer on Stackoverflow