Can LDAP_MATCHING_RULE_IN_CHAIN return 'subtree search results' with attributes (specifically "memberOf")?
I have an active directory (AD) test instance with nested groups: Employees (Parent) with two subgroups: Executives and Engineers.

Tree:
  Employees
  |
  -Executives
  |   |
  |   -Mister Executive
  |
  -Engineers
      |
      -Joe Engineer

I see that the AD-extension LDAP_MATCHING_RULE_IN_CHAIN will search the subtree; I can search for all users who are employees with this query:

query:
( & (objectClass=person)   (memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=cloud,DC=com))

The Problem: Recursive Search, but no Recursive Results

However, I cannot find a way to get the "subtree search results", i.e. while the query returns "Mister Executive" as an "Employee", the 'memberOf' attribute only lists "Executives", i.e. the group to which he directly belongs. I've checked all other attributes and don't see any 'Employees' value.

Recap

So for final clarification: does AD allow any way to retrieve "subtree memberOf" results along with "subtree" LDAP_MATCHING_RULE_IN_CHAIN ("memberOf:1.2.840.113556.1.4.1941:=") searches?

thanks in advance,

Corbet answered 30/3, 2012 at 15:2 Comment(4)
Is the base of your search the domain root, or at least the OU where the users are located? Is your AD 2003 or 2008? Can you post the whole search block? – Tot
Yes, the base search should be "users OU". I think it's 2008 (hard to tell), but we support both 2003 and 2008. As for "whole search block"... I'm just testing the query in an LDAP Search tool, simply pasting the above query. Do you want the results? – Corbet
If you look here: support.microsoft.com/kb/914828/en-us, you see what you want is possible. If you combine example 1 and 5, you should get what you want, assuming 2003 has the hotfix installed, or you have 2008 AD. – Tot
I'm not sure example 5 applies. The "memberOf" attribute differs from other attributes in that it is "virtual" or calculated "on the fly". Also, I'm looking to query for multiple members and "get their nested group memberships". – Corbet

I think that you are getting confused between groups and nodes.

The Directory tree

A Directory is a tree in which every object is a node. Active Directory is a bit special because only a few object types, like organizationalUnits (OU), Domains or Containers, can be nodes containing user objects.

So a directory search consists of:

  1. The node that the search begins from, which is identified by a Distinguished Name (DN)
  2. The attributes you want to be brought back
  3. The depth of the search (base, one-level, subtree)
  4. The filter.

Each object in the directory contains attributes, with a name and a syntax. For some attributes like member, memberOf, manager, managedBy, Microsoft provides a special syntax called uniqueName. This syntax is for a distinguished name, but the directory provides a kind of relational integrity for these attributes. This means that, for example, if you move the object in the directory, the DN inside this attribute will retain its value. If you move a user, the member attribute in groups it belongs to is adjusted automatically.

Now LDAP_MATCHING_RULE_IN_CHAIN.

When a user X is a member of group A, the user X DN is in the member attribute of the A group, and the A group DN is in the memberOf attribute of the user X. If group A is a member of group B, user X belongs to group B but the B group DN is NOT in the memberOf attribute of user X. Here you can use LDAP_MATCHING_RULE_IN_CHAIN to find recursive membership in groups. This is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

Microsoft's example of such a query is one designed to check whether a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1, cn=users, dc=x) and the scope to base, and use the following filter.

(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

So LDAP_MATCHING_RULE_IN_CHAIN has nothing to do with the directory tree node.

Intestine answered 31/3, 2012 at 5:19 Comment(2)
He wants all members of the Employees group and all sub groups. His query was fine. He just mixed up person and user (category or class). – Tot
This was a nice, concise description of what chain LDAP_MATCHING_RULE_IN_CHAIN is actually checking. – Picrate
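The answer above describes the matching rule as a walk up the memberOf chain and gives the two filter shapes (members of a group, groups of a user). The following is an added example, not code from the original question or answers: it reproduces that chain walk client-side over a constructed copy of the question's Employees/Executives/Engineers tree, so you can see why "Mister Executive" matches the chain filter while his stored memberOf still lists only "Executives", and it builds both filters with RFC 4515 escaping of the DN. All DNs and the in-memory directory are constructed for illustration; only the OID comes from the page.

```python
"""Added example, not part of the original Q&A: what LDAP_MATCHING_RULE_IN_CHAIN
does on the server (walk the memberOf chain to the root), reproduced over a
constructed directory, plus safe construction of the two filters.  Stdlib only.
"""
from collections import deque

# OID of the AD extended match rule LDAP_MATCHING_RULE_IN_CHAIN (from the page).
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed DNs modelled on the question's tree.
BASE = "CN=Users,DC=cloud,DC=com"
EMPLOYEES = "CN=Employees," + BASE
EXECUTIVES = "CN=Executives," + BASE
ENGINEERS = "CN=Engineers," + BASE
MR_EXEC = "CN=Mister Executive," + BASE
JOE = "CN=Joe Engineer," + BASE

GROUP = ["top", "group"]
USER = ["top", "person", "organizationalPerson", "user"]

# Constructed directory: memberOf holds only DIRECT parents, as AD stores it.
DIRECTORY = {
    EMPLOYEES: {"objectClass": GROUP, "memberOf": []},
    EXECUTIVES: {"objectClass": GROUP, "memberOf": [EMPLOYEES]},
    ENGINEERS: {"objectClass": GROUP, "memberOf": [EMPLOYEES]},
    MR_EXEC: {"objectClass": USER, "memberOf": [EXECUTIVES]},
    JOE: {"objectClass": USER, "memberOf": [ENGINEERS]},
}


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value.

    A DN copied from user input or from another search result must be escaped
    before it is interpolated into a filter; an unescaped '(' ')' '*' or '\\'
    changes the filter's meaning (LDAP filter injection).
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def nested_members_filter(group_dn, object_class="user"):
    """Objects of object_class that belong to group_dn, directly or nested."""
    return "(&(objectClass=%s)(memberOf:%s:=%s))" % (
        object_class, IN_CHAIN, escape_filter_value(group_dn))


def nested_groups_filter(user_dn):
    """Groups that user_dn belongs to, directly or nested."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))


def transitive_member_of(dn, directory=DIRECTORY):
    """Walk the memberOf chain from dn to the root, as the matching rule does.

    Breadth-first with a visited set, so circular nesting (A in B in A),
    which AD permits, terminates instead of looping forever.
    """
    seen = set()
    queue = deque(directory.get(dn, {}).get("memberOf", []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, {}).get("memberOf", []))
    return seen


def in_chain_members(group_dn, object_class="user", directory=DIRECTORY):
    """The result set nested_members_filter(group_dn, object_class) would return."""
    return {
        dn for dn, entry in directory.items()
        if object_class in entry["objectClass"]
        and group_dn in transitive_member_of(dn, directory)
    }


if __name__ == "__main__":
    print(nested_members_filter(EMPLOYEES))
    for dn in sorted(in_chain_members(EMPLOYEES)):
        # Matched by the chain rule, yet the stored memberOf is only the direct parent.
        print(dn, "memberOf:", DIRECTORY[dn]["memberOf"])
    print(nested_groups_filter(MR_EXEC), "->", sorted(transitive_member_of(MR_EXEC)))
```

The point the model makes explicit: the rule decides membership by walking the chain at query time, but it never rewrites the entry, so a search that asks for memberOf still gets the direct parent only. If you need the transitive list for each returned user, it takes one `member:1.2.840.113556.1.4.1941:=` search per user (the second filter), or the tokenGroups approach in the later answer.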

I've edited this because the listing was unnecessary...

Change your filter to:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=cloud,DC=com))
Tot answered 30/3, 2012 at 17:5 Comment(0)

If the problem you're trying to solve is:

I have a user DN and I want to find all groups to whom he/she belongs

What you want to use is the tokenGroups computed attribute which contains the SID of all the user's computed groups taking inheritance into account. This is what directory service integration tools do for maximum reliability.

(see also tokenGroupsGlobalAndUniversal as per your needs)

○ → ldapsearch -o ldif-wrap=no -LLL -Y GSSAPI -H ldap://ad1.mdmarra.local -b 'CN=Michael Brown,OU=Employees,DC=mdmarra,DC=local' -s base memberOf tokenGroups
dn: CN=Michael Brown,OU=Employees,DC=mdmarra,DC=local
memberOf: CN=Staff,OU=Security Groups,DC=mdmarra,DC=local
memberOf: CN=cloud_users,OU=Security Groups,DC=mdmarra,DC=local
memberOf: CN=TACACS-NOC-Customer,OU=Security Groups,DC=mdmarra,DC=local
memberOf: CN=TACACS-NOC,OU=Security Groups,DC=mdmarra,DC=local
memberOf: CN=PRTG-Admins,CN=Users,DC=mdmarra,DC=local
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsreSgAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsrQCgAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr7xkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr+xkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsrAQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsrcRIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr7ScAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr8BkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr8RkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr9hkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsrWigAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsrWygAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr7hkAAA==
tokenGroups:: AQUAAAAAAAUVAAAA2TH4QrS3zSIH5Tsr+RkAAA==

○ → ldbsearch -k yes -H ldap://ad1.mdmarra.local -b 'CN=Michael Brown,OU=Employees,DC=mdmarra,DC=local' -s base memberOf tokenGroups
…
memberOf: CN=PRTG-Admins,CN=Users,DC=mdmarra,DC=local
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-21-1123561945-583907252-725345543-10361
tokenGroups: S-1-5-21-1123561945-583907252-725345543-10304
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6639
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6651
tokenGroups: S-1-5-21-1123561945-583907252-725345543-513
tokenGroups: S-1-5-21-1123561945-583907252-725345543-4721
tokenGroups: S-1-5-21-1123561945-583907252-725345543-10221
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6640
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6641
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6646
tokenGroups: S-1-5-21-1123561945-583907252-725345543-10330
tokenGroups: S-1-5-21-1123561945-583907252-725345543-10331
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6638
tokenGroups: S-1-5-21-1123561945-583907252-725345543-6649
Heaviness answered 27/6, 2017 at 16:56 Comment(2)
Hmm... ldp.exe doesn't work but ldapsearch does. ldp.exe seems to require a query, i.e. objectclass=*, which throws this off. – Pebrook
@Pebrook Works for me in ldp.exe, with the following parameters: BaseDN=<your_user_dn>, Filter=(objectCategory=user), Scope=Base, Attributes=samAccountName;userPrincipalName;tokenGroups – Accoucheur
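The answer above shows the same tokenGroups values twice: ldapsearch prints the binary SIDs base64-encoded (the LDIF `tokenGroups::` form), ldbsearch prints them as S-1-... strings. The following is an added example, not code from the original answer: it decodes the base64 values into SID strings, splits the domain SID from the RID, and names the well-known ones, so the output of plain ldapsearch can be audited without ldbsearch. The two sample values are copied from the answer's ldapsearch output; the well-known SID and RID names are standard Windows assignments and are not from the page.

```python
"""Added example, not part of the original answer: decode LDIF base64
tokenGroups values into S-1-... SID strings and name the well-known ones.
Standard library only.
"""
import base64
import struct

# Sample input: the first two tokenGroups values from the answer's ldapsearch output.
SAMPLE_TOKEN_GROUPS_B64 = [
    "AQIAAAAAAAUgAAAAIQIAAA==",
    "AQUAAAAAAAUVAAAA2TH4QrS3zSIH5TsreSgAAA==",
]

# Well-known SIDs and domain-relative RIDs (standard Windows values, not from the page).
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
PRIVILEGED = {"BUILTIN\\Administrators", "Domain Admins", "Schema Admins", "Enterprise Admins"}


def sid_to_string(sid):
    """Binary SID -> 'S-R-I-S1-S2-...'.

    Layout: Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority
    (6 bytes, big-endian), then SubAuthorityCount little-endian uint32 values.
    """
    if len(sid) < 8:
        raise ValueError("SID too short: %d bytes" % len(sid))
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(sid) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(sid), count))
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_token_groups(b64_values):
    """LDIF base64 values (the 'attr:: ...' form) -> list of SID strings."""
    return [sid_to_string(base64.b64decode(v)) for v in b64_values]


def split_domain_rid(sid_str):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID); any other SID -> (sid_str, None)."""
    parts = sid_str.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid_str, None


def describe(sid_str):
    """Name for a well-known SID or domain RID, else None."""
    if sid_str in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid_str]
    _, rid = split_domain_rid(sid_str)
    return WELL_KNOWN_RIDS.get(rid)


def privileged_groups(b64_values):
    """Privileged well-known groups present in a tokenGroups value list.

    Because tokenGroups already includes nested membership, this catches an
    account that is an admin only through an intermediate group, which a
    check of the direct memberOf attribute would miss.
    """
    names = {describe(s) for s in decode_token_groups(b64_values)}
    return sorted(n for n in names if n in PRIVILEGED)


if __name__ == "__main__":
    for sid in decode_token_groups(SAMPLE_TOKEN_GROUPS_B64):
        print(sid, describe(sid) or "")
    print("privileged:", privileged_groups(SAMPLE_TOKEN_GROUPS_B64))
```

Two caveats a practitioner should keep in mind: tokenGroups is a constructed attribute, so it is only returned on a base-scope read of the single object, exactly as the `-s base` commands above do; and it reflects the security groups that would go into the account's token, so it is the right attribute for an effective-access audit but not a substitute for enumerating every group object a user is linked to.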
