Can LDAP_MATCHING_RULE_IN_CHAIN return 'subtree search results' with attributes (specifically "memberOf")?

I have an active directory (AD) test instance with nested groups: Employees (Parent) with two subgroups: Executives and Engineers.

Tree:
  Employees
  |
  -Executives
  |   |
  |   -Mister Executive
  |
  -Engineers
      |
      -Joe Engineer

I see that the AD-extension LDAP_MATCHING_RULE_IN_CHAIN will search the subtree; I can search for all users who are employees with this query:

query:
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=cloud,DC=com))

The Problem: Recursive Search, but no Recursive Results

However, I cannot find a way to get the "subtree search results", i.e. while the query returns "Mister Executive" as an "Employee", the 'memberOf' attribute only lists "Executives", i.e. the group to which he directly belongs. I've checked all other attributes and don't see any 'employee'.

Recap

So for final clarification: does AD allow any way to retrieve "subtree memberOf" results along with "subtree" LDAP_MATCHING_RULE_IN_CHAIN ("memberOf:1.2.840.113556.1.4.1941:=") searches?

thanks in advance,

user331465 asked Dec 21 '22 00:12



2 Answers

I think that you are getting confused between groups and nodes.

The Directory tree

A directory is a tree in which every object is a node. Active Directory is a bit special because only a few objects, like organizationalUnits (OU), Domains or Containers, can be nodes containing user objects.

So a directory search consists of:

  1. The node that the search begins from, which is identified by a Distinguished Name (DN)
  2. The attributes you want to be brought back
  3. The depth of the search (base, one-level, subtree)
  4. The filter.

Each object in the directory contains attributes, with a name and a syntax. For some attributes like member, memberOf, manager, managedBy, Microsoft provides a special syntax called uniqueName. This syntax is for a distinguished name, but the directory provides a kind of relational integrity for these attributes. This means that, for example, if you move the object in the directory, the DN inside this attribute will retain its value. If you move a user, the member attribute in groups it belongs to is adjusted automatically.

Now LDAP_MATCHING_RULE_IN_CHAIN.

When a user X is a member of group A, the user X DN is in the member attribute of group A, and the group A DN is in the memberOf attribute of user X. If group A is a member of group B, user X belongs to group B, but the group B DN is NOT in the memberOf attribute of user X. Here you can use LDAP_MATCHING_RULE_IN_CHAIN to find recursive belonging to groups. This is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

Microsoft's example of such a query is one designed to check whether a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1,cn=users,dc=x) and the scope to base, and use the following query.

(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

So LDAP_MATCHING_RULE_IN_CHAIN has nothing to do with the directory tree node.

JPBlanc answered Feb 13 '23 07:02

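The following is an added example, not code from the question or from either answer. It simulates, on a constructed in-memory copy of the poster's tree, what the chain matching rule (OID 1.2.840.113556.1.4.1941) evaluates server-side, why a matched user's own memberOf attribute still lists only the direct group, and how the "subtree memberOf" list can be derived anyway (client-side walk, or the member: chain query with the groups container as base). The DIRECTORY entries, DNs and function names are constructed for the example; nothing here contacts a real directory.

```python
# Added example (not from the original question or answers). Constructed data only.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: DN -> attributes. Only direct links are stored, as AD
# does, so Mister Executive's memberOf names Executives but not Employees.
DIRECTORY = {
    "CN=Employees,CN=Users,DC=cloud,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Executives,CN=Users,DC=cloud,DC=com",
                   "CN=Engineers,CN=Users,DC=cloud,DC=com"],
        "memberOf": [],
    },
    "CN=Executives,CN=Users,DC=cloud,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Mister Executive,CN=Users,DC=cloud,DC=com"],
        "memberOf": ["CN=Employees,CN=Users,DC=cloud,DC=com"],
    },
    "CN=Engineers,CN=Users,DC=cloud,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Joe Engineer,CN=Users,DC=cloud,DC=com"],
        "memberOf": ["CN=Employees,CN=Users,DC=cloud,DC=com"],
    },
    "CN=Mister Executive,CN=Users,DC=cloud,DC=com": {
        "objectClass": ["person", "user"],
        "member": [],
        "memberOf": ["CN=Executives,CN=Users,DC=cloud,DC=com"],
    },
    "CN=Joe Engineer,CN=Users,DC=cloud,DC=com": {
        "objectClass": ["person", "user"],
        "member": [],
        "memberOf": ["CN=Engineers,CN=Users,DC=cloud,DC=com"],
    },
}


def _norm(dn):
    # DN matching in AD is case-insensitive; compare on a normalised form.
    return dn.strip().lower()


INDEX = {_norm(dn): attrs for dn, attrs in DIRECTORY.items()}


def chain(start_dn, attribute):
    """All DNs reachable from start_dn by repeatedly following `attribute`.

    This is the closure the chain matching rule evaluates. The `found` map
    doubles as a cycle guard, because AD allows groups to contain each other.
    """
    found = {}                      # normalised DN -> DN as stored
    todo = [start_dn]
    while todo:
        dn = todo.pop()
        for linked in INDEX.get(_norm(dn), {}).get(attribute, []):
            if _norm(linked) not in found:
                found[_norm(linked)] = linked
                todo.append(linked)
    return sorted(found.values())


def chain_matches(entry_dn, attribute, target_dn):
    """Evaluate (attribute:1.2.840.113556.1.4.1941:=target_dn) against one entry."""
    return _norm(target_dn) in {_norm(d) for d in chain(entry_dn, attribute)}


def effective_groups(user_dn):
    """The 'subtree memberOf' the question asks for. AD never stores it on the
    user object, so it has to be derived: this walk, or groups_in_chain()."""
    return chain(user_dn, "memberOf")


def users_in_chain(group_dn):
    """The question's filter: persons whose memberOf chain reaches group_dn."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if "person" in attrs["objectClass"]
                  and chain_matches(dn, "memberOf", group_dn))


def groups_in_chain(user_dn):
    """Microsoft's second example: groups whose member chain reaches user_dn
    (base = groups container, scope = subtree)."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if "group" in attrs["objectClass"]
                  and chain_matches(dn, "member", user_dn))


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter, so a DN taken from
    user input cannot change the filter's structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def chain_filter(attribute, dn):
    """Build the extended-match filter string for a given attribute and DN."""
    return "(%s:%s:=%s)" % (attribute, MATCHING_RULE_IN_CHAIN,
                            escape_filter_value(dn))


if __name__ == "__main__":
    me = "CN=Mister Executive,CN=Users,DC=cloud,DC=com"
    print("direct memberOf :", DIRECTORY[me]["memberOf"])
    print("effective groups:", effective_groups(me))
    print("filter          :", chain_filter("member", me))
```

Running the block shows the two views side by side: the stored memberOf of Mister Executive contains only Executives, while the chain walk (and equivalently a `member:` chain search rooted at the groups container) yields both Executives and Employees. The escaping helper matters whenever the DN in the filter comes from a caller rather than from configuration.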


I've edited this because the listing was unnecessary...

Change your filter to:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=cloud,DC=com))
Daro answered Feb 13 '23 07:02
