Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ldap nested group membership

People also ask

Does LDAP support nested groups?

An LDAP security domain can contain nested LDAP groups. The Service Manager can import nested groups that are created in the following manner: Create the groups under the same organizational units (OU). Set the relationship between the groups.

What is nested group membership?

A 'nested group' is a group which is a member of another group. If you are using groups to manage permissions, you can create nested groups to allow inheritance of permissions from one group to its sub-groups.

What is nested group in LDAP?

Defining Nested Groups The developers group has two members: a person miranda and another group senior-developers . The senior-developers group has a single member: a person suzanne . When a group has another group as a member we call it a “nested group”.

What is group membership in LDAP?

Use the LDAP Group Members Connector to retrieve the members of LDAP groups. This component returns the user entries of group members, and not the group entries themselves. You can access information about the containing group and the parent/ancestor groups through properties.


Yes, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). For example:

(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)

see http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx


You must use the full distinguished name of your group when using memberOf:1.2.840.113556.1.4.1941:= in my case CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com was the whole distinguished name

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com))

you can get the distinguished name of you group by running the following code and putting in this filter (&(objectClass=group)(name=MyGroup))

Imports System.DirectoryServices

Module Module1

Sub Main()
    Dim run As Boolean = True
    Dim Filter As String
    While run
        Console.WriteLine("Enter Filter:")
        Filter = Console.ReadLine()
        If Filter = "exit" Then
            run = False
        Else
            checkFilter(Filter)
        End If
    End While
End Sub

Function checkFilter(Filter As String) As Boolean
    Dim search As New DirectorySearcher("LDAP://dc=Domain,dc=com")
    Try
        search.Filter = Filter
        search.PropertiesToLoad.Add("name")
        search.PropertiesToLoad.Add("distinguishedName")
        search.SearchScope = SearchScope.Subtree
        Dim results As SearchResultCollection = search.FindAll()
        If results Is Nothing Then
            Console.WriteLine("Nothing")
            Return False
        Else
            If results.Count() = 0 Then
                Console.WriteLine("non found")
            End If
            Dim result As SearchResult
            For Each result In results
                Console.WriteLine(result.Properties("name")(0).ToString())
                Console.WriteLine(result.Properties("distinguishedName")(0).ToString())
                'For Each prop In result.Properties("members")
                '    Console.WriteLine(prop.ToString())
                'Next
            Next
            Console.WriteLine(String.Format("{0} Users Found", results.Count()))
        End If
    Catch ex As Exception
        Console.WriteLine(ex.Message)
    End Try
    Return True
End Function

End Module

Per your question, the query should be

(&(memberOf:1.2.840.113556.1.4.1941:={0})(objectCategory=person)(objectClass=user)(sAMAccountName={1}))

{0} is the nested group, it should be a Distinguished name

{1} is the user sAMAccountName you want (you could use any other user property than sAMAccountName within (sAMAccountName={1}))

Then you will get the user detail for response if the user is the member of nested group