ldap nested group membership
Is it possible to create an LDAP query which will return (or check for) users in a nested group? e.g. UserA is a member of GroupA, and GroupA is a member of GroupB. I want a query on GroupB to return that UserA is a member. LDAP only. The server is Active Directory.
Yes, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). For example:
(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)
see http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
You must use the full distinguished name of your group when using memberOf:1.2.840.113556.1.4.1941:=
in my case CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com
was the whole distinguished name
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=User,OU=Groups,OU=Security,DC=domain,DC=com))
you can get the distinguished name of you group by running the following code and putting in this filter (&(objectClass=group)(name=MyGroup))
Imports System.DirectoryServices
Module Module1
Sub Main()
Dim run As Boolean = True
Dim Filter As String
While run
Console.WriteLine("Enter Filter:")
Filter = Console.ReadLine()
If Filter = "exit" Then
run = False
Else
checkFilter(Filter)
End If
End While
End Sub
Function checkFilter(Filter As String) As Boolean
Dim search As New DirectorySearcher("LDAP://dc=Domain,dc=com")
Try
search.Filter = Filter
search.PropertiesToLoad.Add("name")
search.PropertiesToLoad.Add("distinguishedName")
search.SearchScope = SearchScope.Subtree
Dim results As SearchResultCollection = search.FindAll()
If results Is Nothing Then
Console.WriteLine("Nothing")
Return False
Else
If results.Count() = 0 Then
Console.WriteLine("non found")
End If
Dim result As SearchResult
For Each result In results
Console.WriteLine(result.Properties("name")(0).ToString())
Console.WriteLine(result.Properties("distinguishedName")(0).ToString())
'For Each prop In result.Properties("members")
' Console.WriteLine(prop.ToString())
'Next
Next
Console.WriteLine(String.Format("{0} Users Found", results.Count()))
End If
Catch ex As Exception
Console.WriteLine(ex.Message)
End Try
Return True
End Function
End Module
Per your question, the query should be
(&(memberOf:1.2.840.113556.1.4.1941:={0})(objectCategory=person)(objectClass=user)(sAMAccountName={1}))
{0}
is the nested group, it should be a Distinguished name
{1}
is the user sAMAccountName you want (you could use any other user property than sAMAccountName within (sAMAccountName={1})
)
Then you will get the user detail for response if the user is the member of nested group