I have a scheme that looks like this:
I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:
Values:
CN=OverGroup,OU=Groups,DC=example,DC=com
but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:
Values:
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com
Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)
Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?
Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.
Here is an example of how to retrieve all users in a group, including nested groups:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
where {0}
is the DN of the parent group.