ldap nested group membership

askvictor · Jun 1, 2011 · Viewed 74.6k times

Is it possible to create an LDAP query which will return (or check for) users in a nested group? e.g. UserA is a member of GroupA, and GroupA is a member of GroupB. I want a query on GroupB to return that UserA is a member. LDAP only. The server is Active Directory.

Answer

Andrew Strong · Jun 1, 2011

Yes, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). For example:

(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)

See http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
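An added example, not part of the question or answer: it builds the matching-rule filter from the answer with RFC 4515 escaping of the group DN (so a DN taken from user input cannot inject extra filter clauses), and walks a small constructed set of memberOf values to show locally what the server evaluates, including a group cycle. The DNs, the sample data, the `users_only` option and the local walk are this example's own assumptions.

```python
# OID of LDAP_MATCHING_RULE_IN_CHAIN, as given in the answer above
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash first, then the filter metacharacters."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))


def nested_member_filter(group_dn: str, users_only: bool = False) -> str:
    """Filter matching every object that is transitively a member of group_dn.
    The optional (objectClass=user) clause is this example's own addition."""
    chain = f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    return f"(&(objectClass=user){chain})" if users_only else chain


# Constructed sample of memberOf attributes (hypothetical DNs, not a real directory)
USER_A = "CN=UserA,CN=Users,DC=example,DC=test"
USER_C = "CN=UserC,CN=Users,DC=example,DC=test"
GROUP_A = "CN=GroupA,CN=Users,DC=example,DC=test"
GROUP_B = "CN=GroupB,CN=Users,DC=example,DC=test"
GROUP_C = "CN=GroupC,CN=Users,DC=example,DC=test"
GROUP_D = "CN=GroupD,CN=Users,DC=example,DC=test"
DIRECTORY = {
    USER_A: [GROUP_A],   # UserA -> GroupA -> GroupB, the chain from the question
    GROUP_A: [GROUP_B],
    USER_C: [GROUP_C],   # UserC sits in a GroupC <-> GroupD cycle unrelated to GroupB
    GROUP_C: [GROUP_D],
    GROUP_D: [GROUP_C],
}


def is_transitive_member(entry_dn: str, group_dn: str, directory: dict) -> bool:
    """Follow memberOf links from entry_dn until group_dn is reached.
    DNs compare case-insensitively; the seen-set stops group cycles."""
    target, seen = group_dn.lower(), set()
    stack = list(directory.get(entry_dn, []))
    while stack:
        dn = stack.pop()
        key = dn.lower()
        if key == target:
            return True
        if key not in seen:
            seen.add(key)
            stack.extend(directory.get(dn, []))
    return False


def nested_members(group_dn: str, directory: dict) -> list:
    """Local equivalent of the result set the filter above would return."""
    return sorted(dn for dn in directory if is_transitive_member(dn, group_dn, directory))
```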