I have an active directory (AD) test instance with nested groups: Employees (Parent) with two subgroups: Executives and Engineers.
Tree:
    Employees
    |
    -Executives
    |  |
    |  -Mister Executive
    |
    -Engineers
       |
       -Joe Engineer
I see that the AD-extension LDAP_MATCHING_RULE_IN_CHAIN will search the subtree; I can search for all users who are employees with this query:
query:
( & (objectClass=person) (memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=cloud,DC=com))
The Problem: Recursive Search, but no Recursive Results
However, I cannot find a way to get the "subtree search results": while the query returns "Mister Executive" as an "Employee", the 'memberOf' attribute only lists "Executives", i.e. the group to which he directly belongs. I've checked all other attributes and don't see any 'employee'.
Recap
So, for final clarification: does AD allow any way to retrieve "subtree memberOf" results along with "subtree" LDAP_MATCHING_RULE_IN_CHAIN ("memberOf:1.2.840.113556.1.4.1941:=") searches?
thanks in advance,
I think that you are getting confused between groups and nodes.
The Directory tree
A Directory is a tree in which every object is a node. Active Directory is a bit special because only a few objects like organizationalUnits (OU), Domains or Containers can be nodes containing user objects.
So a directory search consists of:
Each object in the directory contains attributes, with a name and a syntax. For some attributes like member, memberOf, manager, managedBy, Microsoft provides a special syntax called uniqueName. This syntax is for a distinguished name, but the directory provides a kind of relational integrity for these attributes. This means that, for example, if you move the object in the directory, the DN inside this attribute will retain its value. If you move a user, the member attribute in groups it belongs to is adjusted automatically.
Now LDAP_MATCHING_RULE_IN_CHAIN.
When a user X is a member of group A, the user X DN is in the member attribute of group A, and the group A DN is in the memberOf attribute of user X. If group A is a member of group B, user X belongs to group B, but the group B DN is NOT in the memberOf attribute of user X. Here you can use LDAP_MATCHING_RULE_IN_CHAIN to find recursive belonging to groups. This is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
Microsoft's example of such a query is one designed to check if a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1, cn=users, dc=x) and the scope to base, and use the following query.
(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)
Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter.
(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
So LDAP_MATCHING_RULE_IN_CHAIN has nothing to do with the directory tree node.
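Worked example added here, not part of the question or the answer: a constructed in-memory model of the question's test directory, a helper that builds the extensible-match filters shown above with RFC 4515 escaping (so a DN taken from user input cannot alter the filter), and a transitive walk of memberOf links showing why the direct attribute lists only Executives while the chain search over the groups container also yields Employees. The DNs and group layout are assumed from the question; the walk mimics what the matching rule does server-side, it does not contact an AD.

```python
from typing import Dict, List, Set

# Matching-rule OID for LDAP_MATCHING_RULE_IN_CHAIN, as quoted on the page.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed in-memory slice of the question's directory (assumed DNs, not a real AD);
# each entry carries only the direct member/memberOf links that AD itself maintains.
USERS = "CN=Users,DC=cloud,DC=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"CN=Employees,{USERS}": {"objectClass": ["group"], "memberOf": [],
                              "member": [f"CN=Executives,{USERS}", f"CN=Engineers,{USERS}"]},
    f"CN=Executives,{USERS}": {"objectClass": ["group"], "memberOf": [f"CN=Employees,{USERS}"],
                               "member": [f"CN=Mister Executive,{USERS}"]},
    f"CN=Engineers,{USERS}": {"objectClass": ["group"], "memberOf": [f"CN=Employees,{USERS}"],
                              "member": [f"CN=Joe Engineer,{USERS}"]},
    f"CN=Mister Executive,{USERS}": {"objectClass": ["person"],
                                     "memberOf": [f"CN=Executives,{USERS}"], "member": []},
    f"CN=Joe Engineer,{USERS}": {"objectClass": ["person"],
                                 "memberOf": [f"CN=Engineers,{USERS}"], "member": []},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value: '\\', '*', '(', ')' and NUL
    become \\xx hex escapes, so a caller-supplied DN cannot inject extra filter terms."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def chain_filter(attr: str, dn: str) -> str:
    """Build the extensible-match filter from the answer, e.g. (member:<OID>:=<dn>)."""
    return f"({attr}:{IN_CHAIN}:={escape_filter_value(dn)})"

def direct_groups(dn: str) -> List[str]:
    """What the plain memberOf attribute of an entry shows: only direct parents."""
    return list(DIRECTORY[dn]["memberOf"])

def transitive_groups(dn: str) -> Set[str]:
    """What (member:IN_CHAIN:=dn) searched over the groups container returns: every group
    reachable by following memberOf links upward. The visited set stops the walk on
    circular nesting, which AD permits and which would otherwise loop forever."""
    seen: Set[str] = set()
    stack = direct_groups(dn)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(direct_groups(group))
    return seen
```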