I need information regarding an LDAP search filter to extract nested group membership. Basically, my idea is: say a user belongs to 5 groups [A, B, C, D, E]. Can I write a single LDAP search query to get the groups of which groups [A, B, C, D, E] may themselves be members? And can I use this logic recursively to retrieve all group information up to the complete root of the AD?
And I need this solution to be for generic AD, so I cannot use LDAP_RULE_IN_CHAIN filter which works only for MS AD.
Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries -- nothing more. The implementation of group support, including how data structures like nested and dynamic groups are handled, queried, verified, etc., is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversing (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are automatically done for the LDAP client. For instance, SDS provides operational attributes like ibm-allgroups and ibm-allmembers to help LDAP clients pull group and membership information in nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server software, but that depends on how sophisticated you want to get with group support in your application.
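The following is an added example (not code from the question or the answer above) of the vendor-neutral fallback the question describes: one OR-filter per round that asks "which groups list any of these DNs as a member", repeated upward until no new parents appear. It assumes the directory represents nesting by putting a child group's DN in the parent's `member` attribute (the `groupOfNames` convention), which, as the answer notes, is not guaranteed for every vendor; the `search` callable is a stand-in for a real LDAP search and is backed here by a constructed in-memory directory. Two points a practitioner should not skip are shown: every DN interpolated into the filter is escaped per RFC 4515 so a DN containing `(`, `)`, `*` or `\` cannot change the filter's structure, and the traversal keeps a visited set plus a depth cap because nested groups can form cycles.

```python
import re
from typing import Callable, Dict, Iterable, List, Set

# RFC 4515 escaping for values placed inside a search filter. Backslash must
# be handled like any other character here (each char is mapped once), so the
# dictionary lookup is safe in a single pass.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_parent_filter(group_dns: Iterable[str], member_attr: str = "member") -> str:
    """Filter matching every group that lists any of group_dns as a member.

    Assumption: the directory stores nested groups as DNs in `member_attr`
    (groupOfNames style); adjust the objectClass/attribute for your vendor.
    """
    clauses = "".join(f"({member_attr}={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectClass=groupOfNames)(|{clauses}))"


def collect_parent_groups(
    start_dns: Iterable[str],
    search: Callable[[str], List[str]],
    member_attr: str = "member",
    max_depth: int = 50,
) -> List[str]:
    """Breadth-first walk up the nesting hierarchy.

    `search(filter_str)` must return the DNs of the groups matching the filter.
    Returns the ancestor group DNs in discovery order, excluding start_dns.
    DNs are compared case-insensitively, a simplification of DN matching rules.
    """
    seen: Set[str] = {dn.lower() for dn in start_dns}
    frontier: List[str] = list(start_dns)
    ancestors: List[str] = []
    depth = 0
    while frontier and depth < max_depth:   # depth cap guards against cycles/runaway trees
        depth += 1
        next_frontier: List[str] = []
        for parent_dn in search(build_parent_filter(frontier, member_attr)):
            key = parent_dn.lower()
            if key in seen:                 # already visited: cycle or shared ancestor
                continue
            seen.add(key)
            ancestors.append(parent_dn)
            next_frontier.append(parent_dn)
        frontier = next_frontier
    return ancestors


# ---- In-memory stand-in for an LDAP server (constructed for this example) ----
_CLAUSE = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex sequences) for the fake matcher."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def make_fake_search(directory: Dict[str, Set[str]], member_attr: str = "member"):
    """Return a search() that evaluates only the (member=...) clauses of a filter."""
    def search(ldap_filter: str) -> List[str]:
        wanted = {unescape_filter_value(v).lower()
                  for attr, v in _CLAUSE.findall(ldap_filter) if attr == member_attr}
        return [dn for dn, members in directory.items()
                if any(m.lower() in wanted for m in members)]
    return search


# Constructed sample: group DN -> set of member DNs. A -> B -> C -> A is a cycle,
# and "D (ops)" carries parentheses to exercise the filter escaping.
SAMPLE_DIRECTORY: Dict[str, Set[str]] = {
    "cn=A,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com",
                                         "cn=C,ou=groups,dc=example,dc=com"},
    "cn=B,ou=groups,dc=example,dc=com": {"cn=A,ou=groups,dc=example,dc=com"},
    "cn=C,ou=groups,dc=example,dc=com": {"cn=B,ou=groups,dc=example,dc=com"},
    "cn=D (ops),ou=groups,dc=example,dc=com": {"cn=B,ou=groups,dc=example,dc=com"},
}


def nested_groups_of_a() -> List[str]:
    """All groups that transitively contain group A in the sample directory."""
    return collect_parent_groups(["cn=A,ou=groups,dc=example,dc=com"],
                                 make_fake_search(SAMPLE_DIRECTORY))


if __name__ == "__main__":
    for dn in nested_groups_of_a():
        print(dn)
```

Against a real server, replace `make_fake_search` with a function that runs the filter under the groups' base DN and returns the matching entries' DNs; the traversal and escaping logic stay the same. The number of round trips equals the nesting depth, not the number of groups, because each round folds the whole frontier into one OR-filter.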