Stephane

Reputation: 3402

Inconsistent LDAP filter results

I'm attempting to find out if a user is an indirect member of a specific AD group. This is done from a Delphi XE5 program but, for clarity, I have written (and tested) my samples in PowerShell.

Unfortunately, I receive completely inconsistent results from my LDAP queries: the same query will sometimes work fine and, sometimes, return that the user isn't a member of the given group.

Here is a (PowerShell) sample of what I'm attempting:

get-aduser -LDAPFilter "(memberof:1.2.840.113556.1.4.1941:=CN=egaa_app,OU=Applications,OU=access,OU=groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx)" -SearchBase "CN=usr-sgr,OU=expert1,OU=experts,OU=remoteusers,OU=users,OU=exogit,OU=xxx,DC=xxx,DC=xxx,DC=xxx"

The above command should return the user usr-sgr object if it is directly or indirectly a member of the AD group CN=egaa_app,OU=Applications,OU=access,OU=groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx

Yet, when I run it once, I get an empty result. If I open the user in the AD MMC and update it somehow (in my case, I changed the user's "primary group" and then changed it back), the same query successfully returns the user object.

I have also attempted to use the "reverse" query (which checks if a given group contains the user indirectly) and I witnessed the same behavior.

All this was done on a member server (Windows 2008 R2, patched), from within the same login session.

Upvotes: 1

Views: 786

Answers (1)

JPBlanc

Reputation: 72630

I think I can explain this to you.

First, a small reminder about LDAP_MATCHING_RULE_IN_CHAIN:

The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to provide a method to look up the ancestry of an object. An example of such a query is one designed to check if a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1, cn=users, dc=x) and the scope to base, and use the following query.

(memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

Here the attribute memberof is the one that is going to be searched in chain in each group object. Use the attribute editor from the "Active Directory Users and Computers" MMC to follow this attribute:

(Screenshot: AD attribute editor)

And then change the primary group: you will see that the new primary group disappears from the memberof attribute list, and the old one appears in the attribute.

Conclusion: the primary group is not supported by the LDAP_MATCHING_RULE_IN_CHAIN.

In any case, be careful to set up the scope (-SearchScope) in PowerShell.

By the way, for me, the best tool to test this kind of filter is LDIFDE.EXE.

ldifde -f c:\temp\test.ldif -d "CN=Jean-Paul Blanc,OU=Interne,OU=Silogix,DC=silogix,DC=local" -r "(memberof:1.2.840.113556.1.4.1941:=CN=bidon,OU=Interne,OU=Silogix,DC=silogix,DC=local)" -p base

Upvotes: 1
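A way to make the membership check robust against the primary-group gap the answer describes, as an added PowerShell example (not code from either post): it runs the chain walk on the user, and if that finds nothing, resolves primaryGroupID to the primary group and walks the chain from there. It assumes the ActiveDirectory module is available, that the user and group are in the same domain, and that the caller can read both objects.

```powershell
# Added example, not from the question or answer: recursive membership check that also
# covers the primary group, which the 1.2.840.113556.1.4.1941 chain walk over memberOf
# does not see. Assumes the ActiveDirectory module and read access to the objects.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ * ( or ) cannot break the filter
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Test-ChainedMemberOf([string]$ObjectDN, [string]$GroupDN) {
    # Base-scope search on the object itself: the result is non-empty only if the
    # object's memberOf chain reaches $GroupDN (direct or nested membership).
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDN))"
    $hit = Get-ADObject -LDAPFilter $filter -SearchBase $ObjectDN -SearchScope Base
    return ($null -ne $hit)
}

function Test-ADGroupMemberRecursive([string]$UserDN, [string]$GroupDN) {
    # 1. Normal chain walk over memberOf (what the question's filter does).
    if (Test-ChainedMemberOf -ObjectDN $UserDN -GroupDN $GroupDN) { return $true }

    # 2. The primary group is stored as a RID in primaryGroupID, not in memberOf,
    #    so build its SID (domain SID + RID), fetch the group and repeat the walk.
    $user = Get-ADUser -Identity $UserDN -Properties primaryGroupID
    $primarySid = "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)"
    $primary = Get-ADGroup -Identity $primarySid
    if ($primary.DistinguishedName -eq $GroupDN) { return $true }
    return (Test-ChainedMemberOf -ObjectDN $primary.DistinguishedName -GroupDN $GroupDN)
}

# Usage with the (placeholder) DNs from the question:
Test-ADGroupMemberRecursive `
    -UserDN  'CN=usr-sgr,OU=expert1,OU=experts,OU=remoteusers,OU=users,OU=exogit,OU=xxx,DC=xxx,DC=xxx,DC=xxx' `
    -GroupDN 'CN=egaa_app,OU=Applications,OU=access,OU=groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx'
```

The same two-step check can be applied from the group side (the "reverse" query in the question) by walking the member attribute instead of memberOf and then separately testing whether the user's resolved primary group is the target group or nested in it.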
