Reputation: 12720
This LDAP query successfully enumerates all users within a group:
memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2. In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup2, and then make the union.
However, I am asking how I can achieve the same results with only one LDAP query, asking for all the users within MyGroup1 and sub-groups.
Any idea?
Upvotes: 2
Views: 15273
Reputation: 5885
If your server is Microsoft Active Directory then you can use some extended rules. One of those rules does basically what you are looking for. Look at this answer.
Try this:
memberof:1.2.840.113556.1.4.1941:=CN=Some Group,OU=My Organization Unit,DC=company,DC=com
Quoting from that answer:
[...] it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN): This rule is limited to filters that apply to the DN. This is a special "extended match operator" that walks the chain of ancestry in objects all the way to the root until it finds a match.
Upvotes: 3
Reputation: 11132
There is no such thing as a subgroup, just groups. The correct term is subordinate, i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.
Use the following parameters in an LDAP search request:
base: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
These search request parameters should result in a search result with two entries, the distinguished name of each entry, and the attributes whose values are the distinguished names of the members of each group.
Upvotes: 3
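An added example (not from the question or either answer) covering both approaches above: it builds the Active Directory chain-matching filter from the first answer with RFC 4515 escaping of the group DN (an unescaped DN containing `(`, `)`, `*` or `\` would break or alter the filter), and, for servers without LDAP_MATCHING_RULE_IN_CHAIN, performs the client-side union from the second answer with protection against nested-group cycles. The directory and the user DNs are a constructed in-memory stand-in; the group DNs extend the question's naming and are hypothetical.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD extended-match OID from the answer


def escape_filter_value(value: str) -> str:
    """Escape a DN or other value for use inside an LDAP search filter (RFC 4515)."""
    out = value.replace("\\", "\\5c")  # backslash first, so the escapes below are not re-escaped
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out


def in_chain_filter(group_dn: str, attribute: str = "memberOf") -> str:
    """Server-side filter: every object nested at any depth inside group_dn."""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


def flatten_members(directory: dict, group_dn: str) -> set:
    """Client-side union of members across nested groups, safe against cycles."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:  # already expanded, or a cycle back to an ancestor group
            continue
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            if "group" in directory.get(member_dn, {}).get("objectClass", []):
                stack.append(member_dn)  # expand nested group on a later iteration
            else:
                users.add(member_dn)
    return users


# Constructed stand-in directory (hypothetical DNs based on the question's naming).
# MySubGroup2 also lists MyGroup1 as a member, which exercises the cycle check.
BASE = "OU=Global Groups,DC=mycompany,DC=com"
GROUP1 = "CN=MyGroup1," + BASE
SUB1 = "CN=MySubGroup1,OU=MyGroup1," + BASE
SUB2 = "CN=MySubGroup2,OU=MyGroup1," + BASE
ALICE, BOB, CAROL = ("CN=%s,OU=Users,DC=mycompany,DC=com" % n for n in ("alice", "bob", "carol"))
SAMPLE_DIRECTORY = {
    GROUP1: {"objectClass": ["group"], "member": [SUB1, SUB2, CAROL]},
    SUB1: {"objectClass": ["group"], "member": [ALICE]},
    SUB2: {"objectClass": ["group"], "member": [BOB, GROUP1]},
    ALICE: {"objectClass": ["user"]}, BOB: {"objectClass": ["user"]}, CAROL: {"objectClass": ["user"]},
}

if __name__ == "__main__":
    print(in_chain_filter(GROUP1))  # one query does the whole walk on an AD domain controller
    print(sorted(flatten_members(SAMPLE_DIRECTORY, GROUP1)))  # the client-side union
```

On a real server the filter string would be passed to the search call of your LDAP client library with the directory's base DN and subtree scope.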