AD nested groups

[Hong Ye]

Hi,

Does anyone know how to get all the AD group membership including nested groups for a user in AttributeResolver? I tried the solution below, but it’s very slow. Is there any other solution?

<!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
    <resolver:AttributeDefinition id="distinguishedName" xsi:type="ad:Simple"
              sourceAttributeID="distinguishedname">
        <resolver:Dependency ref="psdldap" />
        <!-- no encoder needed, use your existing ldap connector as dependency -->
    </resolver:AttributeDefinition>

    <!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute (copy from existing connector, note searchTimeLimit) -->
    <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc" ldapURL="ldap://ldap-server:389" baseDN="your base dn" principal="Admin User CN" principalCredential="Admin Pass" useStartTLS="false" maxResultSize="1000" mergeResults="true" searchTimeLimit="0">
        <resolver:Dependency ref="distinguishedName" />
        <dc:FilterTemplate>
            <![CDATA[
                (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
            ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
        <dc:LDAPProperty name="java.naming.referral" value="follow"/>
    </resolver:DataConnector>

    <resolver:AttributeDefinition id="memberOf" xsi:type="ad:Simple"
              sourceAttributeID="distinguishedName">
        <resolver:Dependency ref="groupLDAP" />
        <!-- no encoder needed -->
    </resolver:AttributeDefinition>

Thanks,
Hong



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170725/13382ed2/attachment-0001.html>