group membership from AD nested groups

IAM David Bantz dabantz at
Tue Dec 15 23:19:34 UTC 2020

I see some short discussions from years past, but am hoping for updates
with greater clarity.

Do you search nested groups in Active Directory to obtain all group
memberships for users?
2017 exchange in this list described use of LDAP_MATCHING_RULE_IN_CHAIN
matching rule (OID 1.2.840.113556.1.4.1941)
but noted “it’s very slow”, a verdict echoed in multiple other sites.

I have one service asking to receive group memberships including
memberships implied by nested AD groups,
but am wary of using 1.2.840.113556.1.4.1941 from the sparse information I
have found.

Are IdPs regularly using this technique to retrieve implied group members?
An alternative strategy (explicit iteration in some script, say)?
Relying only on direct group memberships or eduPersonEntitlement or other
“flattened” source for entitlements?

If you do return implicit group memberships via LDAP query to AD, can you
provide details?
(My attempt to implement in Apache Directory Studio robustly returns no

David St.Pierre Bantz
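An added example, not from David's post or from anyone on the list, illustrating the two strategies the question contrasts: the server-side LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) that asks the domain controller to walk the nesting, and explicit client-side iteration over memberOf. The directory contents, DNs and group names below are constructed for the example; the chain filter is only built as a string here, not sent to a real AD, and the iteration runs against the constructed in-memory map so the block works offline.

```python
"""Nested AD group membership: chain-rule filter vs. explicit iteration.

Added example (not from the original mailing-list post). Sample DNs and
the SAMPLE_DIRECTORY map are constructed; nothing here talks to a live AD.
"""
from collections import deque

# Matching-rule OID Microsoft documents as LDAP_MATCHING_RULE_IN_CHAIN.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter.

    DNs taken from user input or from another attribute can contain
    parentheses, '*' or backslashes; left unescaped they change the
    meaning of the filter, so escape them before interpolation.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_chain_filter(user_dn):
    """Filter matching every group that contains user_dn directly or
    through any depth of nesting. Search it with the groups container
    (or the domain root) as the base; the DC does the walk."""
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def build_reverse_chain_filter(group_dn):
    """The inverse question: every person whose memberOf chain reaches
    group_dn. Useful for auditing who effectively holds a group."""
    return "(&(objectCategory=person)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


# Constructed sample: each DN maps to the DNs listed in its memberOf
# attribute. The "All Staff" <-> "IT Department" entries form a deliberate
# cycle, which real AD forests do contain and a naive walker loops on.
SAMPLE_DIRECTORY = {
    "CN=dbantz,OU=Users,DC=example,DC=edu": [
        "CN=IAM Staff,OU=Groups,DC=example,DC=edu"],
    "CN=IAM Staff,OU=Groups,DC=example,DC=edu": [
        "CN=IT Department,OU=Groups,DC=example,DC=edu"],
    "CN=IT Department,OU=Groups,DC=example,DC=edu": [
        "CN=All Staff,OU=Groups,DC=example,DC=edu"],
    "CN=All Staff,OU=Groups,DC=example,DC=edu": [
        "CN=IT Department,OU=Groups,DC=example,DC=edu"],  # cycle
    "CN=Contractors,OU=Groups,DC=example,DC=edu": [
        "CN=All Staff,OU=Groups,DC=example,DC=edu"],      # unrelated branch
}


def transitive_groups(directory, start_dn, max_depth=50):
    """Client-side alternative: breadth-first walk over memberOf.

    'directory' stands in for a lookup that would normally be one LDAP
    read of memberOf per DN. The visited set stops cycles and the depth
    cap bounds the cost on pathological nesting. Note that memberOf does
    not list a user's primary group (primaryGroupID), so a complete
    implementation resolves that separately.
    """
    seen = set()
    queue = deque([(start_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for group_dn in directory.get(dn, []):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append((group_dn, depth + 1))
    return sorted(seen)


if __name__ == "__main__":
    user = "CN=dbantz,OU=Users,DC=example,DC=edu"
    print(build_chain_filter(user))
    for g in transitive_groups(SAMPLE_DIRECTORY, user):
        print(" ", g)
```

The chain filter trades client round trips for server work, which is where the "very slow" reputation comes from on deep or wide hierarchies; the iterative walk costs one memberOf read per group visited but is easy to cap, cache and observe. Either way, escaping the DN before interpolation is the part most home-grown scripts skip.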