group membership from AD nested groups

Rob Gorrell rwgorrel at
Tue Dec 15 23:50:35 UTC 2020

I know this isn't directly answering your question, but since we use
Grouper to provision our AD groups, what are implied/nested memberships in
Grouper actually get flattened to explicit memberships when provisioned to
AD and then our shibb IDP doesn't have to worry for the most part about
retrieval of implied group memberships in AD. There are some groups in AD
outside Grouper's provisioning, but these are hardly ever a concern for


On Tue, Dec 15, 2020 at 6:19 PM IAM David Bantz <dabantz at> wrote:

> I see some short discussions from years past, but am hoping for updates
> with greater clarity.
> Do you search nested groups in Active Directory to obtain all group
> memberships for users?
> 2017 exchange in this list described use of LDAP_MATCHING_RULE_IN_CHAIN
> matching rule (OID 1.2.840.113556.1.4.1941)
> (
> but noted “it’s very slow”, a verdict echoed in multiple other sites.
> I have one service asking to receive group memberships including
> memberships implied by nested AD groups,
> but am wary of using 1.2.840.113556.1.4.1941 from the sparse information
> I have found.
> e.g.,
> Are IdP’s regularly using this technique to retrieve implied group members?
> An alternative strategy (explicit iteration in some script, say)?
> Relying only on direct group memberships or eduPersonEntitlement or other
> “flattened” source for entitlements?
> If you do return implicit group memberships via LDAP query to AD, can you
> provide details?
> (My attempt to implement in Apache Directory Studio robustly returns no
> results.)
> David St.Pierre Bantz

Robert W. Gorrell
IT Manager, Identity and Access Management
University of NC at Greensboro
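The two retrieval strategies the question weighs (AD's LDAP_MATCHING_RULE_IN_CHAIN filter evaluated server-side versus explicit client-side iteration over memberOf), as an added example that is not part of the original thread. The directory contents, DNs and helper names are constructed for illustration; only the OID comes from the message above.

```python
from collections import deque

# Constructed sample directory: DN -> memberOf list, standing in for what an
# LDAP search of AD would return. It includes a nesting cycle (G-IT <-> G-Staff),
# which AD permits and which a naive resolver would loop on forever.
SAMPLE_DIRECTORY = {
    "CN=jdoe,OU=People,DC=example,DC=edu": ["CN=G-IT,OU=Groups,DC=example,DC=edu"],
    "CN=G-IT,OU=Groups,DC=example,DC=edu": [
        "CN=G-Staff,OU=Groups,DC=example,DC=edu",
        "CN=G-VPN,OU=Groups,DC=example,DC=edu",
    ],
    "CN=G-Staff,OU=Groups,DC=example,DC=edu": [
        "CN=G-All,OU=Groups,DC=example,DC=edu",
        "CN=G-IT,OU=Groups,DC=example,DC=edu",
    ],
    "CN=G-VPN,OU=Groups,DC=example,DC=edu": [],
    "CN=G-All,OU=Groups,DC=example,DC=edu": [],
}

_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a DN containing parentheses
    or backslashes cannot alter the structure of the filter it is placed in."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)

def in_chain_filter(user_dn: str) -> str:
    """Server-side variant: one search under the groups container with this
    filter returns every group the user belongs to transitively; AD walks the
    member chain itself (this is the query the thread reports as slow)."""
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)})"

def transitive_groups(user_dn: str, lookup=None) -> set:
    """Client-side variant: breadth-first walk over memberOf. `lookup(dn)`
    returns that entry's memberOf values (one LDAP read per entry); the
    `seen` set guarantees termination even when groups nest in a cycle."""
    lookup = lookup or (lambda dn: SAMPLE_DIRECTORY.get(dn, []))
    seen, queue = set(), deque(lookup(user_dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(lookup(group))
    return seen
```

The client-side walk costs one read per group visited, so for deeply nested trees the number of round trips, not the matching rule, becomes the limiting factor; caching group-to-parent edges between users amortises that.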
