[EXT] memberOf Nested Groups

Yeargan, Yancey Yancey.Yeargan at untsystem.edu
Thu May 14 23:14:32 UTC 2020

To do that, you flip things around: instead of looking at the "memberOf" attribute of user objects, you look at the "member" attribute of group objects.

To return all group objects, including nested, to which the user belongs, use the same "LDAP_MATCHING_RULE_IN_CHAIN" extensible LDAP search feature to query Active Directory group objects where the "member" attribute of the group object contains the distinguished name of the user. 

The simplest LDAP filter looks like this.
'(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)'

To explicitly request group objects:
'(&(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)(objectClass=group))'

To request only security (not distribution) groups:
'(&(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'

Also, note that Active Directory does not return the user's "primary group" (typically "Domain Users") in these LDAP searches. The primary group ID (an Active Directory relative ID, or RID) is stored in the "primaryGroupID" attribute of the user object, and is related to SID numbering.


Yancey Yeargan
IT Manager
IT Shared Services
Office: 940.369.7521
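The following is an added example and not part of the message above or of any Shibboleth code: it builds the "member"-side LDAP_MATCHING_RULE_IN_CHAIN filters described above in Python, escapes the user DN before placing it in the filter (a DN containing "(", ")", "*" or "\" would otherwise alter the filter), and handles the primary-group gap the message mentions by decoding a user's binary objectSid, swapping its RID for primaryGroupID, and producing the filter that fetches that group. The DN, SID bytes and primaryGroupID value are constructed sample data, not values from any real directory.

```python
import struct

# OIDs of the two Active Directory extensible-match rules used in the thread.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"   # transitive membership
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND on integer attributes
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000              # 2147483648 in the filters above


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Anything that ends up inside a filter must be escaped: '(' ')' '*' '\\' and
    NUL would otherwise alter the filter (LDAP filter injection) or break it.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def nested_group_filter(user_dn: str, security_only: bool = False) -> str:
    """Filter returning every group the user belongs to, directly or transitively."""
    clauses = [
        f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})",
        "(objectClass=group)",
    ]
    if security_only:
        clauses.append(
            f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_GROUP_TYPE_SECURITY_ENABLED})"
        )
    return "(&" + "".join(clauses) + ")"


def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary objectSid attribute into the usual S-1-5-21-... string."""
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit identifier authority
    subs = struct.unpack("<%dI" % sub_count, raw[8:])    # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID with the RID replaced by primaryGroupID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"


def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """Filter to fetch the primary group object; AD accepts the string SID form for objectSid."""
    sid = escape_filter_value(primary_group_sid(user_sid, primary_group_id))
    return f"(&(objectClass=group)(objectSid={sid}))"


# Constructed sample data (not real directory values): a user in domain
# S-1-5-21-1111-2222-3333 with RID 1105 and the default primaryGroupID 513.
SAMPLE_SID_BYTES = (
    bytes([1, 5])                      # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")           # identifier authority NT (5)
    + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
)
SAMPLE_USER_DN = "CN=Smith (Jane),CN=Users,DC=domain,DC=edu"

if __name__ == "__main__":
    print(nested_group_filter(SAMPLE_USER_DN, security_only=True))
    user_sid = sid_from_bytes(SAMPLE_SID_BYTES)
    print(user_sid, "->", primary_group_filter(user_sid, 513))
```

In practice the DN and objectSid come from an earlier search for the user, the nested-group filter is then run against the group container(s) with a scoped search base, and the primary group costs one extra equality search on objectSid. The escaping step matters even when the DN is read back from the directory: a CN containing a backslash-escaped comma (RFC 4514) must have that backslash doubled as \5c in the filter.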

On 5/14/20, 3:27 PM, "users on behalf of Boyd, Todd M." <users-bounces at shibboleth.net on behalf of tmboyd1 at ccis.edu> wrote:

    Those examples approach from the group's perspective; are there any such examples for doing this from the user's perspective? I have tried some of Microsoft's super-special-secret memberOf hacks to pull nested group memberships per-user, but it wound up choking our DCs to the floor.


    From: users <users-bounces at shibboleth.net> on behalf of Yeargan, Yancey <Yancey.Yeargan at untsystem.edu>
    Sent: Thursday, May 14, 2020 1:48:44 PM
    To: Shib Users
    Subject: Re: [EXT] memberOf Nested Groups


    Take a look at the ldapwiki site. Active Directory supports a nested group query. If using an LDAP product from a different vendor, you will need to find a different way.

    Yancey Yeargan
    IT Manager
    IT Shared Services
    Office: 940.369.7521

    From: users <users-bounces at shibboleth.net> on behalf of Joshua Brodie <josbrodie at gmail.com>
    Reply-To: Shib Users <users at shibboleth.net>
    Date: Thursday, May 14, 2020 at 12:58 PM
    To: users <users at shibboleth.net>
    Subject: [EXT] memberOf Nested Groups


    Is there a way to obtain memberOf for nested groups memberships?

    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
