[EXT] memberOf Nested Groups

Yeargan, Yancey Yancey.Yeargan at untsystem.edu
Thu May 14 23:14:32 UTC 2020


To do that, you flip things around where instead of looking at the "memberOf" attribute of user objects, you instead look at the "member" attribute of group objects.

To return all group objects, including nested, to which the user belongs, use the same "LDAP_MATCHING_RULE_IN_CHAIN" extensible LDAP search feature to query Active Directory group objects where the "member" attribute of the group object contains the distinguished name of the user. 

The simplest LDAP filter looks like this.
'(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)'

To explicitly request group objects:
'(&(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)(objectClass=group))'

To request only security (not distribution) groups.
'(&(member:1.2.840.113556.1.4.1941:=CN=John Smith,CN=Users,DC=domain,DC=edu)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'


https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN

https://ldapwiki.com/wiki/Filtering%20for%20Bit%20Fields

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/11972272-09ec-4a42-bf5e-3e99b321cf55

Also, note that Active Directory does not return the user's "primary group", typically "Domain Users", in LDAP searches. The primary group ID (Active Directory relative ID, or RID) is stored in attribute "primaryGroupID" of the user object, and is related to SID numbering.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

Yancey Yeargan
IT Manager
IT Shared Services
________________________________
UNIVERSITY OF NORTH TEXAS SYSTEM
Office: 940.369.7521
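As an added example (not code from the thread or from Shibboleth), the following Python builds the three filters given in the reply above, escapes the user DN per RFC 4515 before splicing it into the filter (a DN such as "CN=Smith\, John" contains a backslash that would otherwise alter the filter), and derives the primary group's SID, which the member/memberOf search does not return, from the user's objectSid string and primaryGroupID. The sample DN and SID values are constructed; the function names are this example's own.

```python
# Added example: nested-group filters with RFC 4515 escaping, plus the
# primary group SID that AD omits from member/memberOf results.
# Pure Python; no LDAP client library is required to build the strings.

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive match
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND
GROUP_TYPE_SECURITY_ENABLED = 0x80000000                 # 2147483648


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside a filter. A DN read from the
    directory or derived from a login name may contain '\\', '*', '(' or
    ')'; left unescaped they change the filter's meaning (filter injection)."""
    return "".join(
        "\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value
    )


def nested_groups_filter(user_dn: str, groups_only: bool = True,
                         security_only: bool = False) -> str:
    """Filter matching every group whose 'member' attribute transitively
    (directly or via nesting) contains user_dn, as in the reply above."""
    clauses = ["(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                    escape_filter_value(user_dn))]
    if groups_only or security_only:
        clauses.append("(objectClass=group)")
    if security_only:  # keep security groups, drop distribution groups
        clauses.append("(groupType:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND,
                                               GROUP_TYPE_SECURITY_ENABLED))
    return clauses[0] if len(clauses) == 1 else "(&%s)" % "".join(clauses)


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group (usually Domain Users, RID 513) is absent from the
    search result; its SID is the user's domain SID plus primaryGroupID."""
    domain_sid, _, _user_rid = user_sid.rpartition("-")
    return "%s-%d" % (domain_sid, primary_group_id)


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    dn = "CN=John Smith,CN=Users,DC=domain,DC=edu"
    print(nested_groups_filter(dn, groups_only=False))
    print(nested_groups_filter(dn))
    print(nested_groups_filter(dn, security_only=True))
    print(primary_group_sid("S-1-5-21-1111-2222-3333-1105", 513))
```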
 
 

On 5/14/20, 3:27 PM, "users on behalf of Boyd, Todd M." <users-bounces at shibboleth.net on behalf of tmboyd1 at ccis.edu> wrote:

    Those examples approach from the group's perspective; are there any such examples for doing this from the user's perspective? I have tried some of Microsoft's super-special-secret memberOf hacks to pull nested group memberships per-user, but it wound up choking our DCs to the floor.

    -Todd


    From: users <users-bounces at shibboleth.net> on behalf of Yeargan, Yancey <Yancey.Yeargan at untsystem.edu>
    Sent: Thursday, May 14, 2020 1:48:44 PM
    To: Shib Users
    Subject: Re: [EXT] memberOf Nested Groups





    Take a look at the ldapwiki site. Active Directory supports a nested group query. If using an LDAP product from a different vendor, you will need to find a different way.
    https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches




    Yancey Yeargan
    IT Manager
    IT Shared Services
    ________________________________
    UNIVERSITY OF NORTH TEXAS SYSTEM
    Office: 940.369.7521




    From: users <users-bounces at shibboleth.net> on behalf of Joshua Brodie <josbrodie at gmail.com>
    Reply-To: Shib Users <users at shibboleth.net>
    Date: Thursday, May 14, 2020 at 12:58 PM
    To: users <users at shibboleth.net>
    Subject: [EXT] memberOf Nested Groups



    Hello: 



    Is there a way to obtain memberOf for nested groups memberships?

    -- 
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


