
Search all AD user groups by LDAP protocol

In my line of work I often deal with services that integrate with AD. Unfortunately, most of them have no support at all for such a convenient AD feature as nested groups.
Is it really that hard to resolve all of a user's nested groups?

At first glance.

At first glance, the minimum solution is a recursive function: fetch the groups the user belongs to, then the groups those groups belong to, and so on. With this approach it is important not to forget to handle the situation where group A is nested in group B and group B is nested in group A, i.e. a cycle.
And if group membership is checked often enough, this approach may require significant computing resources.
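The client-side approach described above, as an added example that is not part of the original article: a breadth-first walk over the memberOf attribute with a "seen" set as the cycle guard, run against a small constructed in-memory directory that deliberately contains the A-in-B, B-in-A cycle. The lookup counter makes the cost visible: every nesting level is one more round trip to the directory.

```python
from collections import deque

# Constructed sample data (not a real directory): each DN maps to the values of
# its memberOf attribute, i.e. the groups it is a direct member of. Jim is in
# Sales, Sales is nested in West, West in Staff, and Staff is deliberately
# nested back into Sales to form a cycle (A in B, B in A).
SAMPLE_MEMBER_OF = {
    "cn=Jim Smith,ou=West,dc=Domain,dc=com": ["cn=Sales,ou=West,dc=Domain,dc=com"],
    "cn=Sales,ou=West,dc=Domain,dc=com": ["cn=West,ou=West,dc=Domain,dc=com"],
    "cn=West,ou=West,dc=Domain,dc=com": ["cn=Staff,dc=Domain,dc=com"],
    "cn=Staff,dc=Domain,dc=com": ["cn=Sales,ou=West,dc=Domain,dc=com"],
}


def read_member_of(dn, directory):
    """Stand-in for one LDAP lookup of an entry's memberOf attribute."""
    return directory.get(dn, [])


def expand_nested_groups(user_dn, directory, max_depth=64):
    """Return (groups, lookups): every group the user belongs to directly or
    through nesting, and how many directory lookups that cost.

    The `seen` set is what stops the cycle (Sales -> West -> Staff -> Sales)
    from looping forever; max_depth is a second safety net against
    pathological nesting depth.
    """
    seen = set()
    lookups = 0
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        lookups += 1
        for group_dn in read_member_of(dn, directory):
            if group_dn in seen:
                continue  # already expanded or queued: this is the cycle guard
            seen.add(group_dn)
            queue.append((group_dn, depth + 1))
    return frozenset(seen), lookups


def is_member_of(user_dn, group_dn, directory):
    """Membership check including nested groups, computed on the client side."""
    groups, _ = expand_nested_groups(user_dn, directory)
    return group_dn in groups


if __name__ == "__main__":
    jim = "cn=Jim Smith,ou=West,dc=Domain,dc=com"
    groups, cost = expand_nested_groups(jim, SAMPLE_MEMBER_OF)
    print(f"{len(groups)} groups resolved after {cost} lookups:")
    for g in sorted(groups):
        print("  ", g)
```

For the constructed data the walk needs four lookups (the user plus each of the three groups) to resolve three groups; against a real directory each of those is a network round trip, which is the cost the article is talking about.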

But there is a way out.

There is a wonderful article, Active Directory: LDAP Syntax Filters, which gives an interesting example of an LDAP filter that returns a user's groups, including nested ones:
(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)

MSDN also has a Search Filter Syntax article describing the matching rules that can be used in LDAP filters against Active Directory. The LDAP_MATCHING_RULE_IN_CHAIN rule is described there in more detail:
This rule applies only to attributes of the distinguishedName type. This special extended match operator walks the entire chain of nested objects.


Thus, the work of resolving group nesting is easily handed off to the AD server.
How can this knowledge be useful to administrators?

Some services let the administrator configure the LDAP filter used to look up user groups. In that case the administrator can change the service's behaviour with respect to nested groups without touching the application code. It is enough to replace the filters
(member=cn=Jim Smith,ou=West,dc=Domain,dc=com) (memberOf=cn=Sales,ou=West,dc=Domain,dc=com)

with
(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com) (memberOf:1.2.840.113556.1.4.1941:=cn=Sales,ou=West,dc=Domain,dc=com)
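Building those two filter forms in code, as an added example that is not part of the original article: a small builder that emits either the plain (attribute=dn) form or the extensible-match form with the LDAP_MATCHING_RULE_IN_CHAIN OID from the article. The DN is an assertion value embedded in the filter, so it is escaped per RFC 4515 first; the objectClass wrapping in the two convenience helpers is my own assumption and not something the article specifies.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so that the characters with
    special meaning in a filter (backslash, *, parentheses and NUL) cannot
    change the filter's structure. A DN such as 'cn=Smith (Jim),...' would
    otherwise break the parenthesis nesting of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def chain_filter(attribute, dn, nested=True):
    """Build '(attribute=dn)' or, with nested=True, the extensible-match form
    '(attribute:1.2.840.113556.1.4.1941:=dn)' that makes AD walk the chain."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else ""
    return f"({attribute}{rule}={escape_filter_value(dn)})"


def groups_of_user_filter(user_dn, nested=True):
    """Filter to run over the groups container: which groups contain this user.
    The objectClass=group term is an assumption added here, not from the article."""
    return "(&(objectClass=group)" + chain_filter("member", user_dn, nested) + ")"


def members_of_group_filter(group_dn, nested=True):
    """Filter to run over the users container: which users are in this group.
    The objectClass=user term is an assumption added here, not from the article."""
    return "(&(objectClass=user)" + chain_filter("memberOf", group_dn, nested) + ")"


if __name__ == "__main__":
    jim = "cn=Jim Smith,ou=West,dc=Domain,dc=com"
    sales = "cn=Sales,ou=West,dc=Domain,dc=com"
    print(chain_filter("member", jim, nested=False))
    print(chain_filter("member", jim))
    print(chain_filter("memberOf", sales, nested=False))
    print(chain_filter("memberOf", sales))
    print(groups_of_user_filter("cn=Smith (Jim),ou=West,dc=Domain,dc=com"))
```

With nested=True the output is exactly the two filters from the article; the escaping only changes anything when the DN contains one of the special characters, and then it is what keeps the filter well-formed.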


An example of using extensible match rules in PowerShell

Source: https://habr.com/ru/post/187044/
