AD via LDAP - How can I return all ancestor groups from a query?

I am querying Active Directory through LDAP (from Java and PHP) to build a list of all the groups a user is a member of. This list should also contain all the ancestor groups (and optionally organizational units) that contain the groups to which the user directly belongs. For example:

User1 is a member of GroupA, GroupB and GroupC.

GroupA is a member of GroupD.

I am looking for a way to create an LDAP query that will return GroupA, GroupB, GroupC and GroupD in one go.

My current implementation is below, but I am looking for a more efficient way to collect this information.

The current naive implementation (in pseudo-code):

```php
<?php
// Naive recursive walk: follow memberOf upward from the user's entry.
// ldap_search_entry() and ldap_lookup() stand for helpers around the ldap_* functions
// that return an entry object with getAttribute(); they are pseudo-code, not real PHP functions.
$user = ldap_search_entry('samaccountname=johndoe', $baseDN);
$allGroups = array();
foreach ($user->getAttribute('memberOf') as $groupDN) {
    $allGroups[] = $groupDN;
    $allGroups = array_merge($allGroups, getAncestorGroups($groupDN));
}

// Recursively collect every group that contains $groupDN (directly or further up).
function getAncestorGroups($groupDN) {
    $allGroups = array();
    $group = ldap_lookup($groupDN);
    $parents = $group->getAttribute('memberOf');
    foreach ($parents as $parentDN) {
        $allGroups[] = $parentDN;
        $allGroups = array_merge($allGroups, getAncestorGroups($parentDN));
    }
    return $allGroups;
}
```
+7
java php active-directory ldap
2 answers

You need to keep a map of the directory tree as you traverse it, so that you can check whether you have already explored a DN; some Active Directories contain cyclic group memberships, so you need to protect yourself against that.

This solution also does not require recursion.

In some pseudo-code:

```ruby
# Iterative walk of memberOf with a visited list, so cyclic group nesting cannot loop forever.
# ldap_lookup(dn) is assumed to return an entry responding to attributes("memberOf")
# (an Array of DNs), or nil when the DN does not exist.
def get_groups_of_dn(user_dn)
  groups = []
  groups_explored = [user_dn]   # every DN ever queued, including the starting point
  groups_to_explore = [user_dn] # work queue
  until groups_to_explore.empty?
    current = groups_to_explore.shift
    ldap_entry = ldap_lookup(current)
    next if ldap_entry.nil?
    groups << current unless current == user_dn # the user's own DN is not a group
    ldap_entry.attributes("memberOf").each do |group_dn|
      # only queue DNs not seen before; this is the cycle guard
      next if groups_explored.include?(group_dn)
      groups_to_explore << group_dn
      groups_explored << group_dn
    end
  end
  groups
end
```
+2

Active Directory provides a special matching rule for search filters that lets you match through a chain of objects, such as nested groups. The feature is described here.

The following is an example of retrieving all users in a group, including members of nested groups:

```
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
```

where {0} is the parent group's DN.

+7
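As an added example (not part of the original answer), the following Ruby builds the matching-rule-in-chain filter from that answer and the filter for the question's own direction, which is every group a user belongs to directly or through nesting, using the `member` attribute instead of `memberof`. Because the DN is interpolated into the filter, the value is escaped per RFC 4515 first; without that, a caller-supplied value such as `*` would turn the search into "all groups". The OID 1.2.840.113556.1.4.1941 is the one quoted on the page; the sample DNs are constructed.

```ruby
# LDAP_MATCHING_RULE_IN_CHAIN: the server walks the membership chain itself,
# so one query replaces the client-side recursion from the question.
LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'.freeze

# RFC 4515 filter-value escaping: NUL, '(', ')', '*' and '\' become \xx hex escapes.
# Escape the DN (or any other caller-controlled value) before placing it in a filter.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Users of the given group, including members of nested groups (the answer's filter).
def users_in_group_filter(group_dn)
  "(&(objectClass=user)(memberof:#{LDAP_MATCHING_RULE_IN_CHAIN}:=#{escape_filter_value(group_dn)}))"
end

# The question's direction: every group the user is in, directly or via nesting.
# Matching the chain on 'member' with the user's DN returns GroupA..GroupD in one query.
def groups_of_user_filter(user_dn)
  "(&(objectClass=group)(member:#{LDAP_MATCHING_RULE_IN_CHAIN}:=#{escape_filter_value(user_dn)}))"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample DNs; the second one carries characters that must be escaped.
  puts groups_of_user_filter('CN=John Doe,OU=Users,DC=example,DC=com')
  puts groups_of_user_filter('CN=Doe, John (Ext)*,OU=Users,DC=example,DC=com')
  puts users_in_group_filter('CN=GroupD,OU=Groups,DC=example,DC=com')
end
```

Run the filter against the domain's base DN with `objectClass=group` in the same way the answer runs its filter for users. The chain is resolved on the domain controller, so the client makes one round trip, but the server-side search is more expensive than a plain attribute match and can be slow on large group hierarchies.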
