Ldap Query Get All Groups (Nested) of a Group

ldap nested group membership

Yes, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). For example:


see http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

LDAP query to show all groups that have nested groups

Unfortunately, what you are looking to do cannot be done with only LDAP queries. If you are running AD on Server 2003 SP2 or later, you can query for all members of a specific group, enumerating nested groups using a matching rule, but you would have to use an external process, like a PowerShell script, to actually get the results you wanted.

The matching rule I was thinking of would be used like this:


If you can use PowerShell, and can install Microsoft's ActiveDirectory module from the RSAT tools, you can do it in one line (although it could take forever) like this:

Import-Module ActiveDirectory; Get-AdGroup -Filter {Name -like "*"} | ? { $m = Get-ADGroupMember $_; $r = Get-ADGroupMember $_ -Recursive; $c = Compare-Object $m $r; !$c.Count } | ft name,distinguishedName -AutoSize

LDAP - List group memberships for a user including nested groups

You can't do this with a simple LDAP filter. You have to write the code that chases the links yourself.

Find All AD groups recursively given SAM account in single query

No you cannot without performing multiple queries.

If your server is based on AD, it may use the memberOf attribute, in which case you can get the user's groups in one single query, but without nested groups:

ldapsearch -D 'domain\john.doe' -W -h 'ldap.domain.com' -b 'DC=domain,DC=local' '(|(userPrincipalName=john.doe@domain.com)(sAMAccountName=john.doe))' memberOf

It would be great if we could use the extensible match as an attribute request in the query above, using memberof:1.2.840.113556.1.4.1941: instead of memberOf, but it is not a maintained attribute for which you can grab values when searching groups; it can only be used for an extensible match in a filter (cf. LDAP_MATCHING_RULE_IN_CHAIN), and it is specific to AD (not implemented in OpenLDAP).

On the other side, you can search for groups using the filter member:1.2.840.113556.1.4.1941:, but the problem is precisely that it requires knowing the user's DN in the first place.

One might come up with the idea of querying groups with a filter matching memberUid against the user login or sAMAccountName, but it depends on whether or not this attribute is maintained in your directory, and I'm pretty sure you can't use an extensible match with this one, meaning this filter cannot match nested group membership.

So, in the end, you need to use your second query to grab all user DNs, and for each one of them build the query that will grab that user's group membership, including nested groups.

single line LDAP query that enumerates users from a group within a supergroup

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.

Here is an example of how to retrieve all users in a group, including nested groups:


where {0} is the DN of the parent group.
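The answers above show two approaches: on Active Directory, a single filter with the LDAP_MATCHING_RULE_IN_CHAIN rule (the `{0}` placeholder being the parent group's DN); on directories without that rule, code that chases the memberOf links itself over several queries. The following is an added example, not code from any of the original answers. It builds the chain filters with RFC 4515 escaping (a DN or login spliced into a filter unescaped lets a value containing `)(` rewrite the filter) and implements the link-chasing fallback, including cycle protection, against a constructed in-memory directory with made-up DNs under `DC=example,DC=local`; `lookup_member_of` stands in for the one-query-per-object search you would run against a real server.

```python
"""Added example: AD chain filters with escaping, plus the manual nested-group walk."""
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN (Active Directory only, as the answers note).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter.

    Without this, a DN or account name taken from user input and containing
    '(', ')', '*' or '\\' changes the meaning of the whole filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def users_in_group_filter(group_dn: str) -> str:
    """All person objects whose membership chain reaches group_dn ({0} above)."""
    return (
        "(&(objectCategory=person)"
        f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def groups_of_user_filter(user_dn: str) -> str:
    """All groups, nested ones included, that contain user_dn (needs the DN first)."""
    return f"(&(objectClass=group)(member:{IN_CHAIN}:={escape_filter_value(user_dn)}))"


# Constructed sample directory: object DN -> its memberOf values.
# Engineering is a member of Developers again, so the graph contains a cycle.
DIRECTORY = {
    "CN=john.doe,OU=Users,DC=example,DC=local": [
        "CN=Developers,OU=Groups,DC=example,DC=local",
    ],
    "CN=Developers,OU=Groups,DC=example,DC=local": [
        "CN=Engineering,OU=Groups,DC=example,DC=local",
    ],
    "CN=Engineering,OU=Groups,DC=example,DC=local": [
        "CN=Staff,OU=Groups,DC=example,DC=local",
        "CN=Developers,OU=Groups,DC=example,DC=local",
    ],
    "CN=Staff,OU=Groups,DC=example,DC=local": [],
}


def lookup_member_of(dn: str) -> list:
    """Stand-in for one LDAP search returning the memberOf attribute of dn."""
    return DIRECTORY.get(dn, [])


def nested_groups(dn: str, lookup=lookup_member_of) -> list:
    """Chase memberOf links breadth-first: one lookup per object, cycles ignored.

    Returns the sorted DNs of every group the object belongs to, directly or
    through nesting. This is the fallback when the chain rule is unavailable.
    """
    seen = set()
    queue = deque(lookup(dn))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded: breaks the cycle above
            continue
        seen.add(group)
        queue.extend(lookup(group))
    return sorted(seen)


if __name__ == "__main__":
    print(users_in_group_filter("CN=Staff,OU=Groups,DC=example,DC=local"))
    for g in nested_groups("CN=john.doe,OU=Users,DC=example,DC=local"):
        print(g)
```

Two caveats worth keeping in mind with either approach: `memberOf` does not list a user's primary group (the one referenced by `primaryGroupID`), so a walk over `memberOf` alone misses it; and the manual walk issues one search per group visited, which is where the "could take forever" remark on large forests comes from.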
