I have a lot of applications at work which do not support Active Directory but instead rely on LDAP queries for granting user access. A problem we have is much of our access is granted to a security group (known as a ROLE) and users are granted to that single security group to get access to things. This allows easier access granting to new hires / transfers. The problem is it makes LDAP queries much more difficult. Things are further complicated by the fact that sometimes users are directly granted access to resources instead of going through their ROLE security group.
Nested LDAP group search
I spent a lot of time researching LDAP nested group queries. I now have a functional way of doing semi-nested LDAP group searches. The scenario: a user could be directly added to a security group granting access to a resource, or could be a member of a security group which has access to the resource. I want the LDAP group search string to account for both. I accomplish this by combining these two queries:
Nested group membership query
Search groups beginning with the name ROLE for a specific member, then return what that ROLE group has access to
Individually added group query
Search for all groups a specified member is a member of
I combine these two queries by separating them out with an OR operator (|)
Return the group membership of the user in question, as well as the group membership of the group beginning with the name ROLE that the user is a member of
It has three main parts:
- Begin with an or operator (|
- Have a new group with an AND operator (&
- This requires everything in this query to be true
- Make a second group with an AND operator
This works for our organization because ROLE groups are not nested within themselves and each user can only have one ROLE group assigned to them.
This combined query allows me to not have to “flatten” security groups for LDAP-bound applications. It makes me so happy.
This was made possible by a flurry of stack overflow posts:
2 thoughts on “LDAP nested group membership query”
That’s indeed a good idea. But what is the FQDN_OF_USER_IN_QUESTION? How do you format that one?
Actually, I think I might have found that: mamber=CN=COMMON_NAME,OU=…,dc=domain,dc=tld seems to work. But I still don’t get the nested groups, only the direct group membership … 🙁