I have a lot of applications at work which do not support Active Directory but instead rely on LDAP queries for granting user access. A problem we have is much of our access is granted to a security group (known as a ROLE) and users are granted to that single security group to get access to things. This allows easier access granting to new hires / transfers. The problem is it makes LDAP queries much more difficult. Things are further complicated by the fact that sometimes users are directly granted access to resources instead of going through their ROLE security group.
Nested LDAP group search
I spent a lot of time researching LDAP nested group queries. I now have a functional way of doing semi-nested LDAP group searches. The scenario: a user could be directly added to a security group granting access to a resource, or could be a member of a security group which has access to the resource. I want the LDAP group search string to account for both. I accomplish this by combining these two queries:
Nested group membership query
Search groups beginning with the name ROLE for a specific member, then return what that ROLE group has access to
(&(objectClass=group)(DisplayName=ROLE*)(member=FQDN_OF_USER_IN_QUESTION)(memberOf=*))
Individually added group query
Search for all groups a specified member is a member of
(&(objectClass=user)(sAMAccountName=USERNAME_OF_USER_IN_QUESTION)(memberOf=*))
I combine these two queries by separating them out with an OR operator (|)
Combined query
Return the group membership of the user in question, as well as the group membership of the group beginning with the name ROLE that the user is a member of
(|(&(objectClass=group)(DisplayName=ROLE*)(member=FQDN_OF_USER_IN_QUESTION)(memberOf=*))(&(objectClass=user)(sAMAccountName=USERNAME_OF_USER_IN_QUESTION)(memberOf=*)))
It has three main parts:
- Begin with an or operator (|
- Have a new group with an AND operator (&
- This requires everything in this query to be true
- Make a second group with an AND operator
This works for our organization because ROLE groups are not nested within themselves and each user can only have one ROLE group assigned to them.
This combined query allows me to not have to “flatten” security groups for LDAP-bound applications. It makes me so happy.
This was made possible by a flurry of stack overflow posts:
https://stackoverflow.com/questions/32829104/ldap-query-with-wildcard
https://stackoverflow.com/questions/9564120/using-wildcards-in-ldap-search-filters-queries
https://stackoverflow.com/questions/6195812/ldap-nested-group-membership