Ldap – Active Directory LDAP_MATCHING_RULE_IN_CHAIN returns no records after OU move

active-directory, ldap

We are seeing an odd issue with Active Directory LDAP querying.

The situation is: We have a security group in a given OU. That security group needs to move to a totally different OU.

We have an application that uses LDAP to authenticate against AD, and it queries using the Active Directory LDAP_MATCHING_RULE_IN_CHAIN, so that it supports embedded groups:

(memberOf:1.2.840.113556.1.4.1941:=CN=SystemAdministrators,OU=SA Users,OU=System Administrators,OU=Departments,DC=ds,DC=example,DC=com)

An example query would be:

ldapsearch -LLL -x -W -H 'ldap://ny-dc02.ds.example.com:389' -D '[binding account details]' -b 'OU=Departments,DC=ds,DC=example,DC=com' '(memberOf:1.2.840.113556.1.4.1941:=CN=SystemAdministrators,OU=SA Users,OU=System Administrators,OU=Departments,DC=ds,DC=example,DC=com)' dn

It returns a full list of users that belong to the requested OU – as expected.

However, if we move that group out of Departments\System Administrators and into Security Groups\System Administration (and update the query appropriately):

(memberOf:1.2.840.113556.1.4.1941:=CN=SystemAdministrators,OU=System Administration,OU=Security Groups,DC=ds,DC=example,DC=com)

for example:

ldapsearch -LLL -x -W -H 'ldap://ny-dc02.ds.example.com:389' -D '[binding account details]' -b 'OU=Security Groups,DC=ds,DC=example,DC=com' '(memberOf:1.2.840.113556.1.4.1941:=CN=SystemAdministrators,OU=System Administration,OU=Security Groups,DC=ds,DC=example,DC=com)' dn

We get no results returned at all from LDAP Search.

Our first thought was "Oh, it's probably caching something". But we left the security group in its new OU for several hours and we still saw the same results.

Has anyone seen anything like this before? Any suggestions on where to troubleshoot next?

Best Answer

The search base is supposed to be set to where the USER is located, rather than where the group is (the location of the group is already included in the filter). So regardless of where the group is, your search base should remain the same (if the user wasn't moved).
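To make the answer's point concrete, here is an added in-memory simulation (not the question's ldapsearch and not a real LDAP client) of subtree scope combined with the 1.2.840.113556.1.4.1941 transitive-membership rule. The directory contents, the nested group "SA Tier1" and the extra objectClass=user restriction are constructed assumptions; the question's filter has no objectClass clause.

```python
# Constructed in-memory model (not a real LDAP client) of the directory in the
# question: users live under OU=Departments, the group was moved to OU=Security Groups.
from typing import Dict, List, Set

DOMAIN = "DC=ds,DC=example,DC=com"
USERS_OU = "OU=SA Users,OU=System Administrators,OU=Departments," + DOMAIN
GROUPS_OU = "OU=System Administration,OU=Security Groups," + DOMAIN
SYSADMINS = "CN=SystemAdministrators," + GROUPS_OU
TIER1 = "CN=SA Tier1," + GROUPS_OU  # hypothetical nested group, member of SYSADMINS

DIRECTORY: Dict[str, dict] = {
    SYSADMINS: {"objectClass": "group", "memberOf": []},
    TIER1: {"objectClass": "group", "memberOf": [SYSADMINS]},
    "CN=alice," + USERS_OU: {"objectClass": "user", "memberOf": [SYSADMINS]},
    "CN=bob," + USERS_OU: {"objectClass": "user", "memberOf": [TIER1]},  # via nesting
    "CN=carol," + USERS_OU: {"objectClass": "user", "memberOf": []},
}

def in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: the entry is the base itself or has the base as its DN suffix."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def member_of_in_chain(dn: str, directory: Dict[str, dict]) -> Set[str]:
    """Transitive memberOf, as 1.2.840.113556.1.4.1941 evaluates it: follow
    memberOf links through nested groups, guarding against cycles."""
    seen: Set[str] = set()
    todo = [dn]
    while todo:
        for group in directory[todo.pop()]["memberOf"]:
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen

def search(base: str, group_dn: str, object_class: str = "user",
           directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """(&(objectClass=<object_class>)(memberOf:1.2.840.113556.1.4.1941:=<group_dn>))
    evaluated with subtree scope from `base`: the filter only sees entries under base."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base) and attrs["objectClass"] == object_class
                  and group_dn in member_of_in_chain(dn, directory))

if __name__ == "__main__":
    # Base set to the group's new OU: no users live there, so nothing matches.
    print(search("OU=Security Groups," + DOMAIN, SYSADMINS))  # []
    # Base set to where the users are: direct and nested members are found.
    print(search("OU=Departments," + DOMAIN, SYSADMINS))
```

The filter is evaluated only against entries inside the search base, so moving the group to an OU that contains no user objects empties the result set even though every user's transitive membership is unchanged.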