Solved.
Assuming the following:
- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"
The query for checking if the user is member of that group would be:
(&(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))
So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):
src Internet_Users {
ldapusersearch ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}
Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:
src Internet_Users {
ldapusersearch ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}
Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:
src Internet_Users {
ldapusersearch ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}
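The three configuration fragments above differ only in whether the filter is URL-escaped and which host is queried. The following script is an added example (not part of the answer or of squidGuard itself) that builds the group DN and the ldapusersearch line from the same assumed values (domain.com, OU1/OU2, "Internet Users"; the host names dc.domain.com and gc.domain.com are placeholders) and checks the rendered line for the raw commas and spaces that trigger squidGuard's "syntax error". Only the group DN inside the filter is percent-encoded, so the %s placeholder stays literal for squidGuard to substitute; Python's quote() emits %2C where the answer wrote %2c, which is the same encoding.

```python
from urllib.parse import quote

# Constructed values taken from the assumptions in the answer above; the host names
# dc.domain.com / gc.domain.com are placeholders, not real servers.
DOMAIN = "domain.com"
OU_PATH = ["OU1", "OU2"]        # containers from the domain root down to the group
GROUP_CN = "Internet Users"
DC_HOST = "dc.domain.com"
GC_HOST = "gc.domain.com"
GC_PORT = 3268                  # global catalog port: no referrals to chase


def domain_dn(domain):
    """'domain.com' -> 'DC=domain,DC=com'."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def group_dn(group_cn, ou_path, domain):
    """A DN is written leaf-first, so the root-first OU path is reversed."""
    ous = ",".join(f"OU={ou}" for ou in reversed(ou_path))
    return f"CN={group_cn},{ous},{domain_dn(domain)}"


def membership_filter(group_dn_str, user_placeholder="%s"):
    """Plain LDAP filter: the user named by the placeholder AND a direct memberOf
    value equal to the group's DN. This is the form you would feed to ldapsearch."""
    return f"(&(sAMAccountName={user_placeholder})(memberOf={group_dn_str}))"


def ldapusersearch_line(host, domain, group_cn, ou_path, port=None, escape=True):
    """Render the squidGuard ldapusersearch directive. squidGuard parses it as an
    LDAP URL, so commas and spaces inside the filter must be percent-encoded or the
    parser stops with 'syntax error'. Only the group DN is encoded: '%s' must stay
    literal so squidGuard can substitute the client's user name, and the filter's
    own (&=) syntax is left alone, as in the answer above. escape=False reproduces
    the broken first attempt for comparison."""
    dn = group_dn(group_cn, ou_path, domain)
    if escape:
        dn = quote(dn, safe="=")    # ',' -> %2C, ' ' -> %20 (hex case is irrelevant)
    hostport = f"{host}:{port}" if port else host
    return (f"ldapusersearch ldap://{hostport}/{domain_dn(domain)}"
            f"?sAMAccountName?sub?{membership_filter(dn)}")


def filter_is_url_safe(line):
    """Check a rendered line for what trips squidGuard's parser: the filter is
    everything after the third '?', and a raw comma or space in it is a bug."""
    parts = line.split("?", 3)
    if len(parts) < 4:
        return False
    return not any(ch in parts[3] for ch in (" ", ","))


def src_block(name, line):
    """Wrap the directive in the src { } block squidGuard.conf expects."""
    return f"src {name} {{\n{line}\n}}"


if __name__ == "__main__":
    print(membership_filter(group_dn(GROUP_CN, OU_PATH, DOMAIN), "UserName"))
    for host, port in ((DC_HOST, None), (GC_HOST, GC_PORT)):
        line = ldapusersearch_line(host, DOMAIN, GROUP_CN, OU_PATH, port)
        assert filter_is_url_safe(line)
        print(src_block("Internet_Users", line))
```

Running it prints the plain filter with UserName substituted, then the two src blocks (domain controller and global catalog on port 3268) in the escaped form; calling ldapusersearch_line with escape=False reproduces the line that squidGuard rejects, and filter_is_url_safe flags it.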
What application are you trying to configure?
The large majority of applications that have some level of LDAP support as an LDAP client simply have no support for nested groups.
Short of modifying the software, you may be out of luck.
If your LDAP server happens to be Microsoft Active Directory, then there is a non-standard search filter that may help you.
See:
- http://support.microsoft.com/kb/914828
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is
designed to provide a method to look up the ancestry of an object.
Many applications using AD and AD LDS usually work with hierarchical
data, which is ordered by parent-child relationships. Previously,
applications performed transitive group expansion to figure out group
membership, which used too much network bandwidth; applications needed
to make multiple roundtrips to figure out if an object fell "in the
chain" if a link is traversed through to the end.
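To make the difference concrete, here is an added example (not from the answer or from Microsoft's documentation) that builds the chain-matching filter and contrasts it with the client-side transitive expansion the quoted text describes. The OID 1.2.840.113556.1.4.1941 is the documented value of LDAP_MATCHING_RULE_IN_CHAIN; the directory, the DNs and the nested-group layout (UserName in Staff, Staff in Internet Users, with a deliberate loop) are constructed in-memory stand-ins, not real AD data.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"   # OID of the AD matching rule

# Constructed, in-memory stand-in for a directory: DN -> the entry's memberOf values.
# UserName is in Staff, Staff is nested in Internet Users, and All Users loops back
# to Staff (the loop is constructed to exercise the cycle guard). All DNs are
# hypothetical.
USER_DN = "CN=UserName,OU=Users,DC=domain,DC=com"
STAFF_DN = "CN=Staff,OU=OU2,OU=OU1,DC=domain,DC=com"
GROUP_DN = "CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com"
ALL_DN = "CN=All Users,OU=OU1,DC=domain,DC=com"
DIRECTORY = {
    USER_DN: {"memberOf": [STAFF_DN]},
    STAFF_DN: {"memberOf": [GROUP_DN]},
    GROUP_DN: {"memberOf": [ALL_DN]},
    ALL_DN: {"memberOf": [STAFF_DN]},
}


def nested_membership_filter(group_dn, user_placeholder="%s"):
    """Filter that asks AD to follow memberOf transitively on the server side.
    The extensible-match syntax is attribute:OID:=value."""
    return (f"(&(sAMAccountName={user_placeholder})"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group_dn}))")


def direct_member_of(entry_dn, directory):
    """One 'round trip': read the memberOf attribute of a single entry."""
    return list(directory.get(entry_dn, {}).get("memberOf", []))


def transitive_member_of(entry_dn, directory):
    """What a client without chain support must do itself: walk memberOf hop by
    hop. Returns (all groups reached, number of entry lookups made). The seen-set
    makes the walk terminate even when group nesting forms a loop."""
    seen, todo, lookups = set(), [entry_dn], 0
    while todo:
        dn = todo.pop()
        lookups += 1
        for g in direct_member_of(dn, directory):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen, lookups


def is_member(user_dn, group_dn, directory, nested=False):
    """nested=False is what a plain (memberOf=...) filter answers; nested=True is
    what the chain matching rule answers, emulated client-side here."""
    if not nested:
        return group_dn in direct_member_of(user_dn, directory)
    groups, _ = transitive_member_of(user_dn, directory)
    return group_dn in groups


if __name__ == "__main__":
    print(nested_membership_filter(GROUP_DN))
    print("direct :", is_member(USER_DN, GROUP_DN, DIRECTORY))
    print("nested :", is_member(USER_DN, GROUP_DN, DIRECTORY, nested=True))
    print("lookups:", transitive_member_of(USER_DN, DIRECTORY)[1])
```

The plain filter reports UserName as not a member of Internet Users, because the membership is one hop removed; the walk reaches the group after four entry lookups, which is the round-trip cost the chain rule moves into the server. If the chain filter is placed in a squidGuard ldapusersearch URL, the commas and spaces in the DN need the same percent-encoding the first answer describes.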
Best Answer
Ok, well I've used this PowerShell script to do this a number of times, it produces a listing of all users and groups under the group you specify. Obviously it can be tailored to give you the output you want.
You can use the export-csv command to then get your output into a CSV file.