I am trying to build an LDAP query to MS Active Directory. I found that there is an LDAP_MATCHING_RULE_IN_CHAIN type to do so, which results in the following syntax:
(&(sAMAccountName=Benna)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))
Problem is:
The query* enumerates only the first nested group.
In my example, Group1 has the following member groups:
- Domain Administrators
- Domain Members
- Domain Computers
And Benna is in the group Domain Members, but the query doesn't give me a result*.
When I change the filter to
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))
I can see that the query enumerates only members of the group "Domain Administrators"*.
So that's the reason it doesn't match my query above.
Any reason why this happens?
*Tested with adsiedit.msc
EDIT:
OK – it seems that this is the reason:
https://support.microsoft.com/en-us/kb/275523
But is it possible to build a query for the nested group also for the primaryGroupID attribute? Or is there any way to have a single LDAP query that you can use to find out whether a user is a member of a group (which can also have nested groups)?
Thanks,
Thomas
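As an added example (not part of the question or of any answer): a small Python helper that builds the chain filter from the question with RFC 4515 escaping of the values, and can OR in primaryGroupID matches, since a user's primary group is never listed in memberOf and is therefore skipped by the chain rule. The RIDs passed in are assumed to be looked up separately; the DN and account name are the ones from the question.

```python
"""Build Active Directory search filters for transitive (nested) group membership.

LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the server follow
memberOf links recursively.  A user's primary group is stored only in primaryGroupID
and never appears in memberOf, so it has to be matched with a separate clause.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping for values placed inside a filter.  Without it an account name
# taken from user input, e.g. "*)(objectClass=*", would rewrite the filter itself
# (LDAP injection).  DNs are values too: the backslash in "CN=Doe\, John" becomes \5c.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _membership_clause(group_dn: str, primary_group_rids) -> str:
    """(memberOf:chain:=dn), ORed with one (primaryGroupID=rid) term per RID given."""
    chain = "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))
    # int() rejects anything that is not a plain RID, so these need no escaping.
    terms = [chain] + ["(primaryGroupID=%d)" % int(rid) for rid in primary_group_rids]
    return terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)


def build_user_in_nested_group_filter(sam_account_name, group_dn, primary_group_rids=()):
    """Match the account only if it is a direct or nested member of group_dn.

    primary_group_rids is assumed to be looked up beforehand (last component of each
    group's objectSid) for group_dn and every group nested in it; that is what catches
    users whose only link to group_dn is their primary group.
    """
    return "(&(sAMAccountName=%s)%s)" % (
        escape_filter_value(sam_account_name), _membership_clause(group_dn, primary_group_rids))


def build_nested_members_filter(group_dn, primary_group_rids=()):
    """Enumerate every user account that is a direct or nested member of group_dn."""
    # objectCategory=person leaves out computer accounts, which are objectClass=user too.
    return "(&(objectClass=user)(objectCategory=person)%s)" % _membership_clause(
        group_dn, primary_group_rids)


if __name__ == "__main__":
    group = "CN=Group1,OU=Root,DC=domain,DC=local"  # DN from the question
    print(build_user_in_nested_group_filter("Benna", group))
    print(build_user_in_nested_group_filter("Benna", group, primary_group_rids=[513]))
    print(build_nested_members_filter(group, primary_group_rids=[513]))
```

The RID list only covers primary-group membership of the groups you name, so for full nested coverage it has to include the RIDs of every group nested under Group1, not just Group1 itself.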
Best Answer
OK - it seems that the limitation comes from the domain forest level being lower than 2003.
https://support.microsoft.com/en-us/kb/275523
After changing the forest mode to 2003 it should work. I changed it, but currently it doesn't work... will wait some minutes and hope that it is the solution.