All Apps and Add-ons

How can I flatten nested Active Directory group members for ldapsearch filter?

Communicator

I am using an ldapsearch as a filter for my events. The sAMAccount name matches the User. It works perfectly for the direct group members but does not unpack members of nested groups in the AD group. Hoping there is a simple step I'm missing. Thanks for any suggestions.

index="my_index"
[| ldapsearch domain="mydomain" search="(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=MY Group Name,ou=delegated,ou=groups,dc=amr,dc=corp,dc=mydomain,dc=com))"
| table sAMAccountName
| rename sAMAccountName as User]
...rest of search

0 Karma

Contributor

AD does have a "magic string" (1.2.840.113556.1.4.1941) you can add to get this. Using your example the SPL would look like so:

index="my_index"
[| ldapsearch domain="mydomain" search="(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=MY Group Name,ou=delegated,ou=groups,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="sAMAccountName"
| table sAMAccountName
| rename sAMAccountName as User]
...rest of search

This also works in reverse say you want to get all groups including the nested groups for a user like so:

| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"

That will give you all groups a user belongs to, but a bit tougher to single out just the nested groups:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| append 
    [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
    | rename dn AS memberOfNested
    | table memberOfNested
    | eval cn = "username"
    ]
| filldown memberOf
| eval nested = if(match(memberOf,memberOfNested),null(),memberOfNested)
| fields - memberOfNested
| stats values(*) AS * BY cn

The AD documentation can be seen here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filter...
Pay careful attention to Note 10:

The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).

0 Karma