Tags: active-directory, ldap, nested, openldap, ldap-query

Generic ldap nested group implementation


I need to implement nested group membership for generic AD services. Previously, i was using a specific search-filter ("member:1.2.840.113556.1.4.1941:=") through which using a single search request, i was able to get hold of all group membership through which that user was part of. However, it looks like that search-filter seems to work only for MS AD servers and not for generic AD servers.

So, is anybody aware of any specific search filter which we can send in a search request (applicable to All AD servers), through which i can derive nested group membership via a single search query.

Thanks in advance for your help on this.


Solution

  • "member:1.2.840.113556.1.4.1941" is LDAP_MATCHING_RULE_IN_CHAIN and might very well not be implemented by other LDAP vendors. LDAP Wiki

    Edit:

    You could do something like this if you want to recurse the groups:

    Use the filter:

        (&(objectCategory=organizationalPerson)(objectClass=User)(sAMAccountName=YOURUSER))

        get "distinguishedName"  (this is the user's distinguishedName)
        get "memberOf"  (this is a collection of distinguishedNames of the groups the user is a member of (minus the primary group in MS Active Directory, which should be "Domain Users"))

    Foreach memberOf in the collection: (This is the first level, so there is no need to check if he is there, because he is.)

        (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

        get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

        This is the second level (the groups within the groups), so first check if the user's distinguishedName is present.

        (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

        get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

        This is the third level (the groups within the groups), so first check if the user's distinguishedName is present.

        (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

        get "member" (this is a collection of distinguishedNames of group members)

    etc.
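The level-by-level walk above, written out as an added example (not the answer's or the asker's code): it works upward by asking which groups list the current DN in their standard `member` attribute, so it needs neither `LDAP_MATCHING_RULE_IN_CHAIN` nor a server-maintained `memberOf`, stops when it meets a group cycle, and escapes each DN before embedding it in a filter. The directory, the DNs and `mock_search` are constructed stand-ins for a real server.

```python
import re

# Constructed in-memory directory (DN -> attributes); a stand-in for an LDAP server so the
# example runs offline. "engineering" and "staff" contain each other (a cycle), and one
# group DN contains filter metacharacters on purpose.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
DEVS = "cn=devs,ou=groups,dc=example,dc=com"
ENG = "cn=engineering,ou=groups,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
ONCALL = "cn=ops (oncall),ou=groups,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["person"], "member": []},
    DEVS: {"objectClass": ["groupOfNames"], "member": [ALICE]},
    ENG: {"objectClass": ["groupOfNames"], "member": [DEVS, STAFF]},
    STAFF: {"objectClass": ["groupOfNames"], "member": [ENG, ONCALL]},
    ONCALL: {"objectClass": ["groupOfNames"], "member": [ALICE]},
}

def escape_filter_value(value):
    # RFC 4515: escape a value before embedding it in a filter; otherwise a DN such as
    # "cn=ops (oncall),..." breaks or rewrites the filter the answer builds with THISMEMBEROF.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parent_group_filter(dn):
    # Groups listing dn as a direct member, via the standard 'member' attribute (portable).
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(dn)

def mock_search(directory, ldap_filter):
    # Evaluate only the filter shape built above against the in-memory directory.
    m = re.fullmatch(r"\(&\(objectClass=groupOfNames\)\(member=(.*)\)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, attrs in directory.items()
            if "groupOfNames" in attrs["objectClass"] and wanted in attrs["member"]]

def nested_groups(directory, user_dn):
    # Walk upward one level at a time, as in the answer; the visited set stops the cycle.
    visited, queue = set(), [user_dn]
    while queue:
        dn = queue.pop()
        for group in mock_search(directory, parent_group_filter(dn)):
            if group not in visited:
                visited.add(group)
                queue.append(group)
    return visited
```

Against a real server, replace `mock_search` with one search per level using the same filter; the number of round trips grows with nesting depth, which is the price of portability.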