I am trying to allow the users from nested groups in Active Directory to log in to my Spring Boot/Security based application. I have figured out how to provide the search query through the spring-security configuration, but I am having trouble with the search query itself.
Here is the search query that is currently working as expected:
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))
This is working as expected as user1 belongs to parent_group1 or one of its subgroups. But I have more than one parent_group, with a constant prefix. So I am trying to provide a wildcard in that query as CN=parent_group*, but it's not working.
I have seen a variation here where each parent_group can be added with an OR like this:
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(|(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group2,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group3,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)))
And this works too. But the problem with this is that every time a new parent group is added this needs to be updated. I have gone through the link specified in the answer to the above question, but nothing from there works.
Ideally, I was hoping something like this would work (wildcard pattern for parent_group):
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))
But it's not working. It doesn't return any results. Can someone help me if there is a better way of doing this?
Also, is it possible not to mention the entire hierarchy like this?
CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local
I have been researching this for a couple of days now and have gone through most of the articles provided online or on SO, but nothing with the wildcard pattern combined with the chain matching rule works so far.
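The OR-of-chain form the question shows does work, and the maintenance burden it describes can be removed by generating it programmatically: run a plain substring search on the group cn (wildcards are fine in an ordinary equality/substring filter, just not inside the 1.2.840.113556.1.4.1941 extensible match), then emit one chain term per group DN found. The following is an added example, not code from the question or the answer; the group DNs and UPN are constructed, and it only builds the filter strings (sending them with ldap3 or Spring's LdapTemplate is assumed to happen elsewhere). It also escapes every caller-supplied value per RFC 4515, which matters because the userPrincipalName in the filter comes from whoever is logging in.

```python
"""Build AD nested-membership filters from a discovered group list.

Added example (not from the question or the answer). Names and DNs below
are constructed; the actual LDAP round-trips are assumed to be done by
the caller (ldap3, Spring LdapTemplate, ...).
"""
from typing import Iterable, List

# AD's LDAP_MATCHING_RULE_IN_CHAIN OID, as used in the question's filters.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a filter *value* so that caller-supplied text
    (e.g. the UPN typed at login) cannot change the filter's structure."""
    out: List[str] = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_discovery_filter(prefix: str) -> str:
    """Substring search on cn: this is where the wildcard belongs. Run it
    once against the groups OU; each hit's distinguishedName feeds
    nested_member_filter() below."""
    return "(&(objectCategory=group)(cn=%s*))" % escape_filter_value(prefix)


def nested_member_filter(upn: str, group_dns: Iterable[str]) -> str:
    """Same shape as the working OR filter in the question, one chain term
    per parent group DN, with every value escaped."""
    terms = [
        "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(dn))
        for dn in group_dns
    ]
    if not terms:
        # An empty OR would match nothing on some servers and error on others;
        # refuse explicitly so a misconfigured group search cannot grant access.
        raise ValueError("no parent groups discovered; refusing to build filter")
    return "(&(objectCategory=Person)(userPrincipalName=%s)(|%s))" % (
        escape_filter_value(upn),
        "".join(terms),
    )


if __name__ == "__main__":
    # Constructed sample: DNs that a group_discovery_filter("parent_group")
    # search might return.
    discovered = [
        "CN=parent_group1,OU=Groups,DC=example,DC=local",
        "CN=parent_group2,OU=Groups,DC=example,DC=local",
    ]
    print(group_discovery_filter("parent_group"))
    print(nested_member_filter("user1@example.local", discovered))
    # A hostile login name is neutralised rather than injected:
    print(nested_member_filter("*)(objectClass=*", discovered))
```

The two-step search costs one extra query per login (or per cache refresh if the group list is cached), but it keeps the chain operator on the exact DNs it requires while still letting new parent_group* groups pick up automatically.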
It is not possible to do what you describe. You'd be well served by having one parent group which all your "other" parent groups are nested in. Anytime a new parent group is created, you would nest it in your master group so that it's granted access. This is a pretty common model.