Tags: java, spring-security, ldap, spring-ldap

LDAP Active Directory group search on base not drilling down to include multiple OUs


I am trying to retrieve all the AD groups for the authenticating user in my Java app, where the groups come from two different organizational units. So far I can only retrieve one set of groups, or the other, using Spring Security and setting the search base to either of:

OU=RoleGroups,OU=UEU,OU=rEU,DC=ah1,DC=ad,DC=megacorp,DC=com

or

OU=RoleGroups,OU=MOR,OU=rEU,DC=ah1,DC=ad,DC=megacorp,DC=com

These only return a result when I use them with the simple search filter:

(member=CN=Adam,OU=Users,DC=ah1,DC=ad,DC=megacorp,DC=com)

Spring Security with the spring-security-ldap library only allows me to make one query; otherwise I will have to start overriding the 3rd-party library classes to make my second call.

I've just been trying to work out if I can apply anything from these 2 SO questions:

LDAP root query syntax to search more than one specific OU

Spring LDAP authentication with multiple user OU and multiple access CNs

but a solution still eludes me. As far as I can tell by changing everything to do groups instead of users, I should be doing the following:

Use port 3268 instead of 389

Use search base DC=ah1,DC=ad,DC=megacorp,DC=com

Use search filter (&(objectCategory=RoleGroup)(objectclass=group)(member={0}))

and this should run my query as a 'global catalog search'. I can't get this to work - no results returned - with any variation of my search base from null to zero-length string to the above, and varying my search filter hopefully intelligently.

There is also an AD global catalog search technique using some sort of number reference to a userAccountControl etc., but even after a deep dive into Microsoft AD it's far from clear whether there's a similar "groupControl" attribute.

I see an Org Unit called RoleGroups and this is Active Directory, but I don't know if I should be referring to it in my search filter as above like this:

(&(objectClass=group)(member={0}))

or

(&(objectCategory=RoleGroup)(objectclass=group)(member={0}))

where I have objectClass, objectclass, objectCategory or objectcategory and nothing but trial and error to guide me - and so far, it is all error.

The complete lack of returned groups when I try to search from the DC=megacorp,DC=com search base using a simple filter gives me a suspicion that I may have configured something wrong. But what that is I don't know. I have set the available Spring config properties such as searchSubtree=true and derefLink=true.


Solution

  • I decided to dig deeper into the issue using the Microsoft AD Client tool dsquery.

    Initially I had a problem with brackets in the distinguished name, e.g.:

    $ dsquery user -samid craxyz01
    "CN=Bloggs\, Joe (SUPERHERO AGSC),OU=Users,OU=Client,DC=ah1,DC=ad,DC=megacorp,DC=com"
    

    To get dsquery to respond, I had to escape the brackets:

    $ dsquery * "DC=ah1,DC=ad,DC=megacorp,DC=com" -filter "(&(objectClass=group)(member=CN=Bloggs\, Joe \28SUPERHERO AGSC\29,OU=Users,OU=Client,DC=ah1,DC=ad,DC=megacorp,DC=com))"
    

    This query drills down through all org units below DC=ah1,DC=ad,DC=megacorp,DC=com, so it picks up all groups, whether in OU=UEU or OU=MOR.

    So now in my Java app with

    group search base=DC=ah1,DC=ad,DC=megacorp,DC=com

    and group search filter=(&(objectClass=group)(member={0}))

    it's pretty obvious that Spring is doing something wrong, maybe not escaping the slash /, but it's hard to tell because of the reflection it does. It does call LdapEncoder.filterEncode() which looks like it should work.

    Thanks to https://superuser.com/questions/1107493/dsquery-parameters

    I'll post a new question directly about spring-security and make sure it pings back the link.
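Added example, not from the question, the answer or Spring's own code: a Python encoder for RFC 4515 filter values, doing what the answer says Spring's LdapEncoder.filterEncode() should do, plus a validity check and the {0} substitution into the group search filter. The DN is a constructed sample with the same shape as the one in the dsquery session (escaped comma and parentheses in the CN), not a real account.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value, written as a backslash followed by the byte's two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One escape sequence: backslash plus exactly two hex digits.
_ESCAPE_SEQ = re.compile(r"\\[0-9a-fA-F]{2}")


def filter_encode(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_filter_value(value: str) -> bool:
    """True if the value obeys RFC 4515: no raw ( ) * NUL, and every
    backslash begins a \\XX hex escape (so a DN's raw "\\," is rejected)."""
    i = 0
    while i < len(value):
        ch = value[i]
        if ch in "()*\x00":
            return False
        if ch == "\\":
            if not _ESCAPE_SEQ.match(value, i):
                return False
            i += 3
            continue
        i += 1
    return True


def group_search_filter(user_dn: str,
                        template: str = "(&(objectClass=group)(member={0}))") -> str:
    """Substitute the authenticated user's DN into the group search filter,
    escaping it first so the DN cannot change the filter's structure."""
    return template.replace("{0}", filter_encode(user_dn))


# Constructed sample DN (same shape as the question's, not a real account).
USER_DN = ("CN=Bloggs\\, Joe (SUPERHERO AGSC),OU=Users,OU=Client,"
           "DC=ah1,DC=ad,DC=megacorp,DC=com")

if __name__ == "__main__":
    print("raw DN valid as a filter value?", is_valid_filter_value(USER_DN))
    print(group_search_filter(USER_DN))
```

Strict encoding also turns the DN's own `\,` into `\5c,`, which the dsquery filter above left as `\,`; running is_valid_filter_value() on the raw DN shows why a DN with parentheses cannot simply be concatenated into a filter.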