
LDAP extensible match filter LDAP_MATCHING_RULE_IN_CHAIN


When I run the following I end up with a good list of results:

import ldap  # python-ldap; `connection` is assumed to be an already-bound ldap.LDAPObject

base = 'OU=Security Groups,OU=Groups,DC=myserver,DC=com'
criteria = 'CN=My Example'
attributes = ['member', 'groupType', 'description', 'memberOf']

result = connection.search_ext_s(base, ldap.SCOPE_SUBTREE, criteria, attributes, sizelimit=0)

However I can't seem to find anything that helps me when using an LDAP_MATCHING_RULE_IN_CHAIN.

import ldap  # python-ldap; `connection` is assumed to be an already-bound ldap.LDAPObject

base = 'OU=Security Groups,OU=Groups,DC=myserver,DC=com'
# The filter that returns nothing (see the answer below for why):
criteria = '1.2.840.113556.1.4.1941:=CN=MatchedRuleChainExample'
attributes = ['member', 'groupType', 'description', 'memberOf']

result = connection.search_ext_s(base, ldap.SCOPE_SUBTREE, criteria, attributes, sizelimit=0)

The above always returns blank. Can anyone help me grasp this? I feel completely lost on how to get through the subgroups in Python.


Solution

  • This criteria syntax 1.2.840.113556.1.4.1941:=CN=MatchedRuleChainExample is wrong.

    The string representation of an LDAP extensible match filter must consist of the following components, in order:

    • An opening parenthesis
    • The name of the attribute type, or an empty string if none was provided
    • The string ":dn" if the dnAttributes flag is set, or an empty string if not
    • If a matching rule ID is available, then a string comprised of a colon followed by that OID, or an empty string if there is no matching rule ID
    • The string ":="
    • The string representation of the assertion value
    • A closing parenthesis

    To sum it up, it should look like this:

    ([<attr>][:dn][:<OID>]:=<assertion>)
    
    # In your case, fixing the attribute position:
    (cn:1.2.840.113556.1.4.1941:=MatchedRuleChainExample)
    

    But there is another issue here: LDAP_MATCHING_RULE_IN_CHAIN only works with Distinguished Name (DN) type attributes (like member or memberOf, which are commonly used with extensible match filters), and cn is not one, so it can't work.

    To grab all Security Groups that are members of CN=My Example, including nested groups, use the memberOf attribute with the extensible match and apply it to the group's DN.

    # Fixing the attribute type and assertion value:
    (memberOf:1.2.840.113556.1.4.1941:=<groupDN>)
    

    Also, you need to filter on objectClass to match only group entries (group members could also be users or machines). So in the end, the filter criteria should look like:

    (&(objectClass=groupOfNames)(memberOf:1.2.840.113556.1.4.1941:=CN=My Example,OU=Security Groups,OU=Groups,DC=myserver,DC=com))
    

    cf. Active Directory Group Related Searches

    Note that LDAP_MATCHING_RULE_IN_CHAIN is available only on Domain Controllers with Windows Server 2003 R2 (or above).
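As an added example (not code from the question or the answer above), a small python-ldap helper that builds the nested-membership filter from a group DN with RFC 4515 value escaping, so that a DN containing parentheses, asterisks or backslashes cannot alter the filter's structure, and runs it with search_ext_s(). The base DN, the sample group DN and the default objectClass value "group" (Active Directory's group class) are assumptions; pass "groupOfNames" if your directory uses that class as the answer does.

```python
"""Added example (not from the question or answer above): build an
LDAP_MATCHING_RULE_IN_CHAIN filter safely and run it with python-ldap.

Assumptions: the group DN and base DN are constructed sample values; the
object class defaults to "group" (Active Directory's group class; pass
"groupOfNames" for directories that use the RFC 4519 class).
"""

# OID of LDAP_MATCHING_RULE_IN_CHAIN (transitive / nested membership).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# RFC 4515 filter-value escaping. A DN such as "CN=Sales (EMEA),..." must not be
# pasted into a filter verbatim: unescaped "(", ")", "*" or "\" would change the
# filter's structure (LDAP filter injection) or simply make it unparsable.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.
    Equivalent to ldap.filter.escape_filter_chars() from python-ldap."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_members_filter(group_dn: str, object_class: str = "group") -> str:
    """Filter matching every <object_class> entry that is a direct or nested
    member of group_dn, i.e. (memberOf:<OID>:=<groupDN>) combined with an
    objectClass check, as described in the answer."""
    return (
        f"(&(objectClass={escape_filter_value(object_class)})"
        f"(memberOf:{IN_CHAIN_OID}:={escape_filter_value(group_dn)}))"
    )


def search_nested_members(connection, base: str, group_dn: str,
                          attributes=("member", "groupType", "description", "memberOf")):
    """Run the nested-membership search. `connection` is an already-bound
    ldap.LDAPObject; returns the (dn, attrs) list from search_ext_s()."""
    import ldap  # python-ldap; imported here so the filter helpers work without it
    return connection.search_ext_s(base, ldap.SCOPE_SUBTREE,
                                   nested_members_filter(group_dn),
                                   list(attributes), sizelimit=0)


if __name__ == "__main__":
    # Constructed sample DN containing parentheses, which the escaping must handle.
    group = "CN=Sales (EMEA),OU=Security Groups,OU=Groups,DC=myserver,DC=com"
    print(nested_members_filter(group))
```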