Tags: python, python-3.x, ldap, ldap3

Can't use Python ldap3 to get recursive users of an LDAP group


I am using the Python3 ldap3 library to query my enterprise's LDAP (AD).

Querying groups and group members works fine, except when I try to use the extensible matching rule "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) for recursive group member querying.

Doing so gets me the following error every time:

 ldap3.core.exceptions.LDAPAttributeError: invalid attribute ExtensibleMatch:
 matchingRule

Here is the code I am using:

import json  # needed for json.loads() below; missing from the original snippet
import ldap3

s = ldap3.Server(host="<ldapServerAddress>", port=636, use_ssl=True, get_info=ldap3.ALL)
c = ldap3.Connection(s, user='<user>', password='<password>', client_strategy="SYNC", read_only=True)
c.bind()
base = '<baseDC>'

# Get "MYGROUP" distinguished name
c.search(search_base=base, search_filter="(sAMAccountName=MYGROUP)", attributes=["distinguishedName"])
dj_son = json.loads(c.response_to_json())
distinguished_name = dj_son["entries"][0]["attributes"]["distinguishedName"]

# Works fine: direct members only
c.search(base, '(&(objectclass=user)(memberOf={}))'.format(distinguished_name), attributes=["sAMAccountName"])

# Raises an error "LDAPAttributeError: invalid attribute ExtensibleMatch: matchingRule"
# (same query with the LDAP_MATCHING_RULE_IN_CHAIN OID for nested members)
c.search(base, '(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:={}))'.format(distinguished_name), attributes=["sAMAccountName"])

Can you guys spot any error?

  • My LDAP does support that extensible matching rule
  • The rule is not deactivated on my LDAP
  • I am using the latest version of ldap3 (2.9)

Thanks for your help :-)


Solution

Finally found the source of the problem:

When using the extensible matching rule LDAP_MATCHING_RULE_IN_CHAIN, the LDAP server address must match the search base (no subdomain).

I was actually searching for an object in "subdomain.domain.com" and the LDAP server was set to "domain.com".

To make it work:

  • if the object to search is in "subdomain.domain.com"
  • => set LDAP server to "subdomain.domain.com"
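A version of the nested-member query that applies this fix, added here as an example (it is not the asker's code or part of the ldap3 project): the server host is derived from the DC components of the search base so the two always agree, and the group DN is RFC 4515-escaped before it is interpolated into the filter. The base DN, group DN and credentials are assumed placeholders; the helpers that build the host and filter run without a server.

```python
import re
from typing import List

# Microsoft's extensible matching rule OID for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def domain_from_base_dn(base_dn: str) -> str:
    """Join the DC= components of a DN into the DNS domain they spell.

    'OU=Groups,DC=subdomain,DC=domain,DC=com' -> 'subdomain.domain.com'
    """
    parts = [rdn.strip() for rdn in base_dn.split(",")]
    dc_values = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    if not dc_values:
        raise ValueError("search base has no DC components: %r" % base_dn)
    return ".".join(dc_values)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter (a DN with
    parentheses or asterisks would otherwise break or widen the filter)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def nested_members_filter(group_dn: str) -> str:
    """Filter matching users that are direct or nested members of group_dn."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def find_nested_members(base_dn: str, group_dn: str, user: str, password: str) -> List[str]:
    """Connect to the domain named by base_dn, so host and search base agree,
    and return the sAMAccountName of every transitive member of group_dn."""
    import ldap3  # imported here so the pure helpers above work without ldap3

    host = domain_from_base_dn(base_dn)  # e.g. 'subdomain.domain.com', not 'domain.com'
    server = ldap3.Server(host, port=636, use_ssl=True, get_info=ldap3.ALL)
    with ldap3.Connection(server, user=user, password=password,
                          auto_bind=True, read_only=True) as conn:
        conn.search(base_dn, nested_members_filter(group_dn),
                    attributes=["sAMAccountName"])
        return [str(entry.sAMAccountName) for entry in conn.entries]


if __name__ == "__main__":
    # Placeholder values; replace with your own base DN, group DN and credentials.
    members = find_nested_members("DC=subdomain,DC=domain,DC=com",
                                  "CN=MYGROUP,OU=Groups,DC=subdomain,DC=domain,DC=com",
                                  "<user>", "<password>")
    print("\n".join(members))
```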