nwatson-qit
Partner - Contributor II

Are nested AD groups supported in the Additional LDAP filter in an AD UDC?

I have created a user directory connector that reads users from Active Directory (sync data for existing users ticked), and has an additional filter that specifies a particular AD group for users who should have access to Sense. I had hoped to nest more AD groups in this group to permit users access, but only users listed directly in the queried AD group are synced, not users that belong to nested groups.

Does anyone know if nested groups are permitted in a UDC LDAP query?

1 Solution

Accepted Solutions
lucienorrin
Creator

I was able to import users that are members of nested groups. The query is based on LDAP_MATCHING_RULE_IN_CHAIN, and is faster than a recursive search but still isn't very fast.

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=mygroup,OU=Groups,DC=mydomain,DC=com))


5 Replies
lucienorrin
Creator

I was wondering this as well.

Did you ever get an answer?

nwatson-qit
Partner - Contributor II
Author

Never did. My own investigations suggested that it doesn't, but the LDAP query can be updated to an OR type, which I think will overcome my initial problem. It does mean the security maintenance is a bit heavier though.

larshilke
Partner - Contributor III

Thank you Luke for this information. It works like a charm with nested groups. I recommend that this article is marked as Answered.

DBIT
Contributor II

Is it possible to target nested AD group users without including the parent AD group?
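
Added example, not part of the thread and not Qlik or Microsoft code: it builds the three filter shapes discussed above (the OR of direct groups, the LDAP_MATCHING_RULE_IN_CHAIN form from the accepted solution, and a nested-only variant that goes one step beyond the thread) with RFC 4515 escaping of the group DN, and models what each one selects on a small constructed directory. The group names `eu-users` and `de-users`, the four users, and the in-memory membership walk are assumptions made for illustration.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, as in the thread
BASE = "OU=Groups,DC=mydomain,DC=com"  # placeholder domain used in the thread
ROOT, EU, DE = ("CN=%s,%s" % (n, BASE) for n in ("mygroup", "eu-users", "de-users"))

def escape_filter_value(value):
    """RFC 4515 escaping, so a group DN cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def direct_filter(group_dns):
    """OR of direct memberOf tests: each nested group has to be listed by hand."""
    tests = "".join("(memberOf=%s)" % escape_filter_value(d) for d in group_dns)
    return "(&(objectClass=user)(|%s))" % tests

def in_chain_filter(group_dn):
    """Direct and nested members of group_dn (the accepted solution's form)."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (IN_CHAIN, escape_filter_value(group_dn))

def nested_only_filter(group_dn):
    """In-chain members minus anyone who is also a direct member of group_dn."""
    dn = escape_filter_value(group_dn)
    return "(&(objectClass=user)(memberOf:%s:=%s)(!(memberOf=%s)))" % (IN_CHAIN, dn, dn)

# Constructed directory: object -> groups it is a DIRECT member of.
# ROOT also sits inside DE, a circular nesting the walk below must survive.
MEMBER_OF = {"alice": {ROOT}, "bob": {EU}, "carol": {DE}, "dave": set(),
             EU: {ROOT}, DE: {EU}, ROOT: {DE}}
USERS = ("alice", "bob", "carol", "dave")

def ancestors(obj):
    """Every group reachable through memberOf, visiting each group once."""
    seen, stack = set(), list(MEMBER_OF.get(obj, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, ()))
    return seen

def match_direct(groups):
    return sorted(u for u in USERS if MEMBER_OF[u] & set(groups))
def match_in_chain(group):
    return sorted(u for u in USERS if group in ancestors(u))
def match_nested_only(group):
    return sorted(u for u in USERS if group in ancestors(u) and group not in MEMBER_OF[u])

if __name__ == "__main__":
    print(in_chain_filter(ROOT), "->", match_in_chain(ROOT))
    print(nested_only_filter(ROOT), "->", match_nested_only(ROOT))
```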