nested groups (Active Directory style)?

[christian-korneck]

unless other LDAP servers, Active Directory supports nested groups and a way to query them using regular LDAP clients by entering special "OID" strings in the LDAP filter. I.e. an ldapsearch query like this against an Active Directory would return a list of users that are either directly members of the group testgroup or are member of a group that is nested into testgroup (directly or indirectly):

ldapsearch -h mydomaincontroller.mydomain.local -x -b "DC=mydomain,DC=local" -D "CN=myauthuser,OU=USERS,DC=mydomain,DC=local" -w mypassword "(&(objectCategory=user)(memberof:1.2.840.113556.1.4.1941:=CN=testgroup,OU=GROUPS,DC=mydomain,DC=local))"

Is it possible to somehow use such an LDAP filter in auth-ldap.cnf? I'm confused how the combination of RequireGroup, Group -> BaseDN, Group -> Search Filter and Group -> MemberAttribute lead to the actual LDAP query. Is there any setting where I could enter the memberof:1.2.840.113556.1.4.1941:=<groupname> string?

See here for the AD search syntax specs:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Many thanks in advance.

[benley]

You can use that in a SearchFilter, something like:

<Authorization>
  BaseDN DC=mydomain,DC=local
  SearchFilter (&(objectCategory=user)(sAMAccountName=%u)(memberof:1.2.840.113556.1.4.1941:=CN=testgroup,OU=GROUPS,DC=mydomain,DC=local))
  RequireGroup false
</Authorization>

I believe you want RequireGroup false in this case since the searchfilter is already mandating membership in your target group.

[christian-korneck]

@benley Many thanks for the info. I will try and give feedback.