How to get users of group (with nested) in OpenLDAP (UnboundID Java API)

Question

H everyone,

I am having a problem with getting all the users that are inside of one group. I have the group name, and my task is to get list of all users. I do not have enabled memberOf property in OpenLDAP server. So far I was able to get the group using:

 "(&(objectClass=groupOfNames)(cn=" + groupName + "))";

When I got this, I used the attribute member of found group e.g "cn=ldapuser1,ou=Users,dc=example,dc=com"

Then having this I did another query to get all users with given name (in the example above the name would be ldapuser1). I user this query:

"(&(objectClass=inetOrgPerson)(|" + builder + "))"; // it can contain several names

Problem is that if my main group contain another group... my second query would not work.

So what works for now is: (but is not that straightforward and easy) getting users of one single group (2 calls to the server are required - first to get group, and then based on member attribute I do second query that asks for specific users)

What does not work is e.g if one single group contain one user and one group that e.g. contains 2 users, in the final result with my current solution I got only one user. What I want is to have three users as a result in this example.

I have already working Active Directory user search and it is so simple - I use just memberOf with "1.2.840.113556.1.4.1941" filter for nested groups and their users. Why it can not be this simple with OpenLDAP?

So my final question is what is the best approach to implement this, how to build this kind of query ?

I would really like some advice from you guys,

any help would be appreciated!

many thanks,

cheers

Answer 1

Why it can not be this simple with OpenLDAP?

"1.2.840.113556.1.4.1941" (aka LDAP_MATCHING_RULE_IN_CHAIN) is an Extensible Match operator that walks the chain of ancestry in objects all the way to the root until it finds a match and is, as far as I know, only available with Microsoft Active Directory.

You could, of course, write code to evaluate each memberOf value returned to determine if it is a group and then transverse through each group.

A friend of mine once said "Complexity can neither be created or destroyed, but only moved around". Nested groups is one of those type of complexity issues. Do it on Client or server but it is still complex and resource intensive.

Nested groups is a compounding problem and even with Microsoft Active Directory using "1.2.840.113556.1.4.1941" will fail on large nests of groups and/or large numbers of members. I recommend Nested Groups be avoided.