lists.arthurdejong.org

Re: How to fetch all the groups for a user from Active Directory




Hi

Where do I set this in the nslcd.conf?

On Tue, 12 Jan, 2021, 8:37 PM Mark Hack, <markhack [at] markhack.com> wrote:
See https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

You need to use the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which will cause nested searching on AD


EG
(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)

On Tue, 2021-01-12 at 20:25 +0530, varun mittal wrote:
Hi

Reposting this question, after holidays :)

On Wed, 9 Dec, 2020, 8:36 PM varun mittal, <vmittal05 [at] gmail.com> wrote:
Hi

I am using 'nss-pam-ldapd-0.9.8-1' on CentOS 7.2 and have been struggling to find the correct nslcd.conf configuration to fetch all the groups for an Active Directory user.

I tried "nss_nested_groups yes" option too, but the nested group memberships via the 'Primary Group' are still left out.

Eg.
username: test_user
Primary Group: 'Domain Users'
Secondary Group: 'FirstLevelGroup'

The 'Domain Users' group is a member of another group, say X. Similarly, 'FirstLevelGroup' is also a member of another group, say Y.

'id test_user' returns 'Domain Users', 'FirstLevelGroup', 'Y'

The group 'X' is left out.

If I change the Primary Group to point to 'FirstLevelGroup', then group 'X' is included but 'Y' is left out.
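
The behaviour reported in this thread, as an added example that is not part of the original messages and is not nss-pam-ldapd code: a constructed in-memory directory in which the primary group is recorded only on the user entry (as AD does with primaryGroupID) and nested lookup follows the `member` attribute, which is an assumption made to reproduce the reported `id` output. The function names are hypothetical, and the filter uses the `member` direction of the matching rule (groups containing a DN), the reverse of the `memberOf` example quoted above.

```python
# Added example: constructed in-memory directory, not real AD data.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, from the thread

# group -> direct members listed in its 'member' attribute (constructed sample)
MEMBER = {
    "Domain Users": set(),  # primary-group members are not listed in 'member'
    "FirstLevelGroup": {"test_user"},
    "X": {"Domain Users"},
    "Y": {"FirstLevelGroup"},
}
PRIMARY = {"test_user": "Domain Users"}  # stands in for primaryGroupID


def in_chain_filter(dn):
    """Build the nested-membership filter for a DN, escaping per RFC 4515."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in dn)
    return "(member:%s:=%s)" % (IN_CHAIN, esc)


def chain_groups(start, member=MEMBER):
    """Groups that contain `start` directly or transitively via 'member'."""
    found, todo = set(), [start]
    while todo:
        current = todo.pop()
        for group, members in member.items():
            if current in members and group not in found:
                found.add(group)  # the 'found' set also stops membership loops
                todo.append(group)
    return found


def groups_member_only(user, member=MEMBER, primary=PRIMARY):
    """Nested walk from the user only; primary group is added, not expanded."""
    return chain_groups(user, member) | {primary[user]}


def groups_complete(user, member=MEMBER, primary=PRIMARY):
    """Also walk the chain starting from the primary group itself."""
    pg = primary[user]
    return chain_groups(user, member) | {pg} | chain_groups(pg, member)


if __name__ == "__main__":
    print(in_chain_filter("cn=group,cn=users,DC=x"))
    print(sorted(groups_member_only("test_user")))  # 'X' is missing
    print(sorted(groups_complete("test_user")))     # 'X' is present
```

When group membership drives authorization, comparing the two result sets for a sample of accounts shows which nested grants a member-only lookup would silently drop.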