Question
I am trying to allow the users from nested groups in Active Directory to login to my spring boot/security based application. I have figured how to provide the search query through spring-security configuration, but I am having trouble with the search query itself.
Here is the search query that is currently working as expected:
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))
This is working as expected as user1 belongs to parent_group1 or one of its sub groups. But I have more than one parent_group, with a constant prefix. So I am trying to provide a wildcard in that query as CN=parent_group*, but it's not working.
I have seen a variation here where each parent_group can be added with an OR like this:
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(|(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group2,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group3,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)))
And this works too. But the problem with this is, every time a new parent group is added this needs to be updated. I have gone through the link specified in the answer to the above question, but nothing from there works.
Ideally, I was hoping something like this would work (wildcard pattern for parent_group):
(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))
But it's not working. It doesn't return any results. Can someone help me if there is a better way of doing this?
Also, is it possible not to mention the entire hierarchy like this?
CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local
I have been researching this for a couple of days now and gone through most of the articles provided online or on SO, but nothing with the wildcard pattern with the chain command works so far.
Answer 1:
It is not possible to do what you describe. You'd be well served by having one parent group which all your "other" parent groups are nested in. Anytime a new parent group is created, you would nest it in your master group so that it's granted access. This is a pretty common model.
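Since the OR form from the question has to be regenerated whenever the list of parent groups changes, it is best assembled in code rather than kept as a literal in the Spring Security configuration. The helper below is an added example, not code from the question or the answer: it builds the exact filter shape shown above from a list of parent-group DNs (a single DN, as in the answer's master-group model, yields the plain AND filter), and it escapes the user-supplied userPrincipalName per RFC 4515, which matters because that value arrives from the login form and would otherwise allow LDAP filter injection. The group DNs are the ones quoted in the question.

```python
import re
from typing import List

# Matching rule OID for LDAP_MATCHING_RULE_IN_CHAIN (transitive group
# membership), exactly as used in the question's filters.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search
    filter (RFC 4515): backslash, asterisk, parentheses and NUL become
    backslash-hex so user input cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def nested_member_filter(upn: str, group_dns: List[str]) -> str:
    """Build the filter from the question: a Person with this UPN that is a
    direct or nested member of at least one of the given parent groups.

    One DN gives the plain AND form; several DNs are wrapped in (|...)."""
    if not group_dns:
        raise ValueError("at least one parent group DN is required")
    clauses = [f"(memberOf:{IN_CHAIN}:={escape_filter_value(dn)})" for dn in group_dns]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectCategory=Person)(userPrincipalName={escape_filter_value(upn)}){membership})"


if __name__ == "__main__":
    # Constructed sample input reusing the DNs quoted in the question.
    base = "OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local"
    groups = [f"CN=parent_group{i},{base}" for i in (1, 2, 3)]
    print(nested_member_filter("user1@domain.local", groups))
    # A UPN containing filter metacharacters is neutralised, not interpreted.
    print(nested_member_filter("user1*)(objectClass=*", groups[:1]))
```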
Source: https://stackoverflow.com/questions/51879457/active-directory-search-query-for-nested-groups-with-wildcard-pattern-in-search