Active Directory user filter does not search nested groups


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Excluding Fisheye and Crucible


Problem

An Active Directory (AD) user object filter that pulls in users from a specific group does not pick up users who belong only to groups nested under that group, even though nested-group support is enabled in Crowd. A filter like the following is used:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))

Cause

Crowd passes the user object filter to AD unchanged, and AD evaluates it with standard LDAP filter semantics. A plain (memberOf=<group DN>) assertion is an equality match on the user's own memberOf attribute, which lists only the groups the user is a direct member of. Users whose only path into the group is through a nested subgroup therefore never match, and AD never returns them to Crowd. Crowd's nested-groups setting governs how Crowd resolves membership among the objects it has already synchronised; it cannot bring in users that the filter excluded at the directory.

To make AD follow the nesting itself, the filter has to use an extended match operator: the matching rule OID 1.2.840.113556.1.4.1941 is inserted between the attribute name and the value, as in memberOf:1.2.840.113556.1.4.1941:=<group DN>. According to Microsoft:

The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).

For more information, see the Microsoft TechNet documentation on LDAP_MATCHING_RULE_IN_CHAIN.

Solution

  • Modify the above filter to include the extended match operator:

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))


    Note: the group value in this filter must be the group's full distinguished name; wildcards are not allowed, because the matching rule only applies to DN-valued attributes. Before entering the filter in Crowd, it is worth confirming what it returns with an LDAP client such as ldapsearch or the Get-ADUser -LDAPFilter cmdlet. If you need to specify multiple groups, combine one clause per group with an OR:

    (&
        (objectCategory=Person)(sAMAccountName=*)
        (|
            (memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup1,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
            (memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup2,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
            ....
        )
    )

    Note

    The matching-rule clause matches objects that are members of the named group, directly or through any depth of nesting. The named groups themselves are never returned by it, because a group is not a member of itself. So if the same construction is used as a group object filter, it yields only the subgroups of UserGroup1 and UserGroup2, not UserGroup1 and UserGroup2. If those parent groups also need to be included, create a further parent group in AD that has UserGroup1 and UserGroup2 as members, and apply the same kind of filter against that parent group's DN.
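The following is an added example, not Crowd's code or anything from the original article. It builds the nested-group user filter from a list of group DNs, escaping the values per RFC 4515 so a group name containing parentheses, an asterisk or a backslash cannot break or widen the filter, and then shows on a constructed in-memory model of AD group nesting (the group names below other than TestGroup, and all user names, are made up) which users a plain memberOf match returns versus the 1.2.840.113556.1.4.1941 chain match, and why the chain match applied to group objects never returns the named group itself.

```python
"""Added example: build the Crowd nested-group user filter and compare plain memberOf
matching with LDAP_MATCHING_RULE_IN_CHAIN on a constructed model of AD group nesting."""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a DN containing '(' ')' '*' '\\' or NUL
    cannot terminate or widen the filter. '*' is escaped on purpose: the chain rule
    needs an exact DN, not a wildcard pattern."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def nested_member_filter(group_dns, object_category="Person"):
    """Return the user object filter for users that are members, directly or through
    any depth of nesting, of at least one of the given groups (OR-ed when several)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [
        "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(dn))
        for dn in group_dns
    ]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return "(&(objectCategory=%s)(sAMAccountName=*)%s)" % (object_category, membership)


# Constructed sample directory (hypothetical names): group DN -> its direct members.
BASE = "ou=CompanyUsers,dc=test,dc=corp"
GROUPS = {
    "cn=TestGroup,ou=Groups," + BASE: {"cn=alice,ou=Users," + BASE, "cn=SubGroup,ou=Groups," + BASE},
    "cn=SubGroup,ou=Groups," + BASE: {"cn=bob,ou=Users," + BASE, "cn=DeepGroup,ou=Groups," + BASE},
    "cn=DeepGroup,ou=Groups," + BASE: {"cn=carol,ou=Users," + BASE},
    "cn=Other,ou=Groups," + BASE: {"cn=dave,ou=Users," + BASE},
}
USERS = {"cn=%s,ou=Users,%s" % (name, BASE) for name in ("alice", "bob", "carol", "dave")}


def direct_match(group_dn):
    """What (memberOf=<group_dn>) returns: objects whose own memberOf lists the group."""
    return set(GROUPS.get(group_dn, ()))


def chain_match(group_dn):
    """What (memberOf:1.2.840.113556.1.4.1941:=<group_dn>) returns: every object reachable
    by following member links down from the group. The visited set guards against
    circular nesting, which AD permits."""
    found, todo = set(), [group_dn]
    while todo:
        for member in GROUPS.get(todo.pop(), ()):
            if member not in found:
                found.add(member)
                if member in GROUPS:
                    todo.append(member)
    return found


def users_matching(group_dns, chain=True):
    """Users the filter would sync: plain memberOf (chain=False) or the chain rule."""
    matcher = chain_match if chain else direct_match
    hits = set().union(*(matcher(dn) for dn in group_dns))
    return {dn for dn in hits if dn in USERS}


def groups_matching(group_dns):
    """The chain rule used as a group object filter: nested groups only, never the
    named group itself, because a group is not a member of itself."""
    hits = set().union(*(chain_match(dn) for dn in group_dns))
    return {dn for dn in hits if dn in GROUPS}


if __name__ == "__main__":
    test_group = "cn=TestGroup,ou=Groups," + BASE
    print(nested_member_filter([test_group]))
    print("direct memberOf:", sorted(users_matching([test_group], chain=False)))
    print("chain rule:     ", sorted(users_matching([test_group])))
    print("nested groups:  ", sorted(groups_matching([test_group])))
```

Running the module prints the single-group filter from the solution above, then shows that the plain match returns only alice while the chain match also returns bob and carol, and that the nested-group query returns SubGroup and DeepGroup but not TestGroup itself.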




Product: Crowd
Last updated: April 17, 2023
