Nested LDAP groups in Active Directory

Hi all,
as stated in the topic title, this is actually not a privacyIDEA specific topic but rather kind of a problem with LDAP queries to Active Directory - maybe someone can give me a slight push in the right direction.

I’d like to assign policies to specific users based on their group membership in Active Directory.

Using a filter like
in the respective LDAP resolver I get a list of all matching users - with all groups they are direct members of as memberOf attributes. Unfortunately our Active Directory heavily relies on nested groups so that I only get a fraction of the groups of which the user is a nested member.

Is there a possibility to solve this problem and if so, how could it be done?

With kind regards

You are right. Searching nested groups is not an issue with privacyIDEA but with the correct search statement.

Use the OID 1.2.840.113556.1.4.1941.

See me, referencing Microsoft documents buahh

NB: You should not use nested groups, since this can be very time-consuming and slow.

Thanks for this hint. I already know LDAP_MATCHING_RULE_IN_CHAIN, but I don’t have any clue how to use it in my current situation.

As far as I know LDAP_MATCHING_RULE_IN_CHAIN is used to return all members of a given group (in a filter like (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)) or all groups of a given user (as in (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)), but I need to get all users with all groups for usage in an LDAP user resolver.

privacyIDEA only fetches a user object.
Or multiple user objects.

It does this with all its attributes.
So it can fetch all entries of “memberOf” - all entries that are returned by the LDAP server.

But to get all groups a user is a member of through nesting, privacyIDEA needs to use LDAP_MATCHING_RULE_IN_CHAIN in fetching the user object. Is there any way to make it behave that way?

I think this is not possible, since the matching rule OID 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN can only be used in the match filter but not in the return value.
privacyIDEA does not actively modify or enhance the return value (aka objects or attributes) returned by the LDAP server.
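
Added example (not from any poster in this thread and not privacyIDEA code): it builds a search filter that selects the transitive members of one group with OID 1.2.840.113556.1.4.1941, and models on constructed data why the returned memberOf values still list only direct groups. The base filter `(objectClass=person)`, the users alice and bob and the groups Helpdesk, IT and Sales are assumptions made for the illustration.

```python
# Added example: constructed directory data, not taken from the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. "(" becomes \28
        else:
            out.append(ch)
    return "".join(out)

def nested_member_filter(base_filter: str, group_dn: str) -> str:
    """AND a base user filter with a transitive memberOf match on one group."""
    return "(&%s(memberOf:%s:=%s))" % (
        base_filter, IN_CHAIN, escape_filter_value(group_dn))

# Constructed sample: DN -> direct memberOf values, as the server returns them.
MEMBER_OF = {
    "CN=alice,CN=Users,DC=x": ["CN=Helpdesk,OU=groupsOU,DC=x"],
    "CN=bob,CN=Users,DC=x": ["CN=Sales,OU=groupsOU,DC=x"],
    "CN=Helpdesk,OU=groupsOU,DC=x": ["CN=IT,OU=groupsOU,DC=x"],
    "CN=IT,OU=groupsOU,DC=x": ["CN=Group1,OU=groupsOU,DC=x"],
    "CN=Group1,OU=groupsOU,DC=x": ["CN=IT,OU=groupsOU,DC=x"],  # cycle on purpose
}

def transitive_groups(dn: str) -> set:
    """Groups reachable through memberOf: the walk the rule does server-side."""
    seen, stack = set(), list(MEMBER_OF.get(dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:  # guards against circular nesting
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return seen

def users_matching(group_dn: str, in_chain: bool) -> list:
    """Users a memberOf filter would select, with or without the in-chain rule."""
    users = [dn for dn in MEMBER_OF if ",CN=Users," in dn]
    if in_chain:
        return sorted(u for u in users if group_dn in transitive_groups(u))
    return sorted(u for u in users if group_dn in MEMBER_OF[u])

if __name__ == "__main__":
    group = "CN=Group1,OU=groupsOU,DC=x"
    print(nested_member_filter("(objectClass=person)", group))
    print("plain memberOf match:", users_matching(group, in_chain=False))
    print("in-chain match:      ", users_matching(group, in_chain=True))
    print("alice's returned memberOf:", MEMBER_OF["CN=alice,CN=Users,DC=x"])
```

The filter selects alice as a nested member of Group1, yet her returned memberOf attribute still holds only Helpdesk, which is the limitation described in the last reply.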