INFO: What are Active Directory Recursive Queries?

In Windows Server 2003 Service Pack 2 and Windows Server 2007 Microsoft have added a new LDAP query matching rule for linked-value DN syntax attributes, currently known as a recursive query. The idea behind such a query is that it simplifies chasing nested links. The matching rule is invoked by placing its OID between a starting and an ending colon after the attribute name, just as the bitwise AND and OR matching rules are. This means that a recursive query takes the format of:
:1.2.840.113556.1.4.1941:=
For example, to use a recursive query to ascertain whether or not a user is a member of a group, you would use the following syntax:
(member:1.2.840.113556.1.4.1941:=cn=administrator, cn=users, dc=test-lab, dc=com)

Note. Spaces have been used within the DN for readability purposes. That query is a single line.

What are the benefits of this?

This is best explained with an example. Consider the following scenario.

Suppose you have a global group that is a member of a domain local group and the domain local group is used to grant access to some securable object. User objects are direct members of the global group, as well as members of another global group nested into the first global group.

You need to find out what user (and inetOrgPerson) objects have access to the secured object in question. Normally you would have to query the member attribute of the domain local group, then query the member attribute of each global group that is a member of that group, and any groups that are members of those groups, and so on. A recursive query does this for you. To get a list of all members of the domain local group, whether direct or indirect (nested), you would run the following query against a suitable base container, e.g. the parent container of your user objects or, as in this case, the parent of the parent:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=dlg01, ou=groups, dc=domain-name, dc=com))

Running the query via LDP


***Searching...
ldap_search_s(ld, "OU=South,OU=People,DC=longhorn,DC=com", 2, "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Local 01,ou=groups,dc=longhorn,dc=com))", attrList, 0, &msg)
Getting 3 entries:
Dn: CN=Homer Simpson,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/Homer Simpson;
memberOf: CN=Global 02,OU=Groups,DC=longhorn,DC=com;
name: Homer Simpson;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;

Dn: CN=Dirk Pitt,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/Dirk Pitt;
memberOf: CN=Universal 02,OU=Groups,DC=longhorn,DC=com;
name: Dirk Pitt;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;

Dn: CN=James Bond,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/James Bond;
memberOf: CN=Universal 02,OU=Groups,DC=longhorn,DC=com;
name: James Bond;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;

Note. Recursive queries aren't limited to groups. They work on any linked-value DN syntax attribute. The member/memberOf linked-value pair is simply one of the most familiar and therefore easier to relate to.
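The following is an added example and not part of the original article. It builds the recursive filter shown above with RFC 4515 escaping (so a DN containing parentheses or asterisks cannot break the filter), and then walks a small constructed in-memory directory to show what the matching rule saves you from writing by hand: the nested-link expansion, including the circular nesting that a naive recursive walk would loop on. The group and user DNs are constructed to mirror the scenario above; the walk illustrates what the rule effectively computes, not the domain controller's internal implementation.

```python
# Added example, not from the original article: builds the article's recursive
# filter with RFC 4515 escaping, then replays over a constructed in-memory
# directory the nested-link walk the :1.2.840.113556.1.4.1941: rule performs for you.

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def nested_member_filter(group_dn: str) -> str:
    """Filter matching users that are direct or nested members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")

# Constructed sample data mirroring the article's scenario: a domain local group
# holds one global group, which holds users plus a second global group. Global 02
# also nests Global 01 back: AD permits such circular nesting, and a naive
# recursive walk would loop on it forever.
DLG = "cn=dlg01,ou=groups,dc=domain-name,dc=com"
GG1 = "cn=Global 01,ou=groups,dc=domain-name,dc=com"
GG2 = "cn=Global 02,ou=groups,dc=domain-name,dc=com"
USERS = [f"cn={n},ou=people,dc=domain-name,dc=com"
         for n in ("Homer Simpson", "Dirk Pitt", "James Bond")]
DIRECTORY = {                 # group DN -> its direct 'member' values
    DLG: [GG1],
    GG1: [USERS[0], GG2],
    GG2: [USERS[1], USERS[2], GG1],
}

def direct_user_members(directory: dict, group_dn: str) -> set:
    """What a plain (member=...) query of one group sees: directly linked users only."""
    return {m for m in directory.get(group_dn, []) if m not in directory}

def transitive_user_members(directory: dict, group_dn: str) -> set:
    """Chase member links through nested groups; the 'seen' set makes cycles safe.
    Real AD DN comparison is case-insensitive; this sample keeps one casing."""
    seen, stack, users = set(), [group_dn], set()
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:   # a group: follow the link
                stack.append(member)
            else:                     # a leaf (user/inetOrgPerson) object
                users.add(member)
    return users
```

Against the sample data the domain local group has no direct user members at all, while the transitive walk returns all three users, which is exactly the difference between a plain member query and the recursive one.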


Limitations

Recursive queries are only performed within the local Directory Information Table (DIT) of the domain controller performing the query.


Document information


Author: Paul Williams
Version: 1.0.0
Written: 05-10-2006

Last updated: 05-10-2006
Last updated by: Paul Williams
