Question

Is there a way to construct an LDAP search string that would return all groups that have more than one parent group? I have searched and searched Google, and perhaps this can't be done, or perhaps I am just not looking for the right thing, but it seems like I should be able to do this.

What I am trying to solve: We have a batch application that maintains an organizational hierarchy of groups. In our hierarchy, a group can only have one parent "org" group. It can have any number of non-Org parent groups, just not Organizational unit groups. Orgs are identified by a CN that consists of 8 separate numbers within a very specific range, let's say 1000 to 1001 for sake of argument, where 10000000 is the "Base" Org unit. An Org can only be a child of one other Org, but can have other parent groups that are not Org units.

The problem is that someone, in their infinite wisdom, has gone out and broken the cardinal rule that an Org group should have one and only one Org parent. Now I have to update the batch program to handle and correct it. But, first, I need to know how to find these.

My thought is something like this:

(&(objectClass=group)(count(members) > 2))

Where count is some aggregate function that returns the number of members a group might have. Or, maybe some way to return all groups that have more than one memberOf?

Solution

LDAP has no aggregate function to determine the number of members. Some LDAP implementations may have added features for aggregation, but AFAIK, Microsoft Active Directory does not.

You could move your baseDN to a higher point to encompass all the possible OUs in which there are groups or even root. As you tagged the question as Microsoft Active Directory, you may then need to chase referrals.

I was not able to determine if Microsoft Active Directory supports extensible matching for DNs which would allow matching only within two or more containers. If Microsoft Active Directory does, then a filter similar to: (&(|(ou:dn:=groups)(ou:dn:=groups2))(objectclass=groups)) might work.

-jim
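Since the filter language cannot count values, the practical approach is to let the server narrow the result set (groups that have at least one memberOf) and do the counting client-side. The following is an added example, not code from either poster; it assumes the entries have already been fetched as dicts with a "dn" and a "memberOf" list (the shape most Python LDAP clients return), and the DNs below are constructed sample data, not real directory content. The 8-digit CN rule for Org groups comes from the question; the exact numeric range is left as a placeholder check.

```python
import re
from typing import Dict, List, Optional

# Server-side pre-filter: the directory cannot count, but it can restrict the
# result to groups that belong to at least one other group. memberOf is a
# back-link attribute in Active Directory and is searchable.
CANDIDATE_FILTER = "(&(objectClass=group)(memberOf=*))"
REQUESTED_ATTRS = ["memberOf"]

# Org groups are identified by a CN of exactly 8 digits (the question's rule).
ORG_CN = re.compile(r"^CN=(\d{8}),", re.IGNORECASE)


def org_cn(dn: str) -> Optional[str]:
    """Return the 8-digit Org CN if `dn` names an Org group, else None."""
    m = ORG_CN.match(dn)
    return m.group(1) if m else None


def find_multi_parent_orgs(entries: List[dict]) -> Dict[str, List[str]]:
    """Given search results (each {'dn': str, 'memberOf': [str, ...]}),
    return {org_dn: [org_parent_dn, ...]} for every Org group that is a
    member of more than one Org group. Non-Org parents are ignored, since
    the question allows any number of those."""
    violations: Dict[str, List[str]] = {}
    for entry in entries:
        if org_cn(entry["dn"]) is None:
            continue  # only Org groups are subject to the one-Org-parent rule
        org_parents = [p for p in entry.get("memberOf", []) if org_cn(p) is not None]
        if len(org_parents) > 1:
            violations[entry["dn"]] = sorted(org_parents)
    return violations


# Constructed sample results, as if returned for CANDIDATE_FILTER.
SAMPLE_ENTRIES = [
    # Org with one Org parent (the base) and one non-Org parent: allowed.
    {"dn": "CN=10000001,OU=Orgs,DC=example,DC=com",
     "memberOf": ["CN=10000000,OU=Orgs,DC=example,DC=com",
                  "CN=Auditors,OU=Groups,DC=example,DC=com"]},
    # Org with two Org parents: the broken case the question wants to find.
    {"dn": "CN=10000003,OU=Orgs,DC=example,DC=com",
     "memberOf": ["CN=10000001,OU=Orgs,DC=example,DC=com",
                  "CN=10000000,OU=Orgs,DC=example,DC=com",
                  "CN=Admins,OU=Groups,DC=example,DC=com"]},
    # Non-Org group nested under two Orgs: not an Org, so not a violation.
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=com",
     "memberOf": ["CN=10000000,OU=Orgs,DC=example,DC=com",
                  "CN=10000001,OU=Orgs,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for dn, parents in find_multi_parent_orgs(SAMPLE_ENTRIES).items():
        print(f"{dn} has {len(parents)} Org parents: {parents}")
```

When running this against a live directory, page the search (AD caps results at 1000 per page by default) and request only memberOf to keep the transfer small; the counting itself is unaffected by which client library produced the entries.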

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow