How do I work with nested groups (AD) in EasyAccess

Last modified on 21 Jan, 2021. Revision 2
This article shows how to construct a search string for nested group membership in EasyAccess against Microsoft AD.
Up to date for: EasyAccess 3.2.0
Status: OK



Configuring the LDAPSearchValve

In this example we have the following AD structure: two groups, group1 and group2, where group2 is a member of group1. The user Stev is a member of group2, and we want to limit login to users who belong to group1. The normal way of doing this without nested groups would be the following LDAP filter:

(&(samAccountName=)(memberof=cn=group1,CN=users,DC=bestdomain,DC=ever))

The problem is that this filter only looks at the direct members of group1, and Stev is not one of them, so the login will fail. In order to search recursively we need the following LDAP filter:

(&(samAccountName=)(memberof:1.2.840.113556.1.4.1941:=cn=group1,CN=users,DC=bestdomain,DC=ever))

Where 1.2.840.113556.1.4.1941 is the OID for LDAP_MATCHING_RULE_IN_CHAIN (also named LDAP_MATCHING_RULE_TRANSITIVE_EVAL), the Active Directory matching rule that evaluates the memberOf chain transitively.


Another scenario could be that you want to limit login to two groups that are members of another group, while a third group that is also a member of that parent group should not get access. For example: Stev is a member of group1, Bob is a member of group2, badguy is a member of group3, and group1, group2 and group3 are all members of group4. We don't want group3 to gain access, so we can't do the search on group4, since it contains a group we don't want to allow access. Here is how you solve that:


(&(sAMAccountName=)(|(memberOf=CN=group1,CN=users,DC=bestdomain,DC=ever)(memberOf=CN=group2,CN=users,DC=bestdomain,DC=ever)))
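The following is an added example, not EasyAccess code or part of the original article. It models both scenarios above in a small in-memory directory (constructed data using the article's DNs) and shows the difference between what a plain memberOf filter evaluates (direct membership only) and what the 1.2.840.113556.1.4.1941 matching rule evaluates (the whole memberOf chain), including why searching group4 in the second scenario would also let badguy in. It also builds the article's filter strings and escapes the username value per RFC 4515, since the sAMAccountName value is spliced into the filter from the login form. The functions, the SCENARIO1/SCENARIO2 data and the user list are assumptions made for the example.

```python
"""Direct vs. transitive (LDAP_MATCHING_RULE_IN_CHAIN) group evaluation.

Constructed in-memory model of the two AD layouts in the article.
Not real directory data and not EasyAccess code.
"""
from collections import deque
from typing import Dict, List, Set

BASE = "CN=users,DC=bestdomain,DC=ever"
# Matching-rule OID from the article (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def group_dn(name: str) -> str:
    return f"CN={name},{BASE}"


GROUPS = {group_dn(n) for n in ("group1", "group2", "group3", "group4")}

# Each entry maps an object's DN to the DNs it is a *direct* member of,
# i.e. the object's own memberOf attribute values.
# Scenario 1: group2 is nested in group1, Stev is a direct member of group2.
SCENARIO1: Dict[str, Set[str]] = {
    f"CN=Stev,{BASE}": {group_dn("group2")},
    group_dn("group2"): {group_dn("group1")},
    group_dn("group1"): set(),
}

# Scenario 2: group1, group2 and group3 are all nested in group4.
SCENARIO2: Dict[str, Set[str]] = {
    f"CN=Stev,{BASE}": {group_dn("group1")},
    f"CN=Bob,{BASE}": {group_dn("group2")},
    f"CN=badguy,{BASE}": {group_dn("group3")},
    group_dn("group1"): {group_dn("group4")},
    group_dn("group2"): {group_dn("group4")},
    group_dn("group3"): {group_dn("group4")},
    group_dn("group4"): set(),
}


def direct_member(directory: Dict[str, Set[str]], dn: str, group: str) -> bool:
    """What a plain (memberOf=<group>) term evaluates: only direct membership."""
    return group in directory.get(dn, set())


def transitive_member(directory: Dict[str, Set[str]], dn: str, group: str) -> bool:
    """What (memberOf:1.2.840.113556.1.4.1941:=<group>) evaluates: walk the
    memberOf chain breadth-first. The visited set guards against circular
    nesting, which AD permits."""
    seen: Set[str] = set()
    queue = deque([dn])
    while queue:
        current = queue.popleft()
        for parent in directory.get(current, set()):
            if parent == group:
                return True
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return False


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, e.g. the username
    substituted into sAMAccountName=. Without it, '*' or ')' in the input
    would change the filter's structure instead of being matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(username: str, groups: List[str], transitive: bool) -> str:
    """Build the filter shape used in the article; several groups are OR'ed."""
    attr = f"memberOf:{IN_CHAIN}:" if transitive else "memberOf"
    terms = "".join(f"({attr}={g})" for g in groups)
    if len(groups) > 1:
        terms = f"(|{terms})"
    return f"(&(sAMAccountName={escape_filter_value(username)}){terms})"


def who_may_log_in(directory: Dict[str, Set[str]], groups: List[str],
                   transitive: bool) -> List[str]:
    """User DNs (non-group objects) that the filter's group terms would match."""
    check = transitive_member if transitive else direct_member
    users = [dn for dn in directory if dn not in GROUPS]
    return sorted(u for u in users if any(check(directory, u, g) for g in groups))


if __name__ == "__main__":
    stev = f"CN=Stev,{BASE}"
    print("Scenario 1, plain memberOf:     ", direct_member(SCENARIO1, stev, group_dn("group1")))
    print("Scenario 1, IN_CHAIN rule:      ", transitive_member(SCENARIO1, stev, group_dn("group1")))
    print("Scenario 2, search group4:      ", who_may_log_in(SCENARIO2, [group_dn("group4")], True))
    print("Scenario 2, OR of group1/group2:", who_may_log_in(SCENARIO2, [group_dn("group1"), group_dn("group2")], False))
    print(build_filter("stev", [group_dn("group1")], True))
```

One caveat when relying on memberOf in a real AD: a user's primary group (by default Domain Users) is stored in primaryGroupID rather than in memberOf, so a filter on memberOf, transitive or not, never matches it; do not use the primary group as the access-granting group.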
