
CFLDAP: recursive group membership?

New Here, Jun 14, 2006

Does anyone know of a way to have CFLDAP return ALL the groups a user is a member of? By default, it only returns direct group membership ... e.g. if John is a member of A and group C, and group C is a member of group B, then John should show up as a member of group A, B & C ... yet he will not, his memberOf attribute will only show membership for A and C where he is a direct member!

Obviously, you could use CFLOOP etc. to generate your own recursion, but that would be extremely inefficient in a large company such as ours (i.e. lots of groups and groups in groups).

Another option I've read a little about is to use the "tokenGroups" attribute which can apparently be parsed into the SIDs of the different groups a user is a member of ... but I have been unable to get CFLDAP to return that attribute!!

Any help much appreciated - thank you.
Community Beginner, May 11, 2007

If you have this solution please share! I am stuck with the same problem.

My goal is to see if a user is part of a security group called DMS_Reset. The issue is the OU=Information Technology and OU=Public Works are members of the DMS_Reset_Group; not users added, just OUs.

The OU=Information Technology will show as part of the memberOf but that doesn't help...

Thanks

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here, May 14, 2007

I can't recall my exact solution but it was essentially a workaround rather than a solution. From what I could gather, this is an LDAP issue or a MSFT implementation of LDAP issue such that recursive membership is not an option when searching.

I think what I did was store a lookup in SQL Server or something hokey like that! I know I considered replicating the group membership in SQL Server (where it would be easy to write a query to include recursion) but decided against it in the end.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
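The client-side recursion discussed in this thread, as an added example that is not part of any of the posts: it expands memberOf transitively, reads each entry only once, and stops on circular nesting. The DNs, the `sample_lookup` stand-in for a directory read, and the `max_groups` cap are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: DN -> direct memberOf values, as in the question
# (John is in A and C, C is nested in B). B -> C is added circular nesting.
JOHN = "CN=John,OU=Users,DC=example,DC=com"
A = "CN=A,OU=Groups,DC=example,DC=com"
B = "CN=B,OU=Groups,DC=example,DC=com"
C = "CN=C,OU=Groups,DC=example,DC=com"
SAMPLE_MEMBER_OF = {JOHN: [A, C], A: [], C: [B], B: [C]}


def sample_lookup(dn):
    """Hypothetical stand-in for one directory read of an entry's memberOf."""
    return SAMPLE_MEMBER_OF.get(dn, [])


def normalize(dn):
    """Simplified DN comparison key (assumption: case-insensitive match)."""
    return dn.strip().lower()


def effective_groups(dn, lookup, max_groups=10000):
    """Return normalized DNs of all groups reachable from dn via memberOf.

    Each entry is looked up once, so cost is bounded by the number of
    distinct groups reached, and circular nesting cannot loop forever.
    """
    seen = set()
    queue = deque([dn])
    while queue:
        for group in lookup(queue.popleft()):
            key = normalize(group)
            if key in seen:
                continue
            if len(seen) >= max_groups:
                raise RuntimeError("group expansion exceeded max_groups")
            seen.add(key)
            queue.append(group)
    return seen


def is_member(dn, group_dn, lookup):
    """Authorization check; lookup errors propagate so the caller denies."""
    return normalize(group_dn) in effective_groups(dn, lookup)
```

In a real deployment `lookup` would wrap the directory query, and a failed or partial read should result in access being denied rather than treated as "not a member of anything".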