2 Replies Latest reply on May 14, 2007 12:17 PM by Cheese_Man

    CFLDAP: recursive group membership?

      Does anyone know of a way to have CFLDAP return ALL the groups a user is a member of? By default, it only returns direct group membership ... e.g. if John is a member of A and group C, and group C is a member of group B, then John should show up as a member of group A, B & C ... yet he will not, his memberOf attribute will only show membership for A and C where he is a direct member!

      Obviously, you could use CFLOOP etc. to generate your own recursion, but that would be extremely inefficient in a large company such as ours (i.e. lots of groups and groups in groups).

      Another option I've read a little about is to use the "tokenGroups" attribute which can apparently be parsed into the SIDs of the different groups a user is a member of ... but I have been unable to get CFLDAP to return that attribute!!

      Any help much appreciated - thank you.
        • 1. Re: CFLDAP: recursive group membership?
          If you have this solution please share! I am stuck with the same problem.

          My goal is to see if a user is part of a security group called DMS_Reset. The issue is that OU=Information Technology and OU=Public Works are members of the DMS_Reset_Group, not users added, just OUs.

          The OU=Information Technology will show as part of the memberOf but that doesn't help....

          • 2. Re: CFLDAP: recursive group membership?
            Cheese_Man Level 1
            I can't recall my exact solution but it was essentially a workaround rather than a solution. From what I could gather, this is an LDAP issue or a MSFT implementation of LDAP issue such that recursive membership is not an option when searching.

            I think what I did was store a lookup in SQL Server or something hokey like that! I know I considered replicating the group membership in SQL Server (where it would be easy to write a query to include recursion) but decided against it in the end.
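
For the tokenGroups route raised in the original question, the values come back as binary SIDs that have to be decoded before they can be compared or looked up. The following is an added example, not code from any poster in this thread: it decodes the Windows binary SID layout, builds the RFC 4515 `objectSid` filter for resolving a SID to its group, and checks membership. The function names, the domain SID and the RIDs are constructed for illustration.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # Windows limit on sub-authorities in one SID

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (a tokenGroups or objectSid value) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the sample values."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a string SID")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)])
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def sid_filter(raw: bytes) -> str:
    """RFC 4515 search filter matching the object that owns this SID."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in raw) + ")"

def in_group(token_groups, group_sid: str) -> bool:
    """True if group_sid is among the decoded tokenGroups values."""
    return group_sid in {sid_to_string(v) for v in token_groups}

# Constructed sample: John's tokenGroups for groups A, B and C.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
TOKEN_GROUPS = [string_to_sid(f"{DOMAIN}-{rid}") for rid in (1105, 1106, 1107)]

if __name__ == "__main__":
    for value in TOKEN_GROUPS:
        print(sid_to_string(value), sid_filter(value))
    print("member of B:", in_group(TOKEN_GROUPS, f"{DOMAIN}-1106"))
```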