LDAP nested search for Microsoft Active Directory does not work correctly
SCIM LDAP Nested search for Microsoft Active Directory is not working properly.
Symptoms
Not all users that match the search query are returned in the search result.
Run these queries to verify whether the nested search is returning correct results.
LDAP queries
1. Run an LDAP query to search all nested users that belong to a group. The filter uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which Active Directory evaluates transitively through every level of group nesting:
   memberOf:1.2.840.113556.1.4.1941:=<group dn>
   Use the following syntax:
   ldapsearch -x -H ldap://ip:389 -b <LDAP_BASEDN> -D <LDAP_BINDDN> -w <LDAP_BINDPASSWORD> -s sub "(&(memberOf:1.2.840.113556.1.4.1941:=<group dn>)(objectcategory=user))"
   Following is an example of the command with sample values:
   ldapsearch -x -H ldap://1.2.3.4:389 -b dc=ibm,dc=com -D cn=root -w password -s sub "(&(memberOf:1.2.840.113556.1.4.1941:=cn=Icpgroup1,cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com)(objectcategory=user))"
   Note: a plain ldap:// connection sends the bind password to the directory in cleartext. Outside of a test network, use ldaps:// or StartTLS (ldapsearch -ZZ) and prefer -W (prompt for the password) over -w so that the password does not appear in the process list or shell history.
2. Run an LDAP query to search all nested groups that a user belongs to. The matching rule must be followed by := (the original page omitted the = sign, which makes the filter syntactically invalid):
   (member:1.2.840.113556.1.4.1941:=<user dn>)
   Use the following syntax:
   ldapsearch -x -H ldap://ip:389 -b <LDAP_BASEDN> -D <LDAP_BINDDN> -w <LDAP_BINDPASSWORD> -s sub "(&(member:1.2.840.113556.1.4.1941:=<user dn>)(objectcategory=group))"
   Here is an example of the command with sample values:
   ldapsearch -x -H ldap://1.2.3.4:389 -b dc=ibm,dc=com -D cn=root -w password -s sub "(&(member:1.2.840.113556.1.4.1941:=uid=icpuser1,ou=people,dc=ibm,dc=com)(objectcategory=group))"
SCIM queries
1. Run a SCIM query to get all nested users that belong to a group.
   Use the following API:
   curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Accept: application/json" "$BCS_URL/idmgmt/identity/api/v1/scim/groups/$GROUP_ID" | jq -r '.members'
   See the following example request:
   curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Accept: application/json" "$BCS_URL/idmgmt/identity/api/v1/scim/groups/cn=Icpgroup1,cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com" | jq -r '.members'
2. Run a SCIM query to get all nested groups that a user belongs to.
   Use the following API:
   curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Accept: application/json" "$BCS_URL/idmgmt/identity/api/v1/scim/users/$USER_ID" | jq -r '.groups'
   See the following example request:
   curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Accept: application/json" "$BCS_URL/idmgmt/identity/api/v1/scim/users/uid=icpuser1,ou=people,dc=ibm,dc=com" | jq -r '.groups'
   (The user lookup goes to the /scim/users/ path, matching the syntax above; the original example mistakenly used /scim/groups/ with a user DN.)
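The LDAP and SCIM queries above answer the same question from two sides: which users the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walk reaches from a group, and which groups it reaches from a user. The following script is an added example, not part of the IBM page or product: it replays that transitive walk over a constructed in-memory copy of the directory (the page's Icpgroup1 and icpuser1 DNs plus a hypothetical Icpgroup2 and icpuser2, with a deliberate Icpgroup1/Icpgroup2 cycle) and then diffs the expected set against a constructed SCIM `.members` array, so that a missing user shows up as a concrete DN rather than as a vague "not all users are returned".

```python
"""Added example (not from the IBM page): resolve nested AD group membership
offline and compare it with what a SCIM endpoint returned.

Active Directory evaluates memberOf:1.2.840.113556.1.4.1941:= and
member:1.2.840.113556.1.4.1941:= transitively. This script performs the same
transitive walk over a constructed directory snapshot so the expected result
can be compared with the SCIM '.members' / '.groups' output.
"""
from collections import deque

# Constructed sample directory. Icpgroup1 and icpuser1 mirror the page's DNs;
# Icpgroup2 and icpuser2 are hypothetical additions to show nesting.
GROUPS_BASE = "cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com"
G1 = f"cn=Icpgroup1,{GROUPS_BASE}"
G2 = f"cn=Icpgroup2,{GROUPS_BASE}"
U1 = "uid=icpuser1,ou=people,dc=ibm,dc=com"
U2 = "uid=icpuser2,ou=people,dc=ibm,dc=com"

DIRECTORY = {
    G1: {"objectCategory": "group", "member": [G2, U1]},
    G2: {"objectCategory": "group", "member": [U2, G1]},  # G1 <-> G2 cycle on purpose
    U1: {"objectCategory": "user", "member": []},
    U2: {"objectCategory": "user", "member": []},
}


def _walk(start_dn, neighbours):
    """Breadth-first transitive closure from start_dn; the seen-set makes it cycle-safe."""
    seen, queue = set(), deque([start_dn])
    while queue:
        dn = queue.popleft()
        for nxt in neighbours(dn):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start_dn)  # an object is not its own nested member
    return seen


def _category(directory, dn):
    return directory.get(dn, {}).get("objectCategory")


def nested_users_of_group(directory, group_dn):
    """Offline equivalent of (&(memberOf:1.2.840.113556.1.4.1941:=group_dn)(objectcategory=user))."""
    closure = _walk(group_dn, lambda dn: directory.get(dn, {}).get("member", []))
    return {dn for dn in closure if _category(directory, dn) == "user"}


def nested_groups_of_user(directory, user_dn):
    """Offline equivalent of (&(member:1.2.840.113556.1.4.1941:=user_dn)(objectcategory=group))."""
    # memberOf is AD's back-link of member, so derive it by scanning member lists.
    def parents(dn):
        return [g for g, attrs in directory.items() if dn in attrs.get("member", [])]
    closure = _walk(user_dn, parents)
    return {dn for dn in closure if _category(directory, dn) == "group"}


def missing_from_scim(expected_dns, scim_entries):
    """DNs the LDAP walk expects that the SCIM '.members' / '.groups' array does not contain.

    SCIM member/group entries carry the referenced object in their 'value' field.
    """
    returned = {entry["value"] for entry in scim_entries}
    return sorted(expected_dns - returned)


if __name__ == "__main__":
    # Constructed stand-in for `... | jq -r '.members'` on Icpgroup1: icpuser2 is absent,
    # which is exactly the symptom the page describes.
    scim_members = [{"value": U1, "display": "icpuser1"}]
    expected = nested_users_of_group(DIRECTORY, G1)
    print("LDAP nested users :", sorted(expected))
    print("missing in SCIM   :", missing_from_scim(expected, scim_members))
    print("groups of icpuser2:", sorted(nested_groups_of_user(DIRECTORY, U2)))
```

To use this against a real directory, replace DIRECTORY with entries exported by the ldapsearch commands above (DN, objectCategory, member) and feed the parsed JSON from the curl command into missing_from_scim. If the script's walk and the live memberOf:1.2.840.113556.1.4.1941:= query disagree, the directory data itself is suspect; if they agree but SCIM is short, the SCIM side is the one to troubleshoot.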
Cause
Your LDAP directory setup might have problems, or your SCIM configuration might be wrong.
Resolving the problem
For LDAP query issues, check your LDAP directory data setup (group membership attributes and the DNs referenced by member and memberOf).
For SCIM query issues, see the available troubleshooting documents.