Active Directory: Bug in LDAP_MATCHING_RULE_IN_CHAIN-Abfrage?

It seems that there is a bug in Active Directory (AD) in the query capabilities offered by LDAP_MATCHING_RULE_IN_CHAIN. This matching rule is supposed to resolve nested groups recursively and return every user who is a member. A blog reader contacted me about this and described the bug, but could not verify it any further because he has no second AD available for testing. I am posting it here; perhaps other administrators can confirm it.



Blog reader Marco Di Feo contacted me by mail on April 21, 2023 to inform me about the problem and wrote in this context:

Good day Mr. Born,

as a big fan of your site I wanted to thank you for your excellently researched content. Time and time again we have quickly found important and helpful information there to solve problems in our environment.

As a large company we have already found one or two bugs which we have escalated to Microsoft. Now we may have found another bug, but I can't verify it due to a missing additional AD, and I have already tipped off Microsoft.

It is about the LDAP_MATCHING_RULE_IN_CHAIN query option which recursively resolves groups into groups and finds all users who are members.

This works quite well, however it seems to have problems with users who once had a time based group membership. These show up in the result of the query as well, like normal users, although they should not be members of the group anymore.
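For readers who want to check the observation in their own environment, here is an added example (not code from the original post or from Marco Di Feo's blog). It asks the domain controller for the transitive members of a group via the matching rule OID 1.2.840.113556.1.4.1941, then walks the group's `member` attribute recursively itself and reports every account that only the matching rule returns. The script assumes the ActiveDirectory PowerShell module on a domain-joined host, and that `$GroupName` is the sAMAccountName of an existing group.

```powershell
# Added example, not code from the original post or from Marco Di Feo's blog.
# Cross-checks the LDAP_MATCHING_RULE_IN_CHAIN result for a group against a
# manual recursive expansion of the group's member attribute. Accounts that the
# matching rule returns but that no current member link leads to are the
# candidates for the reported stale time-based memberships.
# Assumptions: ActiveDirectory module available, domain-joined host,
# $GroupName is the sAMAccountName of an existing group.
param(
    [Parameter(Mandatory)] [string] $GroupName
)

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string] $Value)
    # RFC 4515 escaping of the characters that are special inside a filter value;
    # the backslash is replaced first so the later escapes are not double-encoded
    return ($Value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29')
}

function Get-ChainMembers {
    param([string] $GroupDn)
    # Let the DC walk the nesting: matching rule 1.2.840.113556.1.4.1941 on memberOf
    $escaped = ConvertTo-LdapFilterValue $GroupDn
    $filter  = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$escaped))"
    return @(Get-ADUser -LDAPFilter $filter | ForEach-Object { $_.DistinguishedName })
}

function Get-ExpandedMembers {
    param(
        [string] $GroupDn,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new(),
        [System.Collections.Generic.HashSet[string]] $Users   = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Walk the member attribute ourselves; Visited stops cycles (A nested in B, B nested in A)
    if ($Visited.Add($GroupDn)) {
        $group = Get-ADGroup -Identity $GroupDn -Properties member
        foreach ($dn in $group.member) {
            $obj = Get-ADObject -Identity $dn
            switch ($obj.ObjectClass) {
                'group' { [void](Get-ExpandedMembers -GroupDn $dn -Visited $Visited -Users $Users) }
                { $_ -in @('user', 'inetOrgPerson') } { [void]$Users.Add($dn) }
            }
        }
    }
    return $Users
}

$groupDn   = (Get-ADGroup -Identity $GroupName).DistinguishedName
$fromChain = [System.Collections.Generic.HashSet[string]]::new([string[]](Get-ChainMembers -GroupDn $groupDn))
$fromWalk  = Get-ExpandedMembers -GroupDn $groupDn

# Only the matching rule knows about these: no current member link reaches them
$stale   = @($fromChain | Where-Object { -not $fromWalk.Contains($_) })
# Only the manual walk finds these: would indicate the opposite problem
$missing = @($fromWalk  | Where-Object { -not $fromChain.Contains($_) })

"Group:                         $groupDn"
"Matching-rule members:         $($fromChain.Count)"
"Recursively expanded members:  $($fromWalk.Count)"
"Returned by the matching rule but not reachable via member: $($stale.Count)"
$stale   | ForEach-Object { "  STALE?   $_" }
$missing | ForEach-Object { "  MISSING? $_" }
```

Run it as `.\Compare-GroupMembership.ps1 -GroupName <group>` (the file name is the author's choice here). Expired time-based (TTL) links are no longer returned in the `member` attribute, so the manual walk reflects current membership; any DN listed under `STALE?` is exactly the kind of account the report above describes and is worth checking against the group's membership history before concluding it is the same behaviour.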

Marco has described the problem in detail in his blog post Active Directory time based group membership and LDAP_MATCHING_RULE_IN_CHAIN bug; the details of the bug can be found there. Marco wrote me about it:

I thought it might be interesting for you. I will update the entry with the results of my case at Microsoft. I thought that if this really is a bug, it would be helpful for others to know about it.

Again, thank you very much for your involvement.

At this point, my question to blog readers who administer AD environments: can you verify and confirm Marco Di Feo's observations?

