{"id":29422,"date":"2023-04-24T02:22:54","date_gmt":"2023-04-24T00:22:54","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29422"},"modified":"2024-10-05T19:04:03","modified_gmt":"2024-10-05T17:04:03","slug":"active-directory-bug-in-ldap_matching_rule_in_chain-abfrage","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/04\/24\/active-directory-bug-in-ldap_matching_rule_in_chain-abfrage\/","title":{"rendered":"Active Directory: Bug in LDAP_MATCHING_RULE_IN_CHAIN query?"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2023\/04\/24\/active-directory-bug-in-ldap_matching_rule_in_chain-abfrage\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]It seems that there is a bug in Active Directory (AD) regarding queries that use the LDAP_MATCHING_RULE_IN_CHAIN matching rule. This rule is supposed to resolve nested groups recursively and find all users who are members. A blog reader contacted me about this and described the bug, but could not verify it further because he lacks a second AD for testing. I'm posting it here; maybe other administrators can confirm it.<\/p>\n<p><!--more--><\/p>\n<p>Blog reader Marco Di Feo contacted me by mail on April 21, 2023 to inform me about the problem and wrote in this context:<\/p>\n<blockquote><p>Good day Mr. Born,<\/p>\n<p>as a big fan of your site I wanted to thank you for your excellently researched content. 
Time and time again we have found important and helpful information so quickly to solve problems in our environment.<\/p>\n<p>As a large company we have already found one or the other bug which we have escalated to Microsoft. Now we may have found another bug, but I can't verify it due to a missing additional AD and have already tipped off Microsoft.<\/p>\n<p>It is about the LDAP_MATCHING_RULE_IN_CHAIN query option which recursively resolves groups into groups and finds all users who are members.<\/p>\n<p>This works quite well; however, it seems to have problems with users who once had a time-based group membership. These show up in the result of the query as well, like normal users, although they should not be members of the group anymore.<\/p><\/blockquote>\n<p>Marco has described the problem in detail in his blog post Active Directory time based group membership and LDAP_MATCHING_RULE_IN_CHAIN bug; the details of the bug can be found there. Marco wrote me about it:<\/p>\n<blockquote><p>I thought it might be interesting for you. I update the entry with the results of my case at Microsoft. I thought if this was really a bug, it would be helpful for others to know about it.<\/p>\n<p>Again, thank you very much for your involvement.<\/p><\/blockquote>\n<p>At this point, my question to blog readers who administer AD environments: can you verify and confirm Marco Di Feo's observations?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]It seems that there is a bug in Active Directory (AD) regarding queries that use the LDAP_MATCHING_RULE_IN_CHAIN matching rule. This rule is supposed to resolve nested groups recursively and find all users who are members. 
A blog reader contacted me about this and described the bug, &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/04\/24\/active-directory-bug-in-ldap_matching_rule_in_chain-abfrage\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,1547],"tags":[2795,47,159],"class_list":["post-29422","post","type-post","status-publish","format-standard","hentry","category-issue","category-software","tag-ad","tag-issue","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=29422"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29422\/revisions"}],"predecessor-version":[{"id":35732,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29422\/revisions\/35732"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=29422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=29422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=29422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}