LDAP Nested Group Membership?

Started by Staj, October 04, 2018, 08:59:40 AM


Staj

Would you please consider adding in nested group membership support for the LDAP Sync feature for Active Directory users?

AD supports Rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) which is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match (Requires DN).

We use it for our LdapSearchFilter already for importing users in nested groups, e.g.:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=ACL-NetXMS-Users,OU=ACL,DC=example,DC=local))

But, of course, this filter alone doesn't help when it comes to user membership of imported groups. Maybe it could be configured as a flag in Server Configuration that changes the group membership behaviour? I think LDAPConnection::updateMembers is responsible and would need to be changed?
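To make the difference between plain `memberOf` and the `LDAP_MATCHING_RULE_IN_CHAIN` match concrete, here is an added example (not code from the thread or from NetXMS) that models the rule's transitive walk over a small constructed directory, including a membership cycle, and builds the filter string quoted above with proper RFC 4515 escaping of the group DN:

```python
from collections import deque
BASE = "DC=example,DC=local"
NETXMS = f"CN=ACL-NetXMS-Users,OU=ACL,{BASE}"
IT = f"CN=IT-Staff,OU=ACL,{BASE}"
HELPDESK = f"CN=Helpdesk,OU=ACL,{BASE}"

# Constructed sample directory (not from the thread): DN -> (kind, direct
# memberOf DNs). Helpdesk -> IT-Staff -> Helpdesk is a deliberate cycle.
DIRECTORY = {
    f"CN=alice,OU=Users,{BASE}": ("user", {HELPDESK}),
    f"CN=bob,OU=Users,{BASE}": ("user", {NETXMS}),
    f"CN=carol,OU=Users,{BASE}": ("user", set()),
    HELPDESK: ("group", {IT}),
    IT: ("group", {NETXMS, HELPDESK}),
    NETXMS: ("group", set()),
}

def direct_member_of(dn, group_dn):
    """Plain (memberOf=group) semantics: only direct membership matches."""
    return group_dn.lower() in {g.lower() for g in DIRECTORY[dn][1]}

def member_of_in_chain(dn, group_dn):
    """(memberOf:1.2.840.113556.1.4.1941:=group) semantics: walk memberOf
    transitively; `seen` stops cycles; AD compares DNs case-insensitively."""
    target, seen = group_dn.lower(), set()
    queue = deque(DIRECTORY[dn][1])
    while queue:
        g = queue.popleft()
        if g.lower() == target:
            return True
        if g.lower() in seen:
            continue
        seen.add(g.lower())
        queue.extend(DIRECTORY.get(g, ("group", set()))[1])
    return False

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def build_chain_filter(group_dn):
    """The user-import filter from the post, with the group DN escaped."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")

def users_in_chain(group_dn):
    """User DNs the chain filter would return for group_dn."""
    return sorted(dn for dn, (kind, _) in DIRECTORY.items()
                  if kind == "user" and member_of_in_chain(dn, group_dn))
```

Note that alice only matches the NetXMS group through two levels of nesting, which is exactly what a plain `memberOf` check misses.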

Tatjana Dubrovica

Currently NetXMS supports "Nested Group" functionality, so I'll just add the same for LDAP sync.

Tatjana Dubrovica

Fixed an issue in nested group sync; mostly it was working before my change.
Read your request again. We advise you to sync all intermediate groups. I have not found an easy way to get all groups, including nested ones, in the response under the "member" attribute. Otherwise it is too big a change.