Tags: active-directory, nested-groups

Active Directory search query for nested groups with wildcard pattern in search filter


I am trying to allow the users from nested groups in Active Directory to log in to my Spring Boot/Security based application. I have figured out how to provide the search query through the spring-security configuration, but I am having trouble with the search query itself.

Here is the search query that is currently working as expected:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))

This is working as expected, as user1 belongs to parent_group1 or one of its subgroups. But I have more than one parent_group, with a constant prefix. So I am trying to provide a wildcard in that query as CN=parent_group*, but it's not working.

I have seen a variation here where each parent_group can be added with an OR like this:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
   (|(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group2,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group3,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)))

And this works too. But the problem with this is that every time a new parent group is added, this needs to be updated. I have gone through the link specified in the answer to the above question, but nothing from there works.

Ideally, I was hoping something like this would work (wildcard pattern for parent_group):

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))

But it's not working. It doesn't return any results. Can someone help me if there is a better way of doing this?

Also, is it possible not to mention the entire hierarchy like this? CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local

I have been researching this for a couple of days now and have gone through most of the articles available online or on SO, but nothing with a wildcard pattern in the chain matching rule works so far.


Solution

  • It is not possible to do what you describe. You'd be well served by having one parent group which all your "other" parent groups are nested in. Any time a new parent group is created, you would nest it in your master group so that it's granted access. This is a pretty common model.
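Following the answer's advice (one master group that every parent group is nested in), here is an added example, not code from the question, the answer or Spring Security, that builds the chain filter used above in Python with RFC 4515 escaping, so a userPrincipalName taken from a login form cannot alter the filter's structure. The matching-rule OID and attribute names are those from the question; the group DNs are constructed samples.

```python
# LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the question's memberOf filter.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters \\ * ( ) and NUL are replaced by \\XX hex escapes, so a
    value such as 'x*)(objectClass=*' can no longer inject extra clauses.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_member_filter(upn: str, group_dns: list) -> str:
    """Build (&(objectCategory=Person)(userPrincipalName=UPN)<group test>).

    With a single DN (the master-group model the answer recommends) the
    group test is one memberOf:IN_CHAIN clause; with several DNs the
    clauses are OR-ed with (|...), exactly like the question's second filter.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [f"(memberOf:{IN_CHAIN}:={escape_filter_value(dn)})" for dn in group_dns]
    group_part = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return (
        f"(&(objectCategory=Person)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"{group_part})"
    )


def is_balanced(ldap_filter: str) -> bool:
    """Sanity check that every '(' in a filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample: one master group, as the answer suggests.
    master = "CN=master_group,OU=Groups,OU=Company,DC=Company-Domain,DC=local"
    print(nested_member_filter("user1@domain.local", [master]))
```

A UPN containing `*`, `(` or `)` is hex-escaped rather than rejected, so the search simply matches nothing instead of matching the wrong users.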