pythonpython-3.xldapldap3

Can't use Python ldap3 to get recursive users of an LDAP group


I am using Python3 ldap3 library to query my entreprise's LDAP (AD).

Querying groups and group members works fine, excepted when I try to use extensible matching rule "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) for recursive groups members querying.

Doing so gets me the following error everytime:

 ldap3.core.exceptions.LDAPAttributeError: invalid attribute ExtensibleMatch:
 matchingRule

Here is the code I am using:

import ldap3
s = ldap3.Server(host="<ldapServerAddress>", port=636, use_ssl=True, get_info=ldap3.ALL)
c = ldap3.Connection(s, user='<user>', password='<password>', client_strategy="SYNC", read_only=True)
c.bind()
base = '<baseDC>'

# Get "MYGROUP" distinguished name
c.search(search_base=base, search_filter="(sAMAccountName=MYGROUP)", attributes=["distinguishedName"])
dj_son = json.loads(c.response_to_json())
distinguished_name = dj_son["entries"][0]["attributes"]["distinguishedName"]

# Works fine
c.search(base, '(&(objectclass=user)(memberOf={}))'.format(distinguished_name), attributes=["sAMAccountName"])

# Raises an error "LDAPAttributeError: invalid attribute ExtensibleMatch: matchingRule"
c.search(base, '(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:={}))'.format(distinguished_name), attributes=["sAMAccountName"])

Can you guys spot any error?

Thanks for your help :-)


Solution

  • Finally found the source of the problem:

    When using the extensive matching rule LDAP_MATCHING_RULE_IN_CHAIN, the LDAP server address must match the search base (no subdomain).

    I was actually searching for an object in "subdomain.domain.com" and the LDAP server was set to "domain.com".

    To make it work: