AD tokenGroups

Phil Mayers p.mayers at
Fri Oct 11 19:14:36 CEST 2013


I recently discovered that newer versions of AD have a magic attribute 
on user objects, visible via a BASE scope search on the user object, 
called tokenGroups.

This attribute is a list of all the SIDs of all groups the user is a 
member of, including nested groups, and taking account of disabled groups:

$ ldapsearch -h $DC -b 'CN=usern,OU=...' -s base tokenGroups|head -20
dn: CN=usern,OU=...

$ ldapsearch -h $DC -b $B -s sub objectSid=<ldap escaped tokenGroup val>
dn: CN=Users,CN=Builtin,DC=ic,DC=ac,DC=uk
cn: Users

It strikes me that reading this (and translating SIDs to CN) might be a 
useful feature to have in the LDAP module - the SIDs are basically 
static so can be cached internally, so in the long run it's quick, and 
handles the nesting which is nice.

It's plain LDAP, so no weird #defines needed.

If people want I'll knock together a patch (as I have working local code 
from another application that I wrote that reads it). The idea would be 
an ldap config item like this:

ldap {

   # extract LDAP-Group values from AD magic tokenGroups
   # attribute once a user has been found - handles nested
   # and disabled groups
   ad_tokengroups = [no|yes]

   # which attribute of the group is the group "name"
   ad_tokengroup_name = "cn"
}

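The two steps the post describes (read the binary SIDs out of tokenGroups, then resolve each one to a group name with a subtree search on objectSid, caching the answers) as an added worked example. This is illustration code written for this thread, not Phil Mayers' local code and not part of the FreeRADIUS LDAP module; the `FAKE_DIRECTORY` dict and `fake_search` function are constructed stand-ins for a real domain controller, and the domain SIDs in them are made up.

```python
# Added example for the tokenGroups discussion: decode AD binary SIDs, build
# the RFC 4515 filter escape used in the post's second ldapsearch, and resolve
# SIDs to group names through a cache. Not FreeRADIUS code; the directory
# contents below are constructed.
import struct
from typing import Callable, Dict, List


def sid_to_string(sid: bytes) -> str:
    """Convert a binary SID (as found in objectSid / tokenGroups) to S-R-A-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then `count` little-endian uint32 values.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d"
                         % (len(sid), count))
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build constructed sample data."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_escape_binary(value: bytes) -> str:
    """RFC 4515 filter escaping: every byte of a binary value written as \\XX."""
    return "".join("\\%02x" % b for b in value)


def ldap_unescape_binary(text: str) -> bytes:
    """Reverse of ldap_escape_binary (assumes every byte was escaped)."""
    return bytes(int(h, 16) for h in text.split("\\")[1:])


class GroupResolver:
    """Turn a user's tokenGroups values into group names, caching SID -> name.

    `search` plays the role of the post's second ldapsearch: a subtree search
    for (objectSid=<escaped value>) returning the chosen name attribute.
    """

    def __init__(self, search: Callable[[str, str], str], name_attr: str = "cn"):
        self._search = search
        self._name_attr = name_attr          # the ad_tokengroup_name idea
        self._cache: Dict[bytes, str] = {}   # SIDs are stable, so cache by SID
        self.searches = 0                    # directory round trips actually made

    def resolve(self, sid: bytes) -> str:
        if sid not in self._cache:
            self.searches += 1
            ldap_filter = "(objectSid=%s)" % ldap_escape_binary(sid)
            self._cache[sid] = self._search(ldap_filter, self._name_attr)
        return self._cache[sid]

    def group_names(self, token_groups: List[bytes]) -> List[str]:
        return [self.resolve(sid) for sid in token_groups]


# Constructed directory (hypothetical domain SIDs); a real deployment gets
# these entries from the DC, not from a dict.
FAKE_DIRECTORY = {
    "S-1-5-32-545": {"cn": "Users", "sAMAccountName": "Users"},
    "S-1-5-21-1000-2000-3000-513": {"cn": "Domain Users", "sAMAccountName": "Domain Users"},
    "S-1-5-21-1000-2000-3000-1105": {"cn": "VPN Users", "sAMAccountName": "vpn-users"},
}


def fake_search(ldap_filter: str, name_attr: str) -> str:
    """Stand-in for `ldapsearch -s sub objectSid=...`: parse the filter back to a SID."""
    assert ldap_filter.startswith("(objectSid=") and ldap_filter.endswith(")")
    sid = ldap_unescape_binary(ldap_filter[len("(objectSid="):-1])
    return FAKE_DIRECTORY[sid_to_string(sid)][name_attr]


def demo() -> List[str]:
    # Constructed tokenGroups value for one user. The repeated SID shows the
    # cache collapsing two lookups into one directory round trip.
    token_groups = [string_to_sid(s) for s in (
        "S-1-5-21-1000-2000-3000-513", "S-1-5-32-545",
        "S-1-5-21-1000-2000-3000-1105", "S-1-5-32-545")]
    resolver = GroupResolver(fake_search)
    return resolver.group_names(token_groups)


if __name__ == "__main__":
    print(demo())
```

Against a real DC the `search` callable would issue the objectSid subtree search over the existing LDAP connection; everything else (SID decoding, filter escaping, the cache keyed on the raw SID bytes) stays the same, and `name_attr` is the knob the proposed `ad_tokengroup_name` option would set.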
