AD tokenGroups

Arran Cudbard-Bell a.cudbardb at
Fri Oct 11 20:17:37 CEST 2013

On 11 Oct 2013, at 18:14, Phil Mayers <p.mayers at> wrote:

> All,
> I recently discovered that newer versions of AD have a magic attribute on user objects, visible via a BASE scope search on the user object, called tokenGroups.
> This attribute is a list of all the SIDs of all groups the user is a member of, including nested groups, and taking account of disabled groups:
> $ ldapsearch -h $DC -b 'CN=usern,OU=...' -s base tokenGroups|head -20
> dn: CN=usern,OU=...

> $ ldapsearch -h $DC -b $B -s sub objectSid=<ldap escaped tokenGroup val>
> dn: CN=Users,CN=Builtin,DC=ic,DC=ac,DC=uk
> cn: Users
> It strikes me that reading this (and translating SIDs to CN) might be a useful feature to have in the LDAP module - the SIDs are basically static so can be cached internally, so in the long run it's quick, and handles the nesting which is nice.
> It's plain LDAP, so no weird #defines needed.
> If people want I'll knock together a patch (as I have working local code from another application that I wrote that reads it). The idea would be an ldap config item like this:

This sounds useful.

I think you probably only need group.use_ad_tokengroup to enable/disable it. As this is another way of resolving a user to their group memberships (the objects are the same), you can re-use group.name_attribute.

For consistency, maybe organise it the same way as the current lookups with dynamic and cacheable functions?

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team
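Added example, not code from this thread or from the FreeRADIUS LDAP module: the tokenGroups values come back as binary SIDs, so a resolver has to decode them to S-1-... form, escape the raw bytes for the objectSid= filter the quoted ldapsearch uses, and (since SIDs are static) cache the SID-to-name mapping. The sample SID bytes and the lookup callable are constructed stand-ins for a real directory search.

```python
import struct

# Constructed sample: binary SID for S-1-5-32-545 (the Builtin "Users" group seen
# in the quoted ldapsearch output). Layout: revision (1 byte), sub-authority
# count (1 byte), 48-bit big-endian identifier authority, then N little-endian
# 32-bit sub-authorities.
SAMPLE_SID = bytes.fromhex("01020000000000052000000021020000")


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (tokenGroups / objectSid value) into S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_filter_escape(raw: bytes) -> str:
    """Escape raw bytes for an RFC 4515 filter assertion: every byte as \\HH."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(raw: bytes) -> str:
    """Filter that finds the group object owning this SID, as in the quoted search."""
    return "(objectSid=%s)" % ldap_filter_escape(raw)


def resolve_group_names(token_groups, lookup, cache):
    """Map each tokenGroups value to a group name, memoising in `cache`.

    `lookup` is a hypothetical callable standing in for the objectSid= search; it
    takes the filter string and returns the group's cn, or None if not found.
    SIDs never change, so the cache can live for the life of the process.
    """
    names = []
    for raw in token_groups:
        key = sid_to_string(raw)
        if key not in cache:
            cache[key] = lookup(objectsid_filter(raw))
        if cache[key] is not None:
            names.append(cache[key])
    return names
```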
