Nested AD Groups



  • I have a PHP application which uses the Open Source ADLDAP class to authenticate users against Active Directory and check their group memberships to assign particular levels of access within the system.

    It's all worked nicely since September, until Tuesday of this week.  I could still get into the application (I have a higher level of rights on the domain than your average user) but it was hanging and timing out during login for users.  So I set about narrowing down the problem.  Did taking the group check out allow users in?  Yes.  Had something screwed up the ability for the script to recursively check membership of nested groups? Nope. But it works for me and not for users? Yes.

    So I call one of the top level domain admins and ask if his team have been tweaking, because it's looking like a permissions thing and users can't query their own group membership over LDAP any more.  He assures me they haven't, but does a little troubleshooting and checking of his own and draws a blank.  I bodge the login routine to assign user rights in a different, less granular, way.

    Eventually, 2 days later, on a whim I take a look at some of the groups the users are in.  It turns out that for some crazy reason AD allows you to make a group a member of itself.  And somebody (possibly a member of admin/secretarial staff administering a distribution list via Outlook) has managed to do just that with a group that most of the users of the system are members of, but I'm not.  Which meant that the recursive group check function has got into an infinite loop, and floored the login process.   Brillant!
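    A cycle-safe version of the nested group walk described in this post, as an added example that is not from the original post or from the adLDAP library; the directory contents, DNs and the `lookup_member_of` stand-in for the LDAP `memberOf` query are constructed for illustration.

```python
from collections import deque

# Constructed sample directory: each DN maps to the groups it is a direct
# member of (what an LDAP memberOf lookup would return). "Staff" lists
# itself as a member, the situation that hung the login routine.
MEMBER_OF = {
    "CN=alice,OU=Users,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    "CN=Staff,OU=Groups,DC=example,DC=com": [
        "CN=AllUsers,OU=Groups,DC=example,DC=com",
        "CN=Staff,OU=Groups,DC=example,DC=com",  # group is a member of itself
    ],
    "CN=AllUsers,OU=Groups,DC=example,DC=com": ["CN=AppUsers,OU=Groups,DC=example,DC=com"],
    "CN=AppUsers,OU=Groups,DC=example,DC=com": [],
    "CN=bob,OU=Users,DC=example,DC=com": ["CN=Admins,OU=Groups,DC=example,DC=com"],
    "CN=Admins,OU=Groups,DC=example,DC=com": ["CN=AppUsers,OU=Groups,DC=example,DC=com"],
}


def lookup_member_of(dn):
    """Stand-in (hypothetical) for the LDAP query that reads an object's memberOf."""
    return MEMBER_OF.get(dn, [])


def all_groups(user_dn, max_depth=32):
    """Return every group user_dn belongs to, directly or through nesting.

    A visited set means each group is expanded at most once, so a group that
    contains itself (or two groups that contain each other) ends the walk
    instead of recursing forever. max_depth is a second guard so a pathological
    tree still terminates even if the DN strings differ only in case/spacing.
    """
    visited = set()
    queue = deque((group, 1) for group in lookup_member_of(user_dn))
    while queue:
        group, depth = queue.popleft()
        if group in visited or depth > max_depth:
            continue
        visited.add(group)
        queue.extend((parent, depth + 1) for parent in lookup_member_of(group))
    return visited


def is_member(user_dn, group_dn):
    """Access check used to assign application rights."""
    return group_dn in all_groups(user_dn)


def self_referencing_groups(directory):
    """Audit helper: groups that list themselves as a direct member."""
    return sorted(group for group, parents in directory.items() if group in parents)
```

    Running `self_referencing_groups(MEMBER_OF)` as a periodic check would have flagged the offending group before it reached the login path.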



  • @SteveB said:

    It turns out that for some crazy reason AD allows you to make a group a member of itself. 

    Old, well-known one. This feature was introduced for no reason other than to break compatibility with all existing unix/ldap systems, which would otherwise have been able to interoperate seamlessly with windows domains. Took a couple of years for samba to come up with a compatibility layer for it.
