Nested LDAP Group Resolution

An LDAP group can include both regular users and pointers to other groups. If a group (group A) is a member of another group (group B), then the users belonging to the member, or nested group (group A), are part of the parent group (group B) as well. Nesting can be very useful when delegating access through inheritance. Many large enterprises have their groups in LDAP/AD nested within other groups.

Resolving nested group memberships for an LDAP user can pose a challenge, as most LDAP servers by default do not match nested groups on the server side. Instead, LDAP client applications are expected to perform multiple searches, iterating through the group's member list until all members are found, or the search has reached a configured depth limit. Microsoft Active Directory LDAP is an exception, and returns nested group members when the search request includes the proper extended match operator.

Ranger Usersync supports nested group lookups for both Active Directory and generic LDAPv3 servers (OpenLDAP, freeIPA, and so on). For more information, see Configuring nested group hierarchies. For other Cloudera services, nested group lookups are typically possible only with Active Directory, with some limitations.
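The client-side iteration described above (repeated searches, a visited set to stop on cyclic nesting, and a configured depth limit) is what a Usersync-style client must do against a generic LDAPv3 server that does not evaluate nested membership itself. The following is an added illustration, not Cloudera's or Ranger's code. The directory it walks is a constructed in-memory stand-in for LDAP search results: `search_groups_containing` plays the role of a `(member=<dn>)` search and `search_group_members` the role of reading a group's `member` attribute; the group and user DNs are made up for the example.

```python
"""Client-side nested group resolution for a generic LDAPv3 server.

Added example; the directory below is constructed sample data, not a real
server. Each hop in the loops corresponds to one LDAP search that a client
would issue (server-side chain matching is not available here).
"""
from collections import deque

# Constructed sample directory: group DN -> values of its 'member' attribute.
# groupA is nested in groupB, groupB in groupC, and groupC back in groupA,
# so the nesting is cyclic and a naive walk would never terminate.
DIRECTORY = {
    "cn=groupA,ou=Groups,dc=example,dc=com": [
        "uid=alice,ou=People,dc=example,dc=com",
        "cn=groupC,ou=Groups,dc=example,dc=com",
    ],
    "cn=groupB,ou=Groups,dc=example,dc=com": [
        "uid=bob,ou=People,dc=example,dc=com",
        "cn=groupA,ou=Groups,dc=example,dc=com",
    ],
    "cn=groupC,ou=Groups,dc=example,dc=com": [
        "cn=groupB,ou=Groups,dc=example,dc=com",
    ],
}


def search_groups_containing(directory, dn):
    """Stand-in for the LDAP search (member=<dn>): groups listing dn directly."""
    return [g for g, members in directory.items() if dn in members]


def search_group_members(directory, group_dn):
    """Stand-in for reading the 'member' attribute of one group entry."""
    return list(directory.get(group_dn, []))


def groups_of_user(directory, user_dn, max_depth=5):
    """All groups the user belongs to, directly or through nesting (walking up).

    max_depth bounds how many nesting levels are followed: 0 returns only the
    groups that list the user directly. The visited set guarantees termination
    on cyclic nesting such as groupA -> groupB -> groupC -> groupA.
    """
    found = set()
    visited = {user_dn}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth > max_depth:
            continue  # depth limit reached; do not search further up
        for group_dn in search_groups_containing(directory, dn):
            if group_dn in visited:
                continue
            visited.add(group_dn)
            found.add(group_dn)
            queue.append((group_dn, depth + 1))
    return found


def members_of_group(directory, group_dn, max_depth=5):
    """All user DNs in the group, expanding nested groups (walking down).

    A member DN that is itself a group entry is expanded; anything else is
    treated as a user. A real client would check objectClass instead of
    membership in the in-memory dict.
    """
    users = set()
    visited = {group_dn}
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth > max_depth:
            continue
        for member in search_group_members(directory, dn):
            if member in directory:  # nested group: expand it once
                if member not in visited:
                    visited.add(member)
                    queue.append((member, depth + 1))
            else:
                users.add(member)
    return users


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print(sorted(groups_of_user(DIRECTORY, alice)))
    print(sorted(members_of_group(DIRECTORY, "cn=groupC,ou=Groups,dc=example,dc=com")))
```

The depth limit is what a configured nesting level maps to: lowering it trades completeness for fewer searches, and the visited set is what prevents a cycle in group membership from turning each sync into an endless loop.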
Active Directory LDAP_MATCHING_RULE_IN_CHAIN
By default, Microsoft Active Directory supports the LDAP_MATCHING_RULE_IN_CHAIN extended match operator for the memberOf and member attributes (in User and Group objects, respectively), with OID 1.2.840.113556.1.4.1941. The rule is requested by including the OID in the search filter as an extensible match (attribute:OID:=value), which makes the server evaluate the membership chain transitively instead of matching only direct members.
User Search
Include the LDAP_MATCHING_RULE_IN_CHAIN extension on the memberOf attribute in a User Search Filter (for LDAP authentication) to match only those users who are members of a specific group (for example, group B):
"(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=groupB,ou=Groups,DC=Example,DC=COM))"

This form, when used in a User Search Filter, allows only members of group B, including members of the nested group A, to authenticate.

Group Search
Include the LDAP_MATCHING_RULE_IN_CHAIN extension on the member attribute in a Group Search Filter (for LDAP authorization) to retrieve all groups a user is a member of, including nested groups:
"(&(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={0}))"

This form may be used with services that support the user DN variable token "{0}" (for example, Cloudera Manager) in the LDAP Group Search Filter. If the user is a member of group A, then the group list returned includes both group A and group B.
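Both filters above substitute a caller-controlled value (a login name or a user DN) for the `{0}` token. As an added example, not part of this page or of any Cloudera service, the code below shows the substitution done with RFC 4515 escaping, so a value containing `(`, `)`, `*` or `\` cannot change the structure of the filter, and splits an extensible match assertion into its attribute, matching rule OID and value to make the `attribute:OID:=value` syntax explicit. The filter templates are the two from this page; the user names and DNs are constructed.

```python
"""Rendering the LDAP_MATCHING_RULE_IN_CHAIN filters safely (added example)."""
import re

# Filter templates as shown on the page; {0} is the substitution token.
USER_SEARCH_FILTER = (
    "(&(sAMAccountName={0})"
    "(memberOf:1.2.840.113556.1.4.1941:=CN=groupB,ou=Groups,DC=Example,DC=COM))"
)
GROUP_SEARCH_FILTER = "(&(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={0}))"
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace the {0} token with the escaped value.

    str.replace is used rather than str.format so that nothing else in the
    template is interpreted; only the literal token {0} is substituted.
    """
    return template.replace("{0}", escape_filter_value(value))


def parse_extensible_match(assertion: str):
    """Split 'attribute:OID:=value' into (attribute, oid, value).

    Raises ValueError for assertions that are not extensible matches.
    """
    m = re.fullmatch(r"([A-Za-z][\w-]*):([0-9.]+):=(.*)", assertion)
    if not m:
        raise ValueError(f"not an extensible match assertion: {assertion!r}")
    return m.group(1), m.group(2), m.group(3)


def uses_chain_matching(assertion: str) -> bool:
    """True when the assertion requests the in-chain (transitive) rule."""
    try:
        _, oid, _ = parse_extensible_match(assertion)
    except ValueError:
        return False
    return oid == MATCHING_RULE_IN_CHAIN


if __name__ == "__main__":
    print(render_filter(GROUP_SEARCH_FILTER, "CN=Alice,OU=Users,DC=Example,DC=COM"))
    # A login name that tries to close the assertion early is neutralised:
    print(render_filter(USER_SEARCH_FILTER, "alice)(objectClass=*"))
```

A user search that substitutes the raw login name would let the value above end the `sAMAccountName` assertion and start a new one; escaping keeps the whole string inside the single assertion the administrator configured.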