Query on finding the members inside a nested group inside Active Directory

Michael Ströder michael at stroeder.com
Fri Sep 5 11:22:31 CEST 2008


Alex Davies wrote:
> 
> I am trying to query an AD Domain Controller for some information, and
> i'd like to do this without having to install the win32 and AD libraries
> for Python.

So you want to use python-ldap on Win32. Ok.

> I am using the following code to obtain a list of users inside a group
> (test). This works well, but i'd like to be able to add groups that
> contain users into the "test" group, and return them too.

In general with LDAP you have to deal with nested groups at the client side.

Especially with AD, explicitly requesting the attribute tokenGroups on a
user's entry could be an option since AD then computes all the groups a
user is member of including nested groups. Note that the attribute
values are not DNs. See description here:

http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx

> searchFilter = "(memberOf=CN=test,OU=Machines,OU=Linux Auth,DC=xxx,DC=local)"

I'm not sure whether memberOf only indicates the directory group membership.

>   ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)

I'd recommend using the synchronous method l.search_s() first to avoid
programming errors. This is handy when you don't expect large result sets.

If you want to do stream processing of large result sets ldap.resiter is
more handy.

Ciao, Michael.
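An added example, not code from this thread or from python-ldap itself, showing the two points above: expanding nested group membership on the client side, and decoding the binary SID values that tokenGroups returns rather than DNs. The directory entries, DNs and SID bytes below are constructed for the example; the `lookup` callable is a stand-in for `l.search_s(dn, ldap.SCOPE_BASE, ...)` and consumes the same `(dn, {attr: [bytes, ...]})` result shape, so a real connection can be substituted. It also handles a membership cycle, which AD allows and which a naive recursion would loop on.

```python
"""Client-side expansion of nested AD group membership (example code).

Operates on results shaped like python-ldap's search_s():
a list of (dn, {attribute: [bytes, ...]}) tuples.
"""
import struct

# Constructed sample directory: DNs and names are made up for this example.
SAMPLE_DIRECTORY = [
    ("CN=test,OU=Machines,OU=Linux Auth,DC=example,DC=local",
     {"objectClass": [b"top", b"group"],
      "member": [b"CN=alice,OU=Users,DC=example,DC=local",
                 b"CN=admins,OU=Groups,DC=example,DC=local"]}),
    ("CN=admins,OU=Groups,DC=example,DC=local",
     {"objectClass": [b"top", b"group"],
      "member": [b"CN=bob,OU=Users,DC=example,DC=local",
                 b"CN=ops,OU=Groups,DC=example,DC=local"]}),
    ("CN=ops,OU=Groups,DC=example,DC=local",
     {"objectClass": [b"top", b"group"],
      # Cycle: ops contains test, which indirectly contains ops.
      "member": [b"CN=carol,OU=Users,DC=example,DC=local",
                 b"CN=test,OU=Machines,OU=Linux Auth,DC=example,DC=local"]}),
    ("CN=alice,OU=Users,DC=example,DC=local",
     {"objectClass": [b"top", b"person", b"user"]}),
    ("CN=bob,OU=Users,DC=example,DC=local",
     {"objectClass": [b"top", b"person", b"user"]}),
    ("CN=carol,OU=Users,DC=example,DC=local",
     {"objectClass": [b"top", b"person", b"user"]}),
]


def make_base_lookup(entries):
    """Return a callable mimicking l.search_s(dn, ldap.SCOPE_BASE, ...).

    DN comparison is case-insensitive, as it is in AD.  Against a live
    server you would pass something like (hypothetical, not run here):
        lambda dn: l.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)",
                              ["objectClass", "member"])
    """
    index = {dn.lower(): (dn, attrs) for dn, attrs in entries}

    def lookup(dn):
        hit = index.get(dn.lower())
        return [hit] if hit else []
    return lookup


def expand_group(lookup, group_dn):
    """Return the set of non-group member DNs of group_dn, following nesting.

    A visited set guards against membership cycles.  A member DN that
    cannot be read back (dangling or out of view) is kept as a leaf.
    """
    members = set()
    visited = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn.lower() in visited:
            continue
        visited.add(dn.lower())
        for _, attrs in lookup(dn):
            for raw in attrs.get("member", []):
                member_dn = raw.decode("utf-8")
                res = lookup(member_dn)
                classes = res[0][1].get("objectClass", []) if res else []
                if b"group" in classes:
                    stack.append(member_dn)   # descend into nested group
                else:
                    members.add(member_dn)
    return members


def sid_bytes_to_string(sid):
    """Decode a binary SID (the form tokenGroups returns) into S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count * uint32 LE.
    """
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority,
                          "".join("-%d" % s for s in subs))


if __name__ == "__main__":
    look = make_base_lookup(SAMPLE_DIRECTORY)
    for m in sorted(expand_group(
            look, "CN=test,OU=Machines,OU=Linux Auth,DC=example,DC=local")):
        print(m)
    # Constructed SID: S-1-5-21-1-2-3-1105 in binary form.
    print(sid_bytes_to_string(b"\x01\x05\x00\x00\x00\x00\x00\x05"
                              + struct.pack("<5I", 21, 1, 2, 3, 1105)))
```

With tokenGroups, the usual follow-up is to turn each decoded SID back into an entry, which keeps the group enumeration on the server side but still needs one lookup per SID on the client.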