Claim rule to issue recursive group membership of a user

Alex-5595 266 Reputation points
2021-05-25T15:42:28.507+00:00

Hello, we have a request to issue the group memberships of a set of groups if the user is a member of them.

The only thing I found so far is this tutorial; it works, but we have a performance problem.

https://www.yasab.net/adfs-claim-rule-to-issue-recursive-group-membership-of-a-user/

Among other things, he used the LDAP_MATCHING_RULE_IN_CHAIN filter in Rule 2. It takes more than 8 seconds to finish :S

Does anyone know if there is another solution or a tip to fix this?

P.S. To be honest, I'm not very familiar with the ADFS custom claim rule language.

Microsoft Security | Active Directory Federation Services

Accepted answer
  1. Alex-5595 266 Reputation points
    2021-05-27T14:42:17.42+00:00

    After a tip from another source, I was able to improve the query.

    LDAP_MATCHING_RULE_IN_CHAIN can cause a heavy load and stress performance if the query itself is not optimized and not using indexes properly.

    The example in the blog is an example of such an expensive LDAP query, because it will walk over ALL AD objects, whether group, user, contact or whatever else.
    It will surely make the CPU of the DCs run hot.

    The tip to add a bit more complexity to the rule, restricting it to just the groups you need, was a good example.

    E.g.:

    (&(objectclass=group)(|(cn=xyz_*)(cn=aws-*)(cn=abc_*))(member:1.2.840.113556.1.4.1941:={1}))

    This would be a query looking only for the groups where the CN starts with xyz_ or aws- or abc_!

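The following is an added example and is not code from this thread or from the linked blog. It is a toy model of the scoped filter in the accepted answer: it shows the RFC 4515 escaping a value needs before it is substituted into a filter, the transitive semantics of LDAP_MATCHING_RULE_IN_CHAIN on the member attribute, and how much the objectclass and cn clauses shrink the set of objects the expensive chain test is evaluated against. The directory is constructed sample data, the evaluation order (cheap clauses first, chain test on the survivors) is a simplification of what a domain controller does, and it assumes the `{1}` placeholder is filled with the user's distinguishedName, which is what a member comparison requires.

```python
# Added example, not code from the Q&A thread or the linked blog. Toy model of the
# scoped LDAP_MATCHING_RULE_IN_CHAIN filter; the directory below is constructed
# sample data, and the evaluation order is a simplified view of what a DC does.
from typing import Dict, List, Optional, Sequence, Set, Tuple

CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN OID

# Constructed directory: DN -> attributes. aws-admins contains xyz_ops, which
# contains alice, so alice is transitively a member of aws-admins.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=alice,OU=Users,DC=corp,DC=example": {"objectclass": "user", "cn": "alice", "member": []},
    "CN=bob,OU=Users,DC=corp,DC=example": {"objectclass": "user", "cn": "bob", "member": []},
    "CN=xyz_ops,OU=Groups,DC=corp,DC=example": {"objectclass": "group", "cn": "xyz_ops",
        "member": ["CN=alice,OU=Users,DC=corp,DC=example"]},
    "CN=aws-admins,OU=Groups,DC=corp,DC=example": {"objectclass": "group", "cn": "aws-admins",
        "member": ["CN=xyz_ops,OU=Groups,DC=corp,DC=example"]},
    "CN=abc_readers,OU=Groups,DC=corp,DC=example": {"objectclass": "group", "cn": "abc_readers",
        "member": ["CN=bob,OU=Users,DC=corp,DC=example"]},
    "CN=other-team,OU=Groups,DC=corp,DC=example": {"objectclass": "group", "cn": "other-team",
        "member": ["CN=alice,OU=Users,DC=corp,DC=example"]},
    "CN=printer-1,OU=Contacts,DC=corp,DC=example": {"objectclass": "contact", "cn": "printer-1",
        "member": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter assertion.
    Without it a DN containing ( ) * or \\ breaks the filter or widens the match."""
    escaped = value.replace("\\", "\\5c")  # backslash first so later escapes are not re-escaped
    for char, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(char, code)
    return escaped


def build_filter(user_dn: str, cn_prefixes: Optional[Sequence[str]] = None) -> str:
    """Build the filter string. With cn_prefixes it has the accepted answer's scoped
    form; with None it is the unscoped form that tests the chain rule on every object."""
    chain = f"(member:{CHAIN_RULE}:={escape_filter_value(user_dn)})"
    if not cn_prefixes:
        return chain
    cn_terms = "".join(f"(cn={escape_filter_value(p)}*)" for p in cn_prefixes)
    return f"(&(objectclass=group)(|{cn_terms}){chain})"


def in_chain(group_dn: str, target_dn: str, seen: Optional[Set[str]] = None) -> bool:
    """LDAP_MATCHING_RULE_IN_CHAIN semantics for member: true if target_dn is a direct
    member of group_dn or a member of any nested member group, at any depth."""
    if seen is None:
        seen = set()
    if group_dn in seen:  # guard against circular group nesting
        return False
    seen.add(group_dn)
    for member_dn in DIRECTORY.get(group_dn, {}).get("member", []):
        if member_dn == target_dn:
            return True
        if member_dn in DIRECTORY and in_chain(member_dn, target_dn, seen):
            return True
    return False


def recursive_groups(user_dn: str, cn_prefixes: Optional[Sequence[str]] = None) -> Tuple[List[str], int]:
    """Simulated evaluation: the cheap objectclass/cn clauses select candidates, then
    the chain test runs on each candidate. Returns (matching group DNs, number of
    objects the chain test was evaluated against)."""
    candidates: List[str] = []
    for dn, attrs in DIRECTORY.items():
        if cn_prefixes is None:
            candidates.append(dn)  # unscoped: every object gets the chain test
        elif attrs["objectclass"] == "group" and any(
            str(attrs["cn"]).lower().startswith(p.lower()) for p in cn_prefixes
        ):
            candidates.append(dn)  # cn is an indexed attribute; substring-initial match is cheap
    matches = sorted(dn for dn in candidates if in_chain(dn, user_dn))
    return matches, len(candidates)


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=corp,DC=example"
    for prefixes in (None, ["xyz_", "aws-", "abc_"]):
        groups, examined = recursive_groups(alice, prefixes)
        print(build_filter(alice, prefixes))
        print(f"  chain test evaluated on {examined} objects -> {groups}")
```

Two things carry over to the real rule. First, the scoped form only returns groups whose CN matches one of the prefixes: other-team contains the user but is intentionally excluded, so the prefix list is the allow-list of groups the relying party will ever see. Second, the DN substituted for the placeholder comes from AD itself in the ADFS flow, but the escaping is still the habit to keep, because a DN can legitimately contain parentheses or a backslash and an unescaped one changes the filter's meaning.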

1 additional answer

  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-05-25T17:10:44.977+00:00

    LDAP_MATCHING_RULE_IN_CHAIN doesn't scale in large environments. As a matter of fact, not only does it take a long time, but it also makes the domain controllers' CPU run pretty hot.

    The list of groups the user is a member of is already listed in the GroupSid claim. It is in the ObjectSID format. You can pass it through as-is or transform it into a display name (but using the SID is usually better for security reasons).

