get AD group membership doesn't work for global groups
I want to pull the group membership for OBIEE directly from AD.
This has been covered in many blogs and forums, no problem. I've found some user-created functions; basically all of them use DBMS_LDAP package methods, with one exception that additionally uses DBMS_LDAP_UTL.get_group_membership.
ALL THOSE functions work BUT I've verified it with the actual group membership from AD or adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
The list returned by Oracle packages doesn't match, or to be exact only partially matches the factual AD list.
I've done some research and found there are three types used for defining group's scope by AD:
Domain Local, Global, or Universal
(http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
leaving the first one out of the scope as we don't use it
- I've verified and found ALL missing ONES are defined as GLOBAL
All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones.
Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
and so AdFind can list both..
So why does Oracle limit the search to UNIVERSAL ones only?
Maybe it's a matter of initializing those DBMS_LDAP packages differently or passing slightly different parameters?
I've really tried a lot of this code in different combinations but no joy
Has anyone got some ideas?
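The comparison described in the post can be repeated mechanically. The following is an added example, not part of the original post: it decodes the Active Directory groupType attribute into a scope and reports which groups the Oracle-side list is missing, grouped by scope. The group DNs and both input lists are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Scope bits of the Active Directory groupType attribute
SCOPE_FLAGS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000  # set for security groups, clear for distribution groups


def decode_group_type(raw):
    """Decode groupType, which LDAP returns as a signed 32-bit integer string."""
    value = int(raw) & 0xFFFFFFFF  # normalise negative values to unsigned
    scope = next((name for bit, name in SCOPE_FLAGS.items() if value & bit), "Unknown")
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    return scope, kind


def missing_by_scope(ad_groups, oracle_dns):
    """Return {scope: [DN, ...]} for groups present in AD but absent from the
    Oracle result. DNs are compared case-insensitively."""
    seen = {dn.strip().lower() for dn in oracle_dns}
    missing = defaultdict(list)
    for dn, raw in ad_groups.items():
        if dn.strip().lower() not in seen:
            scope, _kind = decode_group_type(raw)
            missing[scope].append(dn)
    return dict(missing)


# Constructed sample: group DN -> groupType as the directory would return it
AD_GROUPS = {
    "CN=BI-Admins,OU=Groups,DC=example,DC=com": "-2147483640",     # universal, security
    "CN=BI-Authors,OU=Groups,DC=example,DC=com": "-2147483646",    # global, security
    "CN=BI-Consumers,OU=Groups,DC=example,DC=com": "-2147483646",  # global, security
    "CN=BI-News,OU=Groups,DC=example,DC=com": "8",                 # universal, distribution
}
# Constructed sample: DNs as returned by the DBMS_LDAP-based function
ORACLE_RESULT = [
    "cn=bi-admins,ou=groups,dc=example,dc=com",
    "CN=BI-News,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    for scope, dns in missing_by_scope(AD_GROUPS, ORACLE_RESULT).items():
        print(f"{scope}: {len(dns)} missing")
        for dn in dns:
            print("  ", dn)
```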