ldap_fluff 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba638e83446c1328ec6d7880ccf1528f1a42db4dab9a8884bbd4c8974512632c
-  data.tar.gz: 69c6c3752b330047a953b9e8c4a2c7441f39edb28bccaef32b49fef56b0d21c4
+  metadata.gz: 80bbd37fc8123c1481d81117015acae3ba22aaaf95c6d87ef064c124c7f8f6f0
+  data.tar.gz: '0899615a301cc6569a3e036b136f27c73a68accf270aa4842b2bf17164bcf2ac'
 SHA512:
-  metadata.gz: b108ae2845030a2e3ea119716b11e7023cd52f4afad32cc48945c8d455a3cf3608755b82bb583373892a6ba0255b030a3750d9f367840e4912860d93e1f8e900
-  data.tar.gz: 315aebba32f13f1f8a62c4f7ce7dd5f49c395fc4950e197029c7818a43eb94fd8ec04c8cb7626c717db4fcb60b1dd61ff8d2d87332140a3c2ecf7a081b7ec682
+  metadata.gz: c288887b87abb0136d093d61924ddb646234135509cd95bccb4a29c2df149a19855e81eec321cfa3b69a34aeb95934e60c158d088b8a348e7c67d4fb10909334
+  data.tar.gz: 3ba66326d622afcfa64a15adc8ff87398726d38d775ed46c35ebe5e3b4026c3d01731ffcb8768af01ea5cf5ada903a8c5d246816b99fcfc4e7545a29f409fc79

data/README.rdoc

@@ -83,6 +83,8 @@ ldap_fluff does not support searching/binding global catalogs
 
 service_user (formatted as "ad_domain/username") and service_pass OR anon_queries are required for AD support
 
+Group membership searches will use "msds-memberOfTransitive" where possible, and will fall back to a recursive lookup
+
 === A note on FreeIPA
 
 ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to
@@ -99,6 +101,10 @@ ActiveSupport::Notifications.  ldap_fluff will use this and also pass it to net-
 When using Rails, pass `:instrumentation_service => ActiveSupport::Notifications` and then subscribe to, and
 optionally log events (e.g. https://gist.github.com/mnutt/566725).
 
-=== License
+== Contributing
+
+Feel free to file PR against our github repository.
+
+== License
 
 ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.

data/lib/ldap_fluff/active_directory.rb

@@ -1,10 +1,9 @@
 class LdapFluff::ActiveDirectory < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || uid.include?('\\') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
@@ -18,9 +17,9 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
     begin
       groups       = @member_service.find_user_groups(uid)
       intersection = gids & groups
-      return (all ? intersection == gids : intersection.size > 0)
+      (all ? intersection == gids : intersection.size > 0)
     rescue MemberService::UIDNotFoundException
-      return false
+      false
     end
   end
 
@@ -37,14 +36,13 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
       end
       objectclasses = entry.objectclass.map(&:downcase)
 
-      if (%w(organizationalperson person userproxy) & objectclasses).present?
+      if (%w[organizationalperson person userproxy] & objectclasses).present?
         users << @member_service.get_login_from_entry(entry)
-      elsif (%w(organizationalunit group) & objectclasses).present?
+      elsif (%w[organizationalunit group] & objectclasses).present?
         users << users_for_gid(entry.cn.first)
       end
     end
 
     users.flatten.uniq
   end
-
 end

data/lib/ldap_fluff/ad_member_service.rb

@@ -2,26 +2,49 @@ require 'net/ldap'
 
 # Naughty bits of active directory ldap queries
 class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'samaccountname')
     super
   end
 
   # get a list [] of ldap groups for a given user
-  # in active directory, this means a recursive lookup
+  # try to use msds-memberOfTransitive if it is supported, otherwise do a recursive loop
   def find_user_groups(uid)
-    data = find_user(uid)
-    _groups_from_ldap_data(data.first)
+    user_data = find_user(uid).first
+
+    if _get_domain_func_level >= 6
+      user_dn = user_data[:distinguishedname].first
+      search = @ldap.search(:base => user_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['msds-memberOfTransitive'])
+      if !search.nil? && !search.first.nil?
+        return get_groups(search.first['msds-memberoftransitive'])
+      end
+    end
+
+    # Fall back to recursive lookup
+    _groups_from_ldap_data(user_data)
+  end
+
+  # return the domain functionality level, default to 0
+  def _get_domain_func_level
+    return @domain_functionality if defined?(@domain_functionality)
+
+    @domain_functionality = 0
+
+    search = @ldap.search(:base => "", :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['domainFunctionality'])
+    if !search.nil? && !search.first.nil?
+      @domain_functionality = search.first[:domainfunctionality].first.to_i
+    end
+
+    @domain_functionality
   end
 
   # return the :memberof attrs + parents, recursively
   def _groups_from_ldap_data(payload)
     data = []
-    if !payload.nil?
-      first_level     = payload[:memberof]
-      total_groups, _ = _walk_group_ancestry(first_level, first_level)
-      data            = (get_groups(first_level + total_groups)).uniq
+    unless payload.nil?
+      first_level = payload[:memberof]
+      total_groups, = _walk_group_ancestry(first_level, first_level)
+      data = get_groups(first_level + total_groups).uniq
     end
     data
   end
@@ -31,14 +54,13 @@ class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberServic
     set = []
     group_dns.each do |group_dn|
       search = @ldap.search(:base => group_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['memberof'])
-      if !search.nil? && !search.first.nil?
-        groups                       = search.first[:memberof] - known_groups
-        known_groups                += groups
-        next_level, new_known_groups = _walk_group_ancestry(groups, known_groups)
-        set                         += next_level
-        set                         += groups
-        known_groups                += next_level
-      end
+      next unless !search.nil? && !search.first.nil?
+      groups = search.first[:memberof] - known_groups
+      known_groups                += groups
+      next_level, _new_known_groups = _walk_group_ancestry(groups, known_groups)
+      set                         += next_level
+      set                         += groups
+      known_groups                += next_level
     end
     [set, known_groups]
   end

data/lib/ldap_fluff/config.rb

@@ -3,8 +3,8 @@ require 'active_support/core_ext/hash'
 
 class LdapFluff::Config
   ATTRIBUTES = %w[host port encryption base_dn group_base server_type service_user
-                    service_pass anon_queries attr_login search_filter
-                    instrumentation_service use_netgroups]
+                  service_pass anon_queries attr_login search_filter
+                  instrumentation_service use_netgroups].freeze
   ATTRIBUTES.each { |attr| attr_reader attr.to_sym }
 
   DEFAULT_CONFIG = { 'port' => 389,
@@ -14,7 +14,7 @@ class LdapFluff::Config
                      'server_type' => :free_ipa,
                      'anon_queries' => false,
                      'instrumentation_service' => nil,
-                     'use_netgroups' => false }
+                     'use_netgroups' => false }.freeze
 
   def initialize(config)
     raise ArgumentError unless config.respond_to?(:to_hash)
@@ -65,9 +65,9 @@ class LdapFluff::Config
   end
 
   def correct_server_type?(config)
-    unless [:posix, :active_directory, :free_ipa].include?(config['server_type'])
-      raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa ' +
-        "but was #{config['server_type']}"
+    unless %i[posix active_directory free_ipa netiq].include?(config['server_type'])
+      raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa, :netiq ' +
+                         "but was #{config['server_type']}"
     end
   end
 

data/lib/ldap_fluff/error.rb

@@ -2,4 +2,3 @@ class LdapFluff
   class Error < StandardError
   end
 end
-

data/lib/ldap_fluff/freeipa.rb

@@ -1,23 +1,20 @@
 class LdapFluff::FreeIPA < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',')
       unless opts[:search] == false
         service_bind
         user = @member_service.find_user(uid)
       end
-      uid = user && user.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
+      uid = user&.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
     end
     @ldap.auth(uid, password)
     @ldap.bind
   end
 
   def groups_for_uid(uid)
-    begin
-      super
-    rescue MemberService::InsufficientQueryPrivilegesException
-      raise UnauthenticatedException, "Insufficient Privileges to query groups data"
-    end
+    super
+  rescue MemberService::InsufficientQueryPrivilegesException
+    raise UnauthenticatedException, "Insufficient Privileges to query groups data"
   end
 
   private

data/lib/ldap_fluff/freeipa_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'uid')
     super
@@ -23,7 +22,7 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
   # CN=bros,OU=bropeeps,DC=jomara,DC=redhat,DC=com
   def get_groups(grouplist)
     grouplist.map(&:downcase).collect do |g|
-      if g.match(/.*?ipauniqueid=(.*?)/)
+      if /.*?ipauniqueid=(.*?)/.match?(g)
         @ldap.search(:base => g)[0][:cn][0]
       else
         g.sub(/.*?cn=(.*?),.*/, '\1')
@@ -39,6 +38,4 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
 
   class InsufficientQueryPrivilegesException < LdapFluff::Error
   end
-
 end
-

data/lib/ldap_fluff/freeipa_netgroup_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberService
-
   def find_user_groups(uid)
     groups = []
     @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry|
@@ -11,4 +10,3 @@ class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberServ
     groups
   end
 end
-

data/lib/ldap_fluff/generic.rb

@@ -7,9 +7,9 @@ class LdapFluff::Generic
                           :port => config.port,
                           :encryption => config.encryption,
                           :instrumentation_service => config.instrumentation_service)
-    @bind_user  = config.service_user
-    @bind_pass  = config.service_pass
-    @anon       = config.anon_queries
+    @bind_user = config.service_user
+    @bind_pass = config.service_pass
+    @anon = config.anon_queries
     @attr_login = config.attr_login
     @base       = config.base_dn
     @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
@@ -37,7 +37,7 @@ class LdapFluff::Generic
     service_bind
     @member_service.find_user_groups(uid)
   rescue self.class::MemberService::UIDNotFoundException
-    return []
+    []
   end
 
   def users_for_gid(gid)
@@ -60,9 +60,9 @@ class LdapFluff::Generic
     groups = @member_service.find_user_groups(uid).sort
     gids = gids.sort
     if all
-      return groups & gids == gids
+      groups & gids == gids
     else
-      return (groups & gids).any?
+      (groups & gids).any?
     end
   end
 
@@ -74,16 +74,17 @@ class LdapFluff::Generic
   def service_bind
     unless @anon || bind?(@bind_user, @bind_pass, :search => false)
       raise UnauthenticatedException,
-            "Could not bind to #{class_name} user #{@bind_user}"
+        "Could not bind to #{class_name} user #{@bind_user}"
     end
   end
 
   private
+
   def select_member_method(search_result)
     if @use_netgroups
       :nisnetgrouptriple
     else
-      [:member, :memberuid, :uniquemember].find { |m| search_result.respond_to? m }
+      %i[member memberuid uniquemember].find { |m| search_result.respond_to? m }
     end
   end
 
@@ -114,4 +115,3 @@ class LdapFluff::Generic
   class UnauthenticatedException < LdapFluff::Error
   end
 end
-

data/lib/ldap_fluff/generic_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::GenericMemberService
-
   attr_accessor :ldap
 
   def initialize(ldap, config)
@@ -11,8 +10,8 @@ class LdapFluff::GenericMemberService
     @search_filter = nil
     begin
       @search_filter = Net::LDAP::Filter.construct(config.search_filter) unless (config.search_filter.nil? || config.search_filter.empty?)
-    rescue Net::LDAP::Error => error
-      puts "Search filter unavailable - #{error}"
+    rescue Net::LDAP::Error => e
+      puts "Search filter unavailable - #{e}"
     end
   end
 
@@ -81,5 +80,4 @@ class LdapFluff::GenericMemberService
     end
     nil
   end
-
 end

data/lib/ldap_fluff/ldap_fluff.rb

@@ -13,6 +13,8 @@ class LdapFluff
       @ldap = ActiveDirectory.new(config)
     when :free_ipa
       @ldap = FreeIPA.new(config)
+    when :netiq
+      @ldap = NetIQ.new(config)
     else
       raise 'unknown server_type'
     end
@@ -20,7 +22,7 @@ class LdapFluff
   end
 
   def authenticate?(uid, password)
-    instrument('authenticate.ldap_fluff', :uid => uid) do |payload|
+    instrument('authenticate.ldap_fluff', :uid => uid) do |_payload|
       if password.nil? || password.empty?
         false
       else
@@ -30,21 +32,21 @@ class LdapFluff
   end
 
   def test
-    instrument('test.ldap_fluff') do |payload|
+    instrument('test.ldap_fluff') do |_payload|
       @ldap.ldap.open {}
     end
   end
 
   # return a list[] of users for a given gid
   def user_list(gid)
-    instrument('user_list.ldap_fluff', :gid => gid) do |payload|
+    instrument('user_list.ldap_fluff', :gid => gid) do |_payload|
       @ldap.users_for_gid(gid)
     end
   end
 
   # return a list[] of groups for a given uid
   def group_list(uid)
-    instrument('group_list.ldap_fluff', :uid => uid) do |payload|
+    instrument('group_list.ldap_fluff', :uid => uid) do |_payload|
       @ldap.groups_for_uid(uid)
     end
   end
@@ -52,35 +54,35 @@ class LdapFluff
   # return true if a user is in all of the groups
   # in grouplist
   def is_in_groups?(uid, grouplist)
-    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |payload|
+    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |_payload|
       @ldap.is_in_groups(uid, grouplist, true)
     end
   end
 
   # return true if uid exists
   def valid_user?(uid)
-    instrument('valid_user?.ldap_fluff', :uid => uid) do |payload|
+    instrument('valid_user?.ldap_fluff', :uid => uid) do |_payload|
       @ldap.user_exists? uid
     end
   end
 
   # return true if group exists
   def valid_group?(gid)
-    instrument('valid_group?.ldap_fluff', :gid => gid) do |payload|
+    instrument('valid_group?.ldap_fluff', :gid => gid) do |_payload|
       @ldap.group_exists? gid
     end
   end
 
   # return ldap entry
   def find_user(uid)
-    instrument('find_user.ldap_fluff', :uid => uid) do |payload|
+    instrument('find_user.ldap_fluff', :uid => uid) do |_payload|
       @ldap.member_service.find_user(uid)
     end
   end
 
   # return ldap entry
   def find_group(gid)
-    instrument('find_group.ldap_fluff', :gid => gid) do |payload|
+    instrument('find_group.ldap_fluff', :gid => gid) do |_payload|
       @ldap.member_service.find_group(gid)
     end
   end

data/lib/ldap_fluff/netiq.rb

@@ -0,0 +1,6 @@
+class LdapFluff::NetIQ < LdapFluff::Posix
+  def create_member_service(config)
+    service_bind
+    super(config)
+  end
+end

data/lib/ldap_fluff/netiq_member_service.rb

@@ -0,0 +1,43 @@
+require 'net/ldap'
+
+# handles the naughty bits of posix ldap
+class LdapFluff::NetIQ::MemberService < LdapFluff::Posix::MemberService
+  def initialize(ldap, config)
+    super
+    # set default after super, because Posix' initialize would overwrite it otherwise
+    @attr_login = (config.attr_login || 'uid')
+  end
+
+  def find_by_dn(search_dn)
+    entry, base = search_dn.split(/(?<!\\),/, 2)
+    _entry_attr, entry_value = entry.split('=', 2)
+    entry_value = entry_value.gsub('\,', ',')
+    user = @ldap.search(:filter => name_filter(entry_value, 'workforceid'), :base => base)
+    raise self.class::UIDNotFoundException if (user.nil? || user.empty?)
+    user
+  end
+
+  def get_logins(userlist)
+    userlist.map do |current_user|
+      find_by_dn(current_user&.downcase)[0][@attr_login][0]
+    end
+  end
+
+  # return an ldap user with groups attached
+  # note : this method is not particularly fast for large ldap systems
+  def find_user_groups(uid)
+    filter = Net::LDAP::Filter.eq('memberuid', uid)
+    begin
+      user = find_user(uid)[0][:dn][0]
+      filter |= Net::LDAP::Filter.eq('member', user)
+    rescue UIDNotFoundException
+      # do nothing
+    end
+
+    @ldap.search(
+      :filter => filter,
+      :base => @group_base,
+      :attributes => ['cn']
+    ).map { |entry| entry[:cn][0] }
+  end
+end

data/lib/ldap_fluff/posix.rb

@@ -1,10 +1,9 @@
 class LdapFluff::Posix < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
@@ -17,14 +16,14 @@ class LdapFluff::Posix < LdapFluff::Generic
     # we have to look for OUs or posixGroups within the current group scope,
     # i.e: cn=ldapusers,ou=groups,dc=example,dc=com -> cn=myusers,cn=ldapusers,ou=gr...
 
-    if @use_netgroups
-      filter = Net::LDAP::Filter.eq('objectClass', 'nisNetgroup')
-    else
-      filter = Net::LDAP::Filter.eq('objectClass','posixGroup') |
-               Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
-               Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
-               Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
-    end
+    filter = if @use_netgroups
+               Net::LDAP::Filter.eq('objectClass', 'nisNetgroup')
+             else
+               Net::LDAP::Filter.eq('objectClass', 'posixGroup') |
+                 Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
+             end
     groups = @ldap.search(:base => search.dn, :filter => filter)
     members = groups.map { |group| group.send(method) }.flatten.uniq
 

data/lib/ldap_fluff/posix_member_service.rb

@@ -2,7 +2,6 @@ require 'net/ldap'
 
 # handles the naughty bits of posix ldap
 class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'memberuid')
     super
@@ -18,37 +17,18 @@ class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
   # note : this method is not particularly fast for large ldap systems
   def find_user_groups(uid)
     groups = []
-    @ldap.search(:filter => Net::LDAP::Filter.eq('memberuid', uid), :base => @group_base).each do |entry|
+    @ldap.search(
+      :filter => Net::LDAP::Filter.eq('memberuid', uid),
+      :base => @group_base, :attributes => ["cn"]
+    ).each do |entry|
       groups << entry[:cn][0]
     end
     groups
   end
 
-  def times_in_groups(uid, gids, all)
-    filters = []
-    gids.each do |cn|
-      filters << group_filter(cn)
-    end
-    group_filters = merge_filters(filters, all)
-    filter        = name_filter(uid) & group_filters
-    @ldap.search(:base => @group_base, :filter => filter).size
-  end
-
-  # AND or OR all of the filters together
-  def merge_filters(filters = [], all = false)
-    if !filters.nil? && filters.size >= 1
-      filter = filters[0]
-      filters[1..(filters.size - 1)].each do |gfilter|
-        filter = (all ? filter & gfilter : filter | gfilter)
-      end
-      return filter
-    end
-  end
-
   class UIDNotFoundException < LdapFluff::Error
   end
 
   class GIDNotFoundException < LdapFluff::Error
   end
-
 end

data/lib/ldap_fluff/posix_netgroup_member_service.rb

@@ -2,7 +2,6 @@ require 'net/ldap'
 
 # handles the naughty bits of posix ldap
 class LdapFluff::Posix::NetgroupMemberService < LdapFluff::Posix::MemberService
-
   # return list of group CNs for a user
   def find_user_groups(uid)
     groups = []
@@ -12,5 +11,4 @@ class LdapFluff::Posix::NetgroupMemberService < LdapFluff::Posix::MemberService
     end
     groups
   end
-
 end

data/lib/ldap_fluff.rb

@@ -11,3 +11,5 @@ require 'ldap_fluff/posix_netgroup_member_service'
 require 'ldap_fluff/freeipa'
 require 'ldap_fluff/freeipa_member_service'
 require 'ldap_fluff/freeipa_netgroup_member_service'
+require 'ldap_fluff/netiq'
+require 'ldap_fluff/netiq_member_service'

data/test/ad_member_services_test.rb

@@ -1,6 +1,6 @@
 require 'lib/ldap_test_helper'
 
-class TestADMemberService < MiniTest::Test
+class TestADMemberService < Minitest::Test
   include LdapTestHelper
 
   def setup
@@ -11,6 +11,7 @@ class TestADMemberService < MiniTest::Test
 
   def basic_user
     @ldap.expect(:search, ad_user_payload, [:filter => ad_name_filter("john")])
+    @ldap.expect(:search, [{ :domainfunctionality => ['5'] }], [:base => "", :scope => 0, :attributes => ['domainFunctionality']])
     @ldap.expect(:search, ad_parent_payload(1), [:base => ad_group_dn, :scope => 0, :attributes => ['memberof']])
   end
 
@@ -20,7 +21,7 @@ class TestADMemberService < MiniTest::Test
 
   def nest_deep(n)
     # add all the expects
-    1.upto(n-1) do |i|
+    1.upto(n - 1) do |i|
       @ldap.expect(:search, ad_parent_payload(i + 1), [:base => ad_group_dn("bros#{i}"), :scope => 0, :attributes => ['memberof']])
     end
     # terminate or we loop FOREVER
@@ -39,11 +40,19 @@ class TestADMemberService < MiniTest::Test
     end
   end
 
+  def transitive_user
+    ad_transitive_payload = [{ 'msds-memberoftransitive' => [ad_group_dn("bros#1"), ad_group_dn("bros#2"), ad_group_dn("bros#3"), ad_group_dn("bros#4"), ad_group_dn("bros#5")] }]
+
+    @ldap.expect(:search, ad_user_payload('john'), [:filter => ad_name_filter("john")])
+    @ldap.expect(:search, [{ :domainfunctionality => ['6'] }], [:base => "", :scope => 0, :attributes => ['domainFunctionality']])
+    @ldap.expect(:search, ad_transitive_payload, [:base => ad_user_dn("john"), :scope => 0, :attributes => ['msds-memberOfTransitive']])
+  end
+
   def test_find_user
     basic_user
     @ldap.expect(:search, [], [:base => ad_group_dn('bros1'), :scope => 0, :attributes => ['memberof']])
     @adms.ldap = @ldap
-    assert_equal(%w(group bros1), @adms.find_user_groups("john"))
+    assert_equal(%w[group bros1], @adms.find_user_groups("john"))
     @ldap.verify
   end
 
@@ -53,7 +62,7 @@ class TestADMemberService < MiniTest::Test
     # now make 'bros1' be memberof 'group' again
     @ldap.expect(:search, ad_user_payload, [:base => ad_group_dn('bros1'), :scope => 0, :attributes => ['memberof']])
     @adms.ldap = @ldap
-    assert_equal(%w(group bros1), @adms.find_user_groups("john"))
+    assert_equal(%w[group bros1], @adms.find_user_groups("john"))
     @ldap.verify
   end
 
@@ -82,6 +91,13 @@ class TestADMemberService < MiniTest::Test
     @ldap.verify
   end
 
+  def test_transitive_groups
+    transitive_user
+    @adms.ldap = @ldap
+    assert_equal(5, @adms.find_user_groups('john').size)
+    @ldap.verify
+  end
+
   def test_nil_payload
     assert_equal([], @adms._groups_from_ldap_data(nil))
   end
@@ -160,5 +176,4 @@ class TestADMemberService < MiniTest::Test
     entry = Net::LDAP::Entry.new('Example User')
     assert_nil(@adms.get_login_from_entry(entry))
   end
-
 end