Active Directory/LDAP equivalent of namespaces?
In code, I have "employees" with roles in Category.Role format, where Category is a type of role. For example, Foo.Bar and Foo.Foobar -- both are Foo roles. Foo isn't actually a namespace in my project, but I'm thinking of it in that way.
Is there some container or hierarchical role/group equivalent in Active Directory that I can assign and/or read out of an LDAP query, such that I could query both for everyone with any Foo role, and for a specific Foo.X role?
In Active Directory, you can assign a group as a member of another group. So, if I understand correctly, what you want is to create an AD group called "Foo" and then create two subgroups called "Foo.Bar" and "Foo.Foobar". Assign those two subgroups as members of group "Foo".
Then, for the user assigned to group "Foo.Bar", he will be in the role of both "Foo" and "Foo.Bar". That means if you get the WindowsPrincipal of that user, both WindowsPrincipal.IsInRole("Foo") and WindowsPrincipal.IsInRole("Foo.Bar") return true.
If you are not using the IsInRole() function to check the membership but a pure LDAP query, I am afraid we cannot find an easy way to work out the nested group relationship. If you really want to look into the way to make one single LDAP query call, try to look for the "tokenGroups" attribute on the AD user object. It is a computed attribute calculated by AD on the fly. It contains all the nested group information. The only thing is that it stores SIDs. So, you need to find out the SID of your AD group, convert it to the LDAP binary format and do the query.
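The two conversions the answer leaves to the reader, as an added example that is not part of the original question or answer: packing a SID string into the binary form AD stores in objectSid/tokenGroups, escaping those bytes for an LDAP filter, and decoding the tokenGroups values that come back into SID strings so they can be matched against the Foo / Foo.X groups. It also builds the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941), which domain controllers since Windows Server 2003 SP2 accept for "everyone who is a transitive member of group Foo" in a single query. The group names, SIDs and the user's tokenGroups values below are constructed sample data, not values from a real domain; no directory is contacted.

```python
import struct

# SID wire format: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then each sub-authority
# as a 4-byte little-endian integer.
def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode one objectSid / tokenGroups value back into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def ldap_escape_binary(raw: bytes) -> str:
    """RFC 4515 escaping for a binary filter value: every byte as \\XX."""
    return "".join("\\%02x" % b for b in raw)


def ldap_escape_text(value: str) -> str:
    """RFC 4515 escaping for a text filter value (a DN, for example)."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_sid_filter(sid: str) -> str:
    """Filter that finds the group object for a given SID string."""
    return "(objectSid=%s)" % ldap_escape_binary(sid_to_bytes(sid))


def nested_member_filter(group_dn: str) -> str:
    """Users who are direct or nested members of group_dn, in one query."""
    return ("(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=%s))"
            % ldap_escape_text(group_dn))


def roles_from_token_groups(token_groups, known_groups):
    """Map a user's tokenGroups blobs to the role names we care about.

    known_groups: role name -> SID string (one lookup per group, cacheable).
    tokenGroups already includes groups reached through nesting, so a
    member of Foo.Bar also shows up as a member of Foo.
    """
    held = {bytes_to_sid(v) for v in token_groups}
    return sorted(name for name, sid in known_groups.items() if sid in held)


def has_category_role(roles, category: str) -> bool:
    """True if the user holds the category group or any Category.X role."""
    return any(r == category or r.startswith(category + ".") for r in roles)


# Constructed sample data (hypothetical domain, not real SIDs).
DOMAIN = "S-1-5-21-1111-2222-3333"
CONSTRUCTED_GROUPS = {
    "Foo":        DOMAIN + "-1105",
    "Foo.Bar":    DOMAIN + "-1106",
    "Foo.Foobar": DOMAIN + "-1107",
    "Baz":        DOMAIN + "-1108",
}
# What AD would return in tokenGroups for a user placed in Foo.Bar:
# Foo.Bar itself, Foo via nesting, and Domain Users (RID 513).
USER_TOKEN_GROUPS = [sid_to_bytes(s) for s in
                     (CONSTRUCTED_GROUPS["Foo.Bar"], CONSTRUCTED_GROUPS["Foo"],
                      DOMAIN + "-513")]

if __name__ == "__main__":
    roles = roles_from_token_groups(USER_TOKEN_GROUPS, CONSTRUCTED_GROUPS)
    print("roles:", roles)
    print("any Foo role:", has_category_role(roles, "Foo"))
    print(group_sid_filter(CONSTRUCTED_GROUPS["Foo"]))
    print(nested_member_filter("CN=Foo,OU=Roles,DC=example,DC=com"))
```

Look up each role group's SID once (group_sid_filter in the opposite direction, or read objectSid when you create the groups), cache the name-to-SID map, and then one read of the user's tokenGroups answers both "any Foo role" and "exactly Foo.Bar". tokenGroups is only returned on a base-scope search of the user object itself, not from a subtree search; the in-chain filter is the route when the question is "all users with a Foo role" rather than "this user's roles".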