LDAP Filter, limiting to specific OU

  • Question

  • I am trying to get an LDAP filter to filter user accounts, but I need to specify the base OU, as I don't want it to default to the root of the domain and find service accounts.

    Here is what I try, and it doesn't work:

    Sites DistinguishedName=OU=Sites,DC=HILLNET,DC=ad,DC=hsd,DC=k12,DC=or,DC=us

    (&(objectClass=user)(distinguishedName=*sites*)(mail=*)(!(mail=*_*))(!(description=Student*))(!(objectClass=computer)))

    When I pull out the (distinguishedName=*sites*) clause the filter works, but it pulls from the root of the domain.

    Is what I'm trying to do even possible?

    Thursday, June 11, 2015 3:19 PM

Answers

  • LDAP filter does not support specifying an OU.

    Instead, you change the base OU of the search rather than putting the OU in the filter itself.


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Obannon Thursday, June 11, 2015 5:34 PM
    Thursday, June 11, 2015 3:30 PM
    Moderator
  • You cannot use wildcards in a filter involving any DN attribute, like distinguishedName, member, or memberOf. Instead, you must specify the base of the query. What tool are you using? For example, if you use dsquery, you specify the base similar to below:

    dsquery * "ou=Sites,dc=Hillnet,dc=ad,dc=hsd,dc=k12,dc=or,dc=us" -filter "(&(objectCategory=person)(objectClass=user)(mail=*)(!(mail=*_*))(!(description=student*)))"

    I also note that the filter clauses for user objects are more commonly (&(objectCategory=person)(objectClass=user)). If you intend the base to include several DNs, each with "ou=Sites" in the distinguishedName, you need to make several queries, or filter the results after retrieving all results from a common base. There is no other workaround.


    Richard Mueller - MVP Directory Services


    Thursday, June 11, 2015 3:32 PM
    Moderator
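    The same approach in PowerShell, as an added example that is not from this thread or from any tool mentioned in it: the OU is set as the search base (SearchRoot) of a DirectorySearcher, the filter stays OU-free, and the "several Sites OUs" case is handled by running the same query against each base. The first base DN is the one from the question; the second is a hypothetical extra OU used only to show the multi-base loop.

```powershell
# Added example: scope an AD query by search base instead of by a DN wildcard in the filter.
# Assumes a domain-joined host with read access to the listed OUs.
$SearchBases = @(
    'OU=Sites,DC=HILLNET,DC=ad,DC=hsd,DC=k12,DC=or,DC=us',
    'OU=Sites,OU=Example,DC=HILLNET,DC=ad,DC=hsd,DC=k12,DC=or,DC=us'   # hypothetical second "Sites" OU
)

# No OU in the filter: a wildcard on distinguishedName never matches, so the base does the scoping.
$Filter = '(&(objectCategory=person)(objectClass=user)(mail=*)(!(mail=*_*))(!(description=Student*)))'

$results = foreach ($base in $SearchBases) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$base")
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree   # include child OUs of the base
    $searcher.Filter      = $Filter
    $searcher.PageSize    = 1000   # paged results, so a large OU is not cut off at the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'mail', 'distinguishedName'))

    try {
        foreach ($r in $searcher.FindAll()) {
            # Property names in a SearchResult are lowercased.
            [pscustomobject]@{
                SearchBase        = $base
                sAMAccountName    = [string]$r.Properties['samaccountname'][0]
                mail              = [string]$r.Properties['mail'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    catch {
        # A base that does not exist raises here instead of silently returning nothing.
        Write-Warning "Query against '$base' failed: $($_.Exception.Message)"
    }
}

# De-duplicate in case one base is nested inside another, then show the result.
$results | Sort-Object DistinguishedName -Unique | Format-Table -AutoSize
```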

All replies

  • That's what I figured. We currently use UMRA (Tools4Ever) for the auto group mappings, which uses an Access database that has the filters in a table that we base group mappings on.

    Most likely we will need to add a description for all service accounts that we don't want and filter those out.

    Thanks guys.

    Thursday, June 11, 2015 5:34 PM