I have integrated OBIEE 11g with Active Directory successfully. The User Base DN is as follows : "OU = Departments, DC=[DC NAME],DC=[DC NAME]". However I would need to add another "OU = Branches" to it.
How can I do it.Do we have any 'OR' command to it? SO that, it traverses through multiple OU.
The LDAP query operator for OR is "|" - ref.http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
So (|(ou=A)(ou=B)(etc.))
Related
What would be the syntax for LDAP for the below scenario:
Where sAMAccountName = GRA-* without $. I want the records which are highlighted in green.
This is my current LADP Filter for your reference:
(&(objectClass=user)sAMAccountName=GRA-*))
Anyone, Please help with the correct syntax.
Your filter can work, but you're missing a ( in front of sAMAccountName:
(&(objectClass=user)(sAMAccountName=GRA-*))
But you may be able to do better. If those ones that end in $ are computer objects (which always have sAMAccountNames that end in $, but also have an objectClass of user), then you can make sure you only get user objects by including (objectCategory=person):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*))
If, for whatever reason, those $ objects are actually user accounts, then you can exclude them with (!sAMAccountName=*$):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*)(!sAMAccountName=*$))
I've been asked to pull a report containing User's name, username, enabled/disabled, and the last login time from our Windows server 2008 domain. I'm using the script below and it's working, but the problem is it's pulling built-in security accounts and some system accounts, and I need just users. Does anyone know if this filtering is possible? The script I'm using is below. Thanks in advance!
$ADUserParams=#{
'Server' = 'servername.domain.local'
'Searchbase' = 'DC=domain,DC=local'
'Searchscope'= 'Subtree'
'Filter' = '*'
'Properties' = '*'
}
$SelectParams=#{
'Property' = 'CN', 'SAMAccountname', 'DisplayName', 'enabled', 'lastlogondate',
}
get-aduser #ADUserParams | select-object #SelectParams | export-csv "c:\temp\users.csv"
At the very least you'll want to modify your filter to something like:
'(&(|(objectclass=person)(objectclass=inetorgperson))(!(objectclass=computer)))'.
That will still leave Administrator, Guest and and domain/realm trusts you've got, but otherwise it's pretty clean.
'(&(sAMAccountType=805306368)(!(isCriticalSystemObject=TRUE)))' is even cleaner, and may be exactly what you need. This uses sAMAccountType, but I pulled from existing AD users rather than build that value from scratch.
Also there is no Enabled attribute. The closest you can get is userAccountControl. lastLogonDate is actually lastLogonTimestamp.
part of your requirements for the report are to show all users in AD, this would include system and built-in accounts. That being said, ff you can exclude the OUs or containers that contain the built-in/system accounts you don't want in the report that would be easiest. It looks like your trying to audit the whole AD DS and should use exclusions otherwise only include the OU that contains the User Accounts as long as it is only possible to not have User accounts anywhere else.
It really depends on what you can use to separate your built-ins and system accounts.
The easiest way would be to add a SearchBase to your $ADUserParams:
$ADUserParams=#{
'Server' = 'servername.domain.local'
...
'SearchBase' = 'OU=Lemmings,DC=contoso,DC=com'
}
If there's one OU that you need to filter out, try adding a Where-Object:
get-aduser #ADUserParams | ?{$_.DistinguishedName -notlike '*ou=Beancounters,*'} | select-object #SelectParams | export-csv c:\temp\users.csv"
The ?{ } bit is an alias for the Where-Object command. $_ represents the objects passed along the pipe.
This is all assuming that these accounts are cleanly separated by OU, however. I know this isn't true in my environment.
You might have to play around for a while before finding something that will separate your users cleanly. It might help to store your initial query as a variable, $users = Get-ADUser #ADUserParams, and see what you can pick apart:
$users | ?{$_.SomeProperty -eq 'SomeValue'}
Try running $users[0] to get an idea of what properties there might be to help you filter through these users. If you need to wrap your head around things like -eq and -like, take a look here.
If all the accounts you're wanting to filter contain a character like $, you could filter the output like so:
$users | ?{$_.SamAccountName -notlike "*$*"}
I have a server with its own local Groups. These groups hold AD users. I use them to apply permissions for the user in a web app. I need to generate a list of all the users in the group.
This is the script I'm trying to use:
dsquery group -samid "MyGroup" | dsget group "MyGroup" -members >c:\List.txt
I've tried many generations of this code and all I get are errors. At least this one creates a text file before it errors (with nothing in it).
So what am I doing wrong (I confess I'm new to this command line tool).
EDIT: the error I'm getting is "dsget failed:Value for 'Target object for this command' has incorrect format."
Thanks in advance.
I too am a newbie.
But I beleive you want is:
dsquery group -name "MyGroup" | dsget group -members > c:\List.txt
Where you replace "MyGroup" with the name of the group you are looking for. If looking for multiple groups which begin the same way, surround MyGroup with asterisks instead of quotation marks.
I am trying to adapt the Zend Skeleton App to use an ODBC connection. I am able to set up a PDO connection outside of Zend (same table, server, everything) like this:
new PDO('odbc:DRIVER={iSeries Access ODBC Driver};SYSTEM=<serverName>;HOSTNAME=<serverName>;DATABASE=<databaseName>;',
'<userName>', '<password>');
$r = $this->conn->query('SELECT * FROM <databaseName>.<tableName>');
But when I add this information to the global.php file:
'db' => array(
'driver' => 'Pdo',
'dsn' => 'odbc:DRIVER={iSeries Access ODBC Driver};SYSTEM=<serverName>;HOSTNAME=<serverName>;DATABASE=<databaseName>;',
),
And in local.php:
return array(
'db' => array(
'username' => '<userName>',
'password' => '<password>',
),
);
I get an error that the table is not found:
SQLSTATE[42S02]: Base table or view not found: 0 [IBM][iSeries Access ODBC Driver][DB2 UDB]SQL0204 - <tableName> in <userName - yes you read that right> type *FILE not found.
I believe this is because my prefixed <databaseName>.<tableName> is being wrapped in double quotes when the query runs through Zend. I cannot explain why Zend is looking for my table under userName. However, I cannot get PDO to recognize the table without the prefix, even though I have tried declaring my database in the initialization of the PDO every way I can think of.
Is there a way for PDO to actually pick up the database name so I don't need the prefix? Or is there a way to tell Zend to use the prefix (not lumped in the quotes with the table name)?
Please pardon if I'm using the wrong language here - I get a little lost between Schema, Database, Library, File, Table, etc. when I'm going between SQL and iSeries.
I really appreciate any help you can offer, Zend is new to me.
Not familiar with PDO, as I use ibm_db2, but the database name can be found with the CL command WRKRDBDIRE.
With *SQL naming, an unqualified table name (SELECT * FROM TABLENAME) is implicitly qualified with the user profile name. So if SARAHK is executing the select, it becomes SELECT * FROM SARAHK.TABLENAME. So the error you're seeing indicates that IBM i thinks you have an unqualified table name.
If you could configure the ODBC driver to use *SYSTEM naming, it would use the library list to locate unqualified table names.
I'm an old school RPG programmer, so I'm more familiar with the traditional names; here's a cheat sheet:
Library -> Schema
File -> Table
Member -> No SQL equivalent - use ALIAS
I just went through the process of converting the tutorial to connect to IBM i with the ODBC driver but did not want to specify (a.k.a. hardcode) the library in the connection string. Setting the "NAMING" parameter to '1' (*SYS rather than *SQL) will use the *USRLIBL of the user's connection/profile/JOBD (WRKJOBD INLLIBL( ...) ). If you use *SQL naming, it will take the User ID as the Schema when searching for the table.
My DSN looks like this:
'dsn' => "odbc:DRIVER={iSeries Access ODBC Driver};SYSTEM= your host IP;HOSTNAME=your host;DATABASE=your dbname;NAMING=1"
As long as the table I'm looking for is in the *LIBL, I don't have to worry about schema at the client.
I solved this by finally finding an addition to my DSN that properly specified the library/schema I wanted to work under. This site (http://www.sqlthing.com/HowardsODBCiSeriesFAQ.htm) gave me the parameter DBQ=<libraryName> which finally worked for me after trying DATABASE, DBNAME, and many others.
Now that my library is properly specified in my connection string, I don't need to prefix the table name so my queries work even though I never got Zend to take a schema in the construction of a TableGateway. I'm going to mark this as an answer for now, but if anyone knows how to send a schema name to a new TableGateway I would be happy to change that.
I have a large Openldap directory. In the directory the display name property for every is filled but i need to modify these entry and make it like "givenName + + sn". Is there are way i can do it directly in the directory just like sql queries (update query). I have read about the ldapmodify but could not find the way to use it like this.
Any help in this regard will be appreciated.
There is no way to do this with a single LDAP API call. You'll always have to use one LDAP search operation to get givenname and sn attributes, and one LDAP modify operation to modify the displayName attribute.
If you use the command line ldaptools "ldapsearch" and "ldapmodify", you can do this easily with some shell scripting, but you'll have to be careful: sometimes ldapsearch(1) can return LDIF data in base64 format, with UTF-8 strings that contain characters beyond ascii. For instance: 'sn:: Base64data' (note the double ':')
So, if I were you I would use a simple script in my language of choice, that has an LDAP API, instead of using shell commands. This would save me the troubles of base64 decoding that the ldaptools sometimes impose.
For instance, with php-cli, your script would be roughly like this (perhaps some more error checking would be appropriate):
<?php
$ldap = ldap_connect('host');
ldap_bind($ldap, ...);
$sr = ldap_search($ldap, 'ou=people,...', 'objectclass=*');
$entries= ldap_get_entries($ldap, $sr);
for($i=0; $i<$entries['count']; $i++) {
$modify = array('displayname' => $entries[$i]['givenname'] . ' ' . $entries[$i]['sn']);
ldap_modify($ldap, $entries[$i]['dn'], $modify);
}
Addendum: if you want to keep this data up to date without any intervention, you will probably need to use a specialized OpenLDAP module that keeps "virtual" attributes, or even a virtual directory, such as Penrose or Oracle Virtual Directory, on top of OpenLDAP. However this might be overkill for a simple concatenation of attributes.