LDAP Search String for Two OUs - ldap

I am looking to include two separate OUs in an LDAP search string. I've searched for answers and found some but none seem to work once I include the second OU. Specifically, this is to narrow down a scan to email list on a Canon Copier. The following string works on a single OU:
OU=People (Staff),DC=DOMAIN1,DC=DOMAIN2,DC=com
I'd like to add a second OU so that all emails in the second OU are also available in the scan-to-email address search. The second one is OU=People (Vendors).
I can remove the OU completely but the search takes too long without the extra filter. Is this possible? Thanks.

Depends.
The Extensible Match Search Filter supports this functionality, assuming that your LDAP server implementation supports it. (Microsoft Active Directory does NOT support this.)
(&(|(ou:dn:=People \28Staff\29)(ou:dn:=People \28Vendors\29))(objectclass=inetorgperson))

Related

LDAP limit user search on specific OUs

I have been wondering whether it is possible to limit OUs in the search base. This is how my hierarchy looks:
Now, my search base is: dc=prod,dc=prod,dc=co
Is there possibility to limit user search only to these:
OU=PROD,OU=SYS
OU=PROD,OU=Int
OU=UNIX
I'm a noob in this area; I would really welcome it if someone could help.
Not sure if it is possible to use userSearchBase for multiple OUs (so far I understood that it is not possible, although for sssd I saw an example which works).
I think some user search filter might do it, but I wasn't really successful, unfortunately.
Yes, you can limit the search base to multiple or single OUs.
Ranger does accept multiple search bases, for example:
OU=PROD,OU=SYS,dc=prod,dc=prod,dc=co;OU=PROD,OU=Int,dc=prod,dc=prod,dc=co;OU=UNIX,dc=prod,dc=prod,dc=co
A few things to note: the bases have to be separated by ";" and each needs the full path, including the "dc" values.

Retrieving group membership in LDAP

I am using a sample LDAP which is available online here.
I want to retrieve a user's group membership given their uid. In the example, Gauss (uid=gauss) is a member of the Mathematicians group (ou=mathematicians,dc=example,dc=com).
I tried several LDAP queries but I cannot seem to find the one that returns me the ou=mathematicians given the uid.
There are a lot of similar answers on SO but none seem to fit this very simple use case.
Thanks,
David.
You won't be able to retrieve the group membership by simply using the uid, as the group memberships are stored using the uniqueMember attribute, which requires a complete DN as its value. Therefore you'll have to use a search filter like uniqueMember=uid=gauss,dc=example,dc=com.
You might think "that's great, so I just add uid=gauss to the baseDN and I'm finished". You might not always have luck with that, as it's not defined that users have to be located right in the baseDN. They might be distributed across the complete LDAP tree, and then it's going to be tough. But when you have already searched for the user (i.e. for binding) you got the DN back "for free", so you can use that.
Hope that helps!
Not sure if I get right what you want to do, but retrieving group membership is done by a filter similar to this one:
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=<<<USER-DN>>>))
I always pull the user DN with a separate search:
(&(objectCategory=person)(objectClass=user)(samaccountname=<<<USER LOGON NAME>>>))
I don't know if uid, dn and samaccountname can be used interchangeably in every filter, but try it with uid=<<>> instead.
See this article for details: https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

LDAP Search Wildcards in memberOf

We have an LDAP with a number of groups that follow this pattern:
Acme-MyApp-ABC-Admin
Acme-MyApp-ABC-Bottlewasher
Acme-MyApp-ABC-Cook
Acme-MyApp-DEF-Admin
Acme-MyApp-DEF-Bottlewasher
Acme-MyApp-DEF-Cook
etc repeated many times.
(&(objectClass=person)(memberOf=cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com))
correctly returns members of the Acme-MyApp-ABC-Admin group. We'd like to find members of all of the Admin groups.
(&(objectClass=person)(memberOf=cn=*-Admin,ou=Groups,dc=acme,dc=com))
Is it possible to put a wildcard within a DN?
Generally, wildcard searches on DN-syntax attributes are not supported.
Some LDAP server implementations may support them. Your question is tagged as OpenLDAP, but the search filter appears to be more like an AD implementation.
I did find "Question about using an LDAP filter to get memberOf from an AD Group" on TechNet stating, ".. that wildcards are no allowed." (I am assuming he meant NOT vs no.)
-jim
While I do not think that this can be done with the LDAP filter directly, I have faced similar requirements many times and my go-to method is as follows:
Create a group that encapsulates all relevant groups, in your case the admin groups.
Acme-MyApp-Admins
Acme-MyApp-ABC-Admin
Acme-MyApp-DEF-Admin
Then setup a filter based on the recursive membership of that group.
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Acme-MyApp-Admins,ou=Groups,dc=acme,dc=com))
This way you only need to take care that every new admin group is added as a member of the access group; you do not need to modify the LDAP filter.

How to retrieve the ou of the group a user belongs to in LDAP

I have a series of users and groups. Users' DNs can be added to the group's uniquemember attribute. How can I query LDAP such that I send a user dn and it returns to me the OU of the group that user belongs to?
I am doing this based on the LDAP at ldap.forumsys.com.
See the screenshot below:
Thanks.
What you want is a pretty common equality match filter, for example:
(uniquemember=uid=einstein,dc=example,dc=com)
Note, that the value is not quoted. You only need to escape / replace special characters (e.g. parenthesis). More information about LDAP filter syntax can be found in RFC 4515.
Also keep in mind that LDAP filters are very simple and provide only simple value matching (this can be confusing to people used to SQL and complex queries with joins, subselects, functions, etc.).

LDAP query to enumerate of all users of the subgroups of a group

This LDAP query successfully enumerates all users within a group:
memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2.
In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup2, and then make the union.
However, I am asking how I can achieve the same result with only one LDAP query,
asking for all the users within MyGroup1 and its sub-groups.
Any idea?
There is no such thing as a subgroup, just groups. The correct term is subordinate,
i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.
Use the following parameters in an LDAP search request:
base object: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
search scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
requested attribute: whichever multi-valued attribute holds the distinguished name of each member of the group
These search request parameters should result in a search result with two entries, the distinguished name of each entry, and the attributes whose values are the distinguished names of the members of each group.
See also:
LDAP: Search best practices
LDAP: Programming practices
If your server is Microsoft Active Directory then you can use some extended rules. One of those rules does basically what you are looking for. Look at this answer.
Try this:
memberof:1.2.840.113556.1.4.1941:=CN=Some Group,OU=My Organization Unit,DC=company,DC=com
Quoting from that answer:
[...] it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN: This rule is limited to filters that apply to the DN. This is a special "extended match" operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
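Added example (not from any of the answers above) covering both the Acme-MyApp-Admins umbrella-group approach and the LDAP_MATCHING_RULE_IN_CHAIN answer: a client-side model of what the 1.2.840.113556.1.4.1941 rule resolves on the server, i.e. a transitive walk over member values with cycle protection. The directory contents are constructed for the example, and the function name is my own.

```python
# Model of nested-group resolution as LDAP_MATCHING_RULE_IN_CHAIN performs it
# server-side: walk the member attribute transitively from a starting group.
from collections import deque

# Constructed sample directory: DN -> attributes. The ABC and DEF admin groups
# are members of the umbrella Acme-MyApp-Admins group; DEF-Admin also lists the
# umbrella group as a member, producing a cycle the walk must survive.
DIRECTORY = {
    "cn=Acme-MyApp-Admins,ou=Groups,dc=acme,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com",
                   "cn=Acme-MyApp-DEF-Admin,ou=Groups,dc=acme,dc=com"],
    },
    "cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,ou=People,dc=acme,dc=com"],
    },
    "cn=Acme-MyApp-DEF-Admin,ou=Groups,dc=acme,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=bob,ou=People,dc=acme,dc=com",
                   "cn=Acme-MyApp-Admins,ou=Groups,dc=acme,dc=com",  # cycle
                   "cn=ghost,ou=People,dc=acme,dc=com"],  # dangling DN
    },
    "cn=Acme-MyApp-ABC-Cook,ou=Groups,dc=acme,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=carol,ou=People,dc=acme,dc=com"],
    },
    "cn=alice,ou=People,dc=acme,dc=com": {"objectClass": ["person"]},
    "cn=bob,ou=People,dc=acme,dc=com": {"objectClass": ["person"]},
    "cn=carol,ou=People,dc=acme,dc=com": {"objectClass": ["person"]},
}


def members_in_chain(directory, group_dn):
    """Return the set of person DNs reachable from group_dn via nested groups.

    Real servers compare DNs case-insensitively; this model assumes the
    constructed DNs are already in canonical form.
    """
    seen, queue, people = set(), deque([group_dn]), set()
    while queue:
        dn = queue.popleft()
        if dn in seen:          # already expanded: breaks membership cycles
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:       # member DN that no longer exists
            continue
        if "person" in entry["objectClass"]:
            people.add(dn)
        queue.extend(entry.get("member", []))
    return people
```

Adding a new admin group as a member of Acme-MyApp-Admins makes its people appear in the result without touching the filter, which is the point of the umbrella-group approach.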