LDAP filter

‎08-29-2012 07:11 PM
Hi all you AD/LDAP experts. I have a question or two for you this evening.
My filter looks like OU=Global,DC=Corp,DC=One,DC=Co
On top of that I have 6 LDAP OU definitions that each have a different RDN (which is OU=).
My question is (since I didn't set this up), if I have 6 OU definitions with unique RDN filters on the OU, there's no chance the filter will pick up anything outside of these definitions, right? I ask because it seems like we may be pulling from a directory we want to exclude. Is there a way to specifically exclude a particular OU? Or are all the definition criteria TO include something (as opposed to a definition that excludes one)?
One last question.
Say I have a filter that's just OU=Global,DC=Corp,DC=One,DC=Co. On this domain we have one OU definition which does NOT have an RDN. The only thing it has is the generic filter of (&(objectClass=person)(sn=*)(sAMAccountName=*)(!(objectClass=computer))). Does that mean this will include/search EVERY directory and subdirectory starting at the Global OU?
I appreciate all the help. I can't find answers to these questions on the wiki.
Labels: Orchestration (ITOM), Service Mapping

‎08-29-2012 08:34 PM
The filter will pick up all OUs under Global in the list.
Even if you set a deny filter on the OU for read in AD, user accounts inherently have read access which would override this at the OU level.
There are a few ways you could accomplish your goal though:
- Make an LDAP OU definition for each OU you want to scan, to the highest level, without including the OU you don't want
- Use a transform map to just ignore any record coming from that OU (may be the best idea)
In regards to your generic filter, short answer, yes.
This filter will look at all objects classified as "person" and not computer where the sn (surname) field is * and sAMAccountName (username) is *; essentially, yes, this will import everything under the Global OU.
Here's a handy LDAP reference site pertaining to AD
http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
Let me know if you need any further info and I'll be glad to help

‎08-30-2012 09:30 AM
Thank you!
That helped answer some of my questions. Why would my 2nd filter above NOT include an OU that's one deeper? On this one..
OU=Global,DC=Corp,DC=One,DC=Co
It's pulling up all sub OUs but one in particular and that, oddly enough, is one I'm trying to get working. I don't have anything else on this particular LDAP server page with any other OU definitions. It, for one reason or another, doesn't pull in users of one of the sub OUs.
That got me thinking.. is it possible to use 2 OU filters for the RDN? I could create another OU definition on top of the 'global' one that would look for this one sub OU and nothing else. It's two OUs deep though and that's where I have a question.
Is OU=NextOU,OU=FinalOU for the RDN acceptable? Where FinalOU is the actual OU that contains the members?

‎08-30-2012 10:04 AM
The filter should pick up all OUs underneath it; whether or not it actually inserts the data into your table is a different story.
Regarding the comment I made about the OU restriction earlier, where even if you deny access to it in AD, your user account will read it anyway, this still holds true at the OU level, but the object itself could be restricted from being read.
I.e., you have a user account which can only be read by Domain Admins; this account in fact would not be imported, as Deny overrides Allow at the object level.
Yes you definitely can create 2 OU Definitions, each pointing to a specific RDN
Taking your example, your LDAP server base directory would be OU=Global,DC=Corp,DC=One,DC=Co
Your OU definition would be OU=NextOU,OU=FinalOU
Which would make your search path for that definition OU=NextOU,OU=FinalOU,OU=Global,DC=Corp,DC=One,DC=Co
There are a few key components to the LDAP import:
- Starting search directory + OU definition gives the base path to search
- In your definition, you have a filter which only allows objects specified in said filter
- Lastly, the LDAP Server page has an attributes field which you can also use to filter which LDAP fields you're importing
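
A worked illustration of both replies above, as an added example that is not part of the original thread and not ServiceNow's own import code: a toy in-memory directory with a minimal RFC 4515 filter evaluator, the search base built from an OU definition's RDN plus the LDAP server's base DN, subtree scope, and the two exclusion strategies (one OU definition per wanted OU, or searching everything and dropping rows from the unwanted OU the way a transform map "ignore" script would). The entries, OU names and attribute values are constructed for this example. Note that a DN is written leaf-first, so an OU nested inside NextOU is written as OU=FinalOU,OU=NextOU in front of the base DN.

```python
"""Toy LDAP import walk-through (example code, not from the thread):
search base = OU definition RDN + base DN, subtree scope, RFC 4515 filter
evaluation, and the two ways of keeping an unwanted OU out of the import."""
import re

BASE_DN = "OU=Global,DC=Corp,DC=One,DC=Co"
GENERIC_FILTER = "(&(objectClass=person)(sn=*)(sAMAccountName=*)(!(objectClass=computer)))"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory. DNs are leaf-first: the leftmost RDN is the
# deepest container, so an OU nested inside NextOU is "OU=FinalOU,OU=NextOU,...".
SAMPLE_ENTRIES = [
    {"dn": "CN=Ann Lee,OU=Sales,OU=Global,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES, "sn": "Lee", "sAMAccountName": "alee"},
    {"dn": "CN=Bob Ng,OU=FinalOU,OU=NextOU,OU=Global,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES, "sn": "Ng", "sAMAccountName": "bng"},
    {"dn": "CN=Svc Acct,OU=Contractors,OU=Global,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES, "sn": "Acct", "sAMAccountName": "svcacct"},
    # AD computer objects carry person/user in objectClass as well, which is why
    # the generic filter needs (!(objectClass=computer)). Given an sn here so
    # that only the computer clause is what excludes it.
    {"dn": "CN=WS01,OU=Sales,OU=Global,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES + ["computer"], "sn": "WS01", "sAMAccountName": "WS01$"},
    {"dn": "CN=No Surname,OU=Sales,OU=Global,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES, "sAMAccountName": "nosn"},  # fails (sn=*)
    {"dn": "CN=Outside,OU=Other,DC=Corp,DC=One,DC=Co",
     "objectClass": USER_CLASSES, "sn": "Out", "sAMAccountName": "out"},  # not under Global
]


def parse_filter(text):
    """Parse an RFC 4515 filter string into nested tuples. Supports &, |, !,
    presence (attr=*), equality and simple substring assertions; extensible
    and approximate matches and escaped parentheses are not handled."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children), i + 1
        close = text.index(")", i)
        attr, sep, value = text[i:close].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad assertion {text[i:close]!r}")
        return ("=", attr, value), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Case-insensitive attribute lookup, always returning a list of strings."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return [str(v) for v in (val if isinstance(val, list) else [val])]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (AD-style case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = [v.lower() for v in _values(entry, attr)]
    if value == "*":                     # presence: attribute has any value
        return bool(vals)
    if "*" in value:                     # substring: a*b -> ^a.*b$
        pattern = re.compile("^" + ".*".join(map(re.escape, value.lower().split("*"))) + "$")
        return any(pattern.match(v) for v in vals)
    return value.lower() in vals


def search_base(base_dn, ou_rdn=""):
    """Base path of one OU definition: its RDN prepended to the server base DN.
    An empty RDN means the definition searches from the base DN itself."""
    return f"{ou_rdn},{base_dn}" if ou_rdn else base_dn


def _dn_components(dn):
    # Assumes no escaped commas inside RDN values.
    return [c.strip().lower() for c in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """Subtree scope: the entry is the base itself or sits anywhere beneath it."""
    entry, base = _dn_components(entry_dn), _dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def ldap_search(entries, base_dn, filter_text, ou_rdn=""):
    """What one OU definition returns: subtree of its base path, then the filter."""
    base = search_base(base_dn, ou_rdn)
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if in_subtree(e["dn"], base) and matches(node, e)]


def import_with_include_list(entries, base_dn, filter_text, included_ou_rdns):
    """Strategy 1: one OU definition per wanted OU; the unwanted OU is never searched."""
    found = []
    for rdn in included_ou_rdns:
        found.extend(ldap_search(entries, base_dn, filter_text, rdn))
    return found


def import_with_exclusion(entries, base_dn, filter_text, excluded_ou_rdn):
    """Strategy 2: search the whole base, then drop rows under the unwanted OU
    (what a transform-map ignore script does per incoming record)."""
    excluded = search_base(base_dn, excluded_ou_rdn)
    return [dn for dn in ldap_search(entries, base_dn, filter_text)
            if not in_subtree(dn, excluded)]


if __name__ == "__main__":
    print("everything under Global:", ldap_search(SAMPLE_ENTRIES, BASE_DN, GENERIC_FILTER))
    print("nested OU definition:", ldap_search(SAMPLE_ENTRIES, BASE_DN, GENERIC_FILTER, "OU=FinalOU,OU=NextOU"))
    print("include list:", import_with_include_list(SAMPLE_ENTRIES, BASE_DN, GENERIC_FILTER, ["OU=Sales", "OU=FinalOU,OU=NextOU"]))
    print("excluding Contractors:", import_with_exclusion(SAMPLE_ENTRIES, BASE_DN, GENERIC_FILTER, "OU=Contractors"))
```

Running it shows the generic filter with an empty RDN returning every person under Global (Sales, Contractors and the nested FinalOU alike) while the computer object and the entry without an sn drop out, and the nested definition returning only the FinalOU member. The exclusion has to happen either by narrowing the base path or by post-filtering rows, because Active Directory does not support substring matching on DN-syntax attributes such as distinguishedName, so "everything except OU=Contractors" cannot be written into the filter itself.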

‎08-30-2012 01:12 PM
Thank you so much for your help in understanding this better. I am way more confident in dealing with LDAP and import sets in the future.
After struggling for quite a while on trying to get an OU to import, I found out someone created a script to ignore it. So that ended up being that part of the problem 🙂 But because of you I have a much better understanding of LDAP.
Thank you!