Solved

LDAP: using a filter to avoid a sub OU in Active Directory

Posted on 2009-07-08
Last Modified: 2013-12-24

I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.

I have an OU I want to pull information from, but there is a sub OU I want to avoid:

Wanted: users from OU=People,DC=mydomain,DC=com
Not Wanted: users from OU=Evil,OU=People,DC=mydomain,DC=com

I know that this could be done by rewriting the application performing the import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.
Question by:DrStalker
4 Comments
 
LVL 6

Expert Comment

by:aces4all2008
ID: 24811391
To return all user objects you'd use an LDAP filter like the following:

"(&(objectClass=user))"

Because Microsoft's implementation of LDAP does not recognize OUs as directory objects you can't just skip specific OUs in your search.  What you can do is filter out objects with specific OUs as part of their distinguished name.  Just more work for the same result.  An LDAP filter that returns all user objects except those with the EVIL ou in their distinguished names would look like this:

"(&(objectClass=user)(!(ou:dn:=evil)))"
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 300 total points
ID: 24811581

MS doesn't support that syntax either. MS does recognise OUs as directory objects. That isn't the problem.

In short, you cannot filter on OU within an LDAP query against AD I'm afraid.

There are a few reasons for this, the most important being that there is no such attribute as "ou" applied to user accounts. Another is that you cannot use wildcards in values for distinguished names in a filter.

Filter syntax is discussed here:

http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx

Chris
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 200 total points
ID: 24813512
Yes, unfortunately there is nothing you can do in a single LDAP query to filter out members of a particular OU as the DN format does not accept wildcards.

If you were coding, you would need to do this after the query, but if all you have is the single LDAP filter in your app to play with, then the best I can think of is to add all the members of this OU to a group, and filter on this group, i.e.

(&(your query so far)(!(memberof=cn=mygroup,ou=someou,dc=domain,dc=local)))

Not ideal. You can't even use a query based group as this wouldn't write to 'memberof' on the users. If you wanted to automate the membership of this group you could script this and get it to run periodically. So it would basically get all users in the OU in question and ensure that they are all members of this group, and subsequently these users would be excluded from your LDAP query.
0
 

Author Closing Comment

by:DrStalker
ID: 31601420
Thanks for the help, I'll purge the entries with SQL after they are imported (delete from table where DN like '%OU=Evil%') as a workaround.
0
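The post-query filtering mentioned in the answers, and the cleanup step from the closing comment, shown as an added example that is not part of the original thread: it drops entries by comparing parsed DN components instead of matching a substring, so a sibling OU such as OU=EvilTwin or a CN that merely contains the text "OU=Evil" is not removed by mistake. The function names and sample DNs are constructed for illustration, and the code assumes DNs arrive in the backslash-escaped string form.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; return normalised (attr, value) pairs."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep an escaped pair such as "\," together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        # DN comparison here is case-insensitive; hex escapes are not canonicalised.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, ancestor):
    """True when dn is the ancestor itself or sits anywhere below it."""
    d, a = split_rdns(dn), split_rdns(ancestor)
    return len(d) >= len(a) and d[-len(a):] == a


def drop_excluded(dns, excluded_ou):
    """Keep only the DNs that are not inside excluded_ou."""
    return [dn for dn in dns if not is_under(dn, excluded_ou)]


def substring_keep(dns, needle="ou=evil"):
    """The substring approach, for comparison: it over-matches."""
    return [dn for dn in dns if needle not in dn.lower()]


# Constructed sample data using the OU names from the question.
EXCLUDED = "OU=Evil,OU=People,DC=mydomain,DC=com"
SAMPLE = [
    "CN=Alice,OU=People,DC=mydomain,DC=com",
    "CN=Bob,OU=Evil,OU=People,DC=mydomain,DC=com",
    "CN=Carol,OU=Temps,OU=evil,OU=People,DC=mydomain,DC=com",
    "CN=Dave,OU=EvilTwin,OU=People,DC=mydomain,DC=com",
    "CN=Smith\\, OU=Evil,OU=People,DC=mydomain,DC=com",
]

if __name__ == "__main__":
    print("component match keeps:", drop_excluded(SAMPLE, EXCLUDED))
    print("substring match keeps:", substring_keep(SAMPLE))
```
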
