
LDAP AD - Filter query to include multiple "subgroups"

Question asked by buimichael on May 14, 2018

I have the following structure in the AD:
DC=intra
--DC=company
----OU=Company
------OU=Users
------OU=Groups
--------OU=Roles and Departments
------OU=Mailing Groups
--------OU=Mail distribution
What I want is to fetch groups from "Roles and Departments" and "Mail distribution" (including all child groups) and all users under "Users".
What I've attempted so far:

Attempt 1:
In the first attempt I tried to set up two authentication subsystems, ldap1:ldap-ad, ldap2:ldap-ad. This did not work that well since the groups from ldap2 were empty (no members).

ldap-ad1 setup:

ldap.synchronization.personQuery=(&(objectClass\=person)(!(objectClass\=computer)))
ldap.synchronization.userSearchBase=OU\=Users,OU\=Company,DC\=company,DC\=intra

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=OU=Mail distribution,OU=Mailing Groups,OU\=Company,DC\=company,DC\=intra
ldap-ad2 setup:

ldap.synchronization.personQuery=(&(objectClass\=person)(!(objectClass\=computer)))
ldap.synchronization.userSearchBase=OU\=Users,OU\=Company,DC\=company,DC\=intra

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=OU=Roles and Departments=OU=Groups,OU\=Company,DC\=company,DC\=intra

Attempt 2:
In the second attempt I tried using some clever query filter (groupQuery) to separate these groups in one ldap configuration, however my knowledge of writing these filters is insufficient and I can't seem to get a correct one to work.
ldap.synchronization.personQuery=(&(objectClass\=person)(!(objectClass\=computer)))
ldap.synchronization.userSearchBase=OU\=Users,OU\=Company,DC\=company,DC\=intra
ldap.synchronization.groupQuery=(&(objectclass=group)(|(memberOf=OU=Roles and Departments=OU=Groups)(memberOf=OU=Mail distribution,OU=Mailing Groups)))
ldap.synchronization.groupSearchBase=OU\=Company,DC\=company,DC\=intra
Attempt 3:

In the last attempt I've just included all groups under intra>company>company; this is not that good, however, as it may include groups that are not supposed to be in the system.

ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.personQuery=(&(objectClass\=person)(!(objectClass\=computer)))
ldap.synchronization.userSearchBase=OU\=Users,OU\=Company,DC\=company,DC\=intra

ldap.synchronization.groupSearchBase=OU\=Company,DC\=company,DC\=intra

Ideally I'd like attempt 2 to work, but I simply can't get a filter query to do what I want. Any suggestions are greatly appreciated.
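Added example, not part of the question above or of the sync software's own code: a small Python helper that scopes group DNs to the two OU subtrees the post wants, the way a search base scopes a directory search. The two base DNs are assumed from the tree shown in the question (note the comma between "Roles and Departments" and "Groups", where the attempts above have a "="); the sample group DNs are constructed. A memberOf filter matches the groups an object belongs to, not the container it sits in, so container scoping has to come from the DN, as this helper checks.

```python
import re

# Constructed sample group DNs (not from the post), following the OU tree in the question.
SAMPLE_GROUP_DNS = [
    "CN=Finance,OU=Roles and Departments,OU=Groups,OU=Company,DC=company,DC=intra",
    # A nested child OU and an escaped comma in the CN value.
    "CN=Sales\\, EMEA,OU=Nested,OU=Roles and Departments,OU=Groups,OU=Company,DC=company,DC=intra",
    "CN=all-staff,OU=Mail distribution,OU=Mailing Groups,OU=Company,DC=company,DC=intra",
    # Directly under OU=Company: in scope for attempt 3, but not wanted.
    "CN=Legacy Admins,OU=Company,DC=company,DC=intra",
    "CN=Domain Admins,CN=Users,DC=company,DC=intra",
]

# Assumed intended search bases, read off the tree in the question.
ALLOWED_BASES = [
    "OU=Roles and Departments,OU=Groups,OU=Company,DC=company,DC=intra",
    "OU=Mail distribution,OU=Mailing Groups,OU=Company,DC=company,DC=intra",
]

# Split on commas that are not escaped with a backslash (a "\\," inside a value is kept).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, most specific first.

    Attribute types and values are compared case-insensitively, as AD does.
    Only the first '=' separates type from value, so a '=' inside a value survives.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_under_base(dn, base):
    """True if dn is base itself or lies anywhere in the subtree below it (suffix match on RDNs)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def in_scope(dn, bases=ALLOWED_BASES):
    """True if the DN falls under any of the allowed subtrees."""
    return any(dn_under_base(dn, base) for base in bases)


def select_groups(dns, bases=ALLOWED_BASES):
    """Keep only the group DNs that fall under one of the allowed subtrees."""
    return [dn for dn in dns if in_scope(dn, bases)]
```

Running `select_groups(SAMPLE_GROUP_DNS)` keeps the first three DNs and drops the two outside the wanted subtrees, which is the filtering the post's attempt 3 lacks.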
