AD LDAP Search Filter Assistance

John_Doe · October 1, 2005, 1:37am

okay,

I got Jive to integrate with LDAP just fine but can’'t seem to get my Search Filter working.

I’‘ve used SoftErra Ldap Browser and LDAP Browser Editor and my search filter works fine with both. But when I try to add it to the Jive config file it doesn’'t work.

My LDAP search filter is as follows (All users whose account is not disabled and member of Marketing Group)

(&(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(memberO f=CN=Marketing,CN=users,DC=craizie,DC=com))

below Is my config file.

Am I missing something in the Search Filter? Or in my LDAP configuration?

Thanks

Noah_Campbell · October 1, 2005, 12:50pm

This element in the query looks suspect

userAccountControl:1.2.840.113556.1.4.803:=2[/code]

What if you drop of the :1.2.840.113556.1.4.803:[/b]? I think that’'s only to specify the data type, but I could be mistaken.

Noah

Cameron_Moore · October 3, 2005, 1:34pm

Noah,

I believe the

userAccountControl:1.2.840.113556.1.4.803:=2[/code]

filter works properly. That’‘s how Active Directory does bitwise permissions. If that value equals 2, the account is disabled. What I’'m not sure of is if it works properly in JM. It does work properly from the linux command line.

Cameron_Moore · October 3, 2005, 1:52pm

SupaXStarz,

Your filter does appear to be valid. One small tidbit is that if you are doing all & operations, you can keep them on the same level, like this:

(&(A)(B)(!©))[/code]

So you could simplify your filter a little by using this:

(&

(objectClass=user)

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

(memberOf=CN=Marketing,CN=users,DC=craizie,DC=com)

)[/code]

What happens if you take the userAccountControl check out? Do you get all the users including the disabled ones?

It appears there may be another way to select only active accounts according to this thread:

http://jivesoftware.org/community/thread.jspa?messageID=99971

Use userAccountControl=66048[/b] to select only active accounts. Try that and see if it makes any difference.

John_Doe · October 3, 2005, 6:03pm

Noah,

the LDAP query against AD does not work without :1.2.840.113556.1.4.803: in either Jive or any other LDAP Browser

I’'m running Jive 2.2.0 on Windows 2000 Advanced if that helps anyone.

Thanks.

John_Doe · October 3, 2005, 6:14pm

hrothgar,

The simplified query you supplied works on LDAP browers but still not in Jive. I can log onto Jive with the search query but all the AD accounts still show up without any disabled or non member accounts being filtered out.

Is there something I’'m forgetting to include in my config file?

Has anyone else in Windows 2000 Environment having similar problems? Or has anyone else been able to get search filter working in Jive and Windows 2K?

Thanks.

John_Doe · October 3, 2005, 6:29pm

Tried the userAccountControl=66048 and it works

Thanks You Guys!