AD users in multiple OUs

Our AD environment has users split up into multiple OUs. When adding the to the wildfire.xml config, it won't search users down the tree... just the current OU that is specified in the baseDN.

I added a group called Jabber to that OU, to see if that would work, but only the users in the baseDN OU show up.

Any ideas?

Thanks in advance!!!

Here's an idea: set baseDN to a BASE DN.

For example, say you have your users in following two OUs:

ou=Some Users,dc=example,dc=com

ou=Other Users,dc=example,dc=com

To get all your users, set the baseDN to this:

dc=example,dc=com

I have the baseDN set to DC=company,DC=com. So you would think it would search the whole tree, but it doesn't.

From what you are saying, it should search for users in any container below the baseDN, but it's not working that way. Here's my config:

cn member description <![CDATA[
      (&
           (objectClass=group)
           (memberOf=CN=Jabber,OU=morespecificOU,OU=subcompany,DC=company,DC=com)
           (member=)
      )]]>


Any idea on this? I've also tried the tag with the OUs where other users exist, and it still doesn't work. The only way it works is if users exist in the specific OU listed as the baseDN.

Thanks!

Try testing your search filters with LDAP Browser 2.6 http://www.ldapbrowser.com/. LDAP queries should traverse the sub-containers. I'm not sure why it's not working for you.

The search filters are working great. However, I did find that users outside of my context can log in fine, who are members of the group.

My context in AD contains this... OU=Information Software / Technologies

Would the "/" be throwing off Wildfire? It seems anyone outside of this can log in fine. However, when I add that OU as part of the baseDN, it works fine, except then my other users don't show up because they're in other parts of the tree.

Interesting. I did find a bug relating to a "/" in a userDN, but not in an OU.

Any thoughts?


Take the slash out and see what happens. This may be the bug detailed in JM-695.

Yeah, I saw that bug, and I agree, it's probably the same thing. I'll give that a shot and see what happens.

Thanks!

It was the "/". Obviously LDAP doesn't care, but for some reason the Java code behind Wildfire didn't like it. Everything works great now! Thanks.
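As an added illustration (not code from this thread or from Wildfire), the following Python models the two points the thread turns on: a subtree search from a base DN returns entries in every container beneath it while a one-level search returns only direct children (the symptom evinh describes), and a DN whose OU value contains "/" is perfectly legal LDAP, so a parser that follows RFC 4514 handles it without any special treatment. The directory entries are constructed for the demo and the OU names are hypothetical.

```python
# Toy LDAP directory: RFC 4514-style DN parsing plus base/one/sub scope
# checks. Constructed sample data, not from the thread.

def parse_dn(dn):
    """Split a DN into (type, value) RDNs, most specific first.
    Backslash escapes such as "\\," are honoured; hex escapes are not
    (simplification). "/" is an ordinary character in an LDAP DN.
    Types and values are lower-cased so AD's "OU=" matches "ou="."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn for scope 'base', 'one' or 'sub'."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(entries, base_dn, scope="sub"):
    """DNs from entries that a search with this base and scope would return."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]

# Constructed directory: users spread across several OUs, one OU name
# containing "/" and one containing an escaped comma.
SAMPLE_DIRECTORY = [
    "dc=example,dc=com",
    "ou=Some Users,dc=example,dc=com",
    "cn=alice,ou=Some Users,dc=example,dc=com",
    "ou=Other Users,dc=example,dc=com",
    "cn=bob,ou=Other Users,dc=example,dc=com",
    "ou=Information Software / Technologies,dc=example,dc=com",
    "cn=carol,ou=Information Software / Technologies,dc=example,dc=com",
    "cn=dave,ou=Sales\\, EMEA,dc=example,dc=com",
]
```

Running `search(SAMPLE_DIRECTORY, "dc=example,dc=com", "one")` returns only the three OU entries, whereas scope `"sub"` returns all eight, including the user under the OU named with a "/".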