LDAP BaseDN Setup

I am having an issue with the BaseDN syntax for my Active Directory setup. Below is my AD structure; I’m hoping I can get the BaseDN set up correctly so I can just import actual user (not computer) accounts.

The Administrators OU includes users and computers; the Users OU only includes users. The reason why I am not using the default folder (/root/users/) is because of Group Policy.

Right now, I have my BaseDN set up like this: ou=teammembers;dc=sub,dc=domain,dc=com

Is there a way to include the administrators and users groups in one BaseDN?

I had a similar issue and ended up creating a new OU to house all the various user OUs.

You could use the entire tree for your baseDN instead of an OU. But since you mentioned Group Policy I would feel remiss if I did not mention that you could restructure your OUs to better accommodate LDAP query programs like Openfire. The side benefit would be more granularity in your group policies. Also it is really bad form to use the default containers (Users, Computers) for devices you have added. For example, my structure is roughly:

  • domain.com
      • DomainAccounts
          • Admins
          • LocationA
          • LocationB
          • SecurityGroups
          • DistributionGroups
      • DomainComputers
          • Admins
          • LocationA
          • LocationB
          • Domain Controllers
          • Exchange Servers

Under this setting your OU Domain Accounts would be your baseDN. It would include all users and groups, but exclude computers. You can create new OUs at any point. You can move existing structure as well, to nest existing OUs to your benefit. It will throw a warning but I have never had it affect my users or computers as long as my policies move with the OUs.

Thanks for the quick replies.

So bottom line is that I can’t have multiple OUs in the BaseDN. I am ok with moving the OUs around.

mtstravel wrote:

Under this setting your OU Domain Accounts would be your baseDN. It would include all users and groups, but exclude computers.

How does the groups thing work with Openfire? I know that there are many users listed in multiple groups; I do not think that is necessary... unless you convince me otherwise.

I ended up doing something a bit differently - I had Openfire scan our domain from the root OU but then added a filter for both users and groups.

In other words, Openfire can “see” the entire OU structure but is only adding users that are a member of a particular group (it’s basically an “all users” group that we apply other policies to), and only groups that are a member of the “Openfire Groups” security group. The syntax for the filter is:

User filter: (&(objectClass=organizationalPerson)(memberOf=CN=All Users,OU=Security Groups,OU=Users,DC=foo,DC=bar))

Group filter: (&(objectClass=group)(memberOf=CN=Openfire Groups,OU=Security Groups,OU=Users,DC=foo,DC=bar))

This has worked great for us so far, but there are probably better ways of doing it…this just worked for our environment.
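To show the two syntax points raised in this thread in working code (RFC 4515 prefix notation for the AND filters just above, and comma-separated RDNs for the BaseDN asked about at the top), here is an added Python example; it is not Openfire code or anything posted by the participants, and the DNs it checks are constructed from the thread.

```python
# Added example (not from the thread): build RFC 4515 filters and sanity-check a
# BaseDN. The DNs used here are constructed from the posts above for illustration.
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value,
# otherwise a value containing ')' or '*' can change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the filter's structure (LDAP filter injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def and_filter(*items: str) -> str:
    """Combine filter items with RFC 4515 prefix AND: (&(a)(b)), not (a)&(b)."""
    return "(&" + "".join(items) + ")"


def member_of_filter(object_class: str, group_dn: str) -> str:
    """Filter matching entries of object_class that are direct members of group_dn."""
    return and_filter(
        f"(objectClass={escape_filter_value(object_class)})",
        f"(memberOf={escape_filter_value(group_dn)})",
    )


# One RDN: attribute type, '=', then a value in which , + " \ < > ; appear only escaped
# (RFC 4514 section 2.4). Multi-valued RDNs joined with '+' are not handled here.
_RDN = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=((?:[^,+"\\<>;]|\\.)+)$')


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs.

    RDNs are separated by ',' (a backslash-escaped comma stays inside the value).
    An unescaped ';' inside a value is malformed under RFC 4514, so a DN such as
    'ou=x;dc=y,dc=z' is rejected rather than silently treated as one RDN.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN {rdn.strip()!r} in {dn!r}")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns
```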

Openfire will read all groups in your baseDN but will not automatically share them. You must choose which groups to share. Personally I created a separate OU outside my baseDN for all my normal security/distribution groups. Then I created a ChatGroups OU in my DomainAccounts OU (my baseDN) for the groups I wanted Openfire to see/use.