LDAP Filter not working

I’ve got Openfire 4.0.2 installed and successfully querying LDAP on my Active Directory server. However, it’s pulling in computer objects as well as user objects. I have this value set for the ldap.searchFilter property: (&(objectCategory=person)(mail=*)(objectClass=user)). In theory, this should filter out any object in the OU I specified that doesn’t have an email address (like a computer object and other user objects that I don’t want people to be able to chat with). In practice, I’m still seeing all objects in the OU I specified when I set up LDAP.

Can anyone help?

I use OpenLDAP. Dunno if my settings might help or steer you in the right direction:

ldap.searchFields = Username/uid,Name/cn

ldap.searchFilter = (&(objectClass=posixAccount)(uid={0}))

ldap.searchfilter = (&(objectClass=inetOrgPerson)(memberOf=cn=chat_users,cn=groups,dc=mydomain,dc=com))

I can’t tell you why I wound up with two filters, but it works and it’s a black box to me, so I leave it the heck alone :slight_smile:


Try to use something like this:

(&(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) (memberof=CN=,OU=,DC=domain,DC=com))

Couple of explanations:

samAccountType=805306368 selects only users (more at https://msdn.microsoft.com/en-us/library/ms679637(v=vs.85).aspx )

userAccountControl:1.2.840.113556.1.4.803:=2 selects only active users (it will filter out disabled users, so if you disable a user, he will disappear from the user list) (more at https://support.microsoft.com/en-us/kb/305144 )

memberof=CN=,OU=,DC=domain,DC=com selects members of some group, for example openfire_users
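The filter pieces explained above (the objectCategory/mail filter from the question and the samAccountType / userAccountControl bit-AND / memberof filter from this reply) can be checked offline against a few made-up entries before touching Openfire. This is an added example, not code from the thread or from Openfire; the group DN, the sample accounts and the shortened objectCategory values are constructed:

```python
# Added example, not from the thread: a small evaluator for AD filters like the ones above.
# Supports &, |, !, equality, presence (attr=*) and the bit-AND extensible match
# (attr:1.2.840.113556.1.4.803:=N); matching is case-insensitive, values must not contain ')'.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

def parse(s, i=0):
    # Parse one parenthesised filter component at s[i]; return (node, index after it).
    if s[i + 1] in "&|!":                   # compound: (&(...)(...)), (|(...)), (!(...))
        op, i, kids = s[i + 1], i + 2, []
        while True:
            while s[i] == " ":              # AD tolerates spaces between components
                i += 1
            if s[i] == ")":
                return (op, kids), i + 1
            kid, i = parse(s, i)
            kids.append(kid)
    end = s.index(")", i)                   # simple item: (attr=value), (attr=*), (attr:OID:=N)
    attr, value = s[i + 1:end].split("=", 1)
    if ":" in attr:
        attr, rule, _ = attr.split(":")
        assert rule == BIT_AND_RULE, f"unsupported matching rule {rule}"
        return ("bitand", attr.lower(), int(value)), end + 1
    return ("eq", attr.lower(), value.lower()), end + 1

def matches(node, e):
    # Evaluate a parsed filter against an entry (lowercase attr -> list of values).
    if node[0] in "&|!":
        results = [matches(k, e) for k in node[1]]
        return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]
    vals = e.get(node[1], [])
    if node[0] == "eq":                     # "*" is the presence test
        return any(node[2] == "*" or str(v).lower() == node[2] for v in vals)
    return any((int(v) & node[2]) == node[2] for v in vals)   # bitand: every bit of N set

def entry(**attrs):                         # lowercase attribute names, list-valued attributes
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}

def search(filter_str, directory):          # sorted names of the entries matching filter_str
    return sorted(n for n, e in directory.items() if matches(parse(filter_str)[0], e))

# Constructed sample directory (not real data); objectCategory is shortened to its RDN.
GROUP = "CN=openfire_users,OU=Groups,DC=example,DC=com"
PERSON = dict(objectClass="user", objectCategory="person", sAMAccountType=805306368)
SAMPLE_DIRECTORY = {
    "alice": entry(**PERSON, userAccountControl=512, mail="alice@example.com", memberOf=GROUP),
    "bob": entry(**PERSON, userAccountControl=514, mail="bob@example.com", memberOf=GROUP),  # disabled
    "svc-backup": entry(**PERSON, userAccountControl=512, memberOf=GROUP),                 # no mail
    "WS01$": entry(objectClass=["user", "computer"], objectCategory="computer",
                   sAMAccountType=805306369, userAccountControl=4096),                     # computer
}
```

Running the two filters over SAMPLE_DIRECTORY shows the difference: the mail-based filter keeps the disabled account but drops the mail-less one, while the bit-AND filter drops the disabled account and keeps every enabled group member.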