LDAP Search Filter and Group search filter Help!

Ok, I've been looking all over the forum pages and can't find the answer I need. Below is what I'm trying to create for my search filter and group search filter. I can't seem to get the search correct. I'm new to this and don't know how to put the string together.

I want the searchfilter to show just users that are members of all CN groups under a certain OU.

I also want the groupsearchfilter to show the CN groups that are under that same OU.

ADSI Edit shows the following:

Domain MNO.PQR.com
DC=PQR,DC=com
OU=State
OU=State Groups
OU=IM Groups
CN=Dept1 Grp
CN=Dept2 Grp
CN=Dept3 Grp

Can anyone show me the searchfilter and groupsearchfilter for what I want?

I only want the users that are members of the Dept* Grp's,

and I only want to show the Groups that are under the IM Groups OU.

Thanks in advance for any help.

RT

One important note: LDAP doesn't support filtering based on DN (i.e. DN=CN=Some Group,OU=IM Groups,DC=MNO,DC=PQR,DC=COM). The only way to limit searches to that OU is to key off of some attribute inside the Group or to tell Wildfire to bind to that OU (with the baseDN directive).

What you can do is use sub-grouping. Create a global group called WildfireAccess. Make the groups you want to show up in Wildfire members of that new group. Do the same thing for the users you want to have access to Wildfire. Then adjust your filters to make sure that only users and groups that are members of the WildfireAccess group are selected.

For more details, see my replies to some really old posts that dealt with this issue:

http://www.jivesoftware.org/community/thread.jspa?messageID=120078&#120078

http://www.jivesoftware.org/community/thread.jspa?messageID=100951&#100951

Both of those posts were made back when the Jive forums had different markup tags to make things bold and such. Good luck.

Thank you hrothgar.

In looking at your first old thread link:

Wouldn't I be able to create a WildFire Group and just add my Dept1 Grp, Dept2 Grp, etc. groups as members of that group and do the same thing? As users are already members of the Dept* Grp's, they would then inherit the WildFire Group?

If I then had my search filter just look at WildFire Group for both Users and Groups it would get both. Correct?

Thanks again.

That's a good idea, but is that how it works? I'm not at work right now to verify it.

I am actually testing this now in Win2k3 AD.

e.g.

  • My search filters are set up to search only the "Wildfire IM Group"

  • "Wildfire IM Group" is a top-level group with no actual user membership

  • "IT Group" is a member of the "Wildfire IM Group"

The users from "IT Group" cannot log in or authenticate to the Wildfire server.

If I add a user directly to the "Wildfire IM Group" they can log in and authenticate.

Is there a way for Wildfire to find users that are part of Member Groups which are members of the Top Level Group?

Group nesting is an AD thing, not an LDAP thing, and isn't currently supported to my knowledge.

Thanks for the feedback, jaye. Your findings line up with my understanding of how the LDAP support works. Let me do a little explaining...

Wildfire uses the user search filter to get a list of users that should be given access. If user1 is a member of "IT Group" but not "Wildfire IM Group", the LDAP user object will not have an attribute of "memberOf=CN=Wildfire IM Group", so the query will obviously fail. As wvankuyk noted, Wildfire doesn't traverse nested group memberships, so this setup won't work.

Any Jive folks watching this discussion? How about adding a Feature Request for LDAP group membership traversal? This feature would make managing LDAP even easier than it already is.
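As an added illustration of the two points made in this thread (hrothgar's sub-grouping approach that keys the user and group filters on memberOf, and the nested-group case that jaye tested and that Wildfire does not traverse), here is a small Python script that is not from the thread or from Wildfire. It builds the two filters with proper RFC 4515 escaping, evaluates them against a constructed in-memory directory, and includes a transitive expansion routine to show what "group membership traversal" would have to do. The group names WildfireAccess, IM Groups and Dept1 Grp come from the thread; the OU nesting, the DC components, the user entries and the helper names are assumptions made for the example.

```python
"""Added example (not from the original thread): Wildfire-style LDAP filters
keyed on direct group membership via memberOf, plus a minimal in-memory filter
evaluator showing why a user who is only a member of a nested group does not
match. All entries below are constructed; the OU nesting is assumed."""
import re

# RFC 4515 escaping for values embedded in a filter; without it a value
# containing '(' ')' '*' or '\' would change the meaning of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def user_search_filter(access_group_dn: str) -> str:
    """Users that are DIRECT members of the access group (the sub-grouping approach)."""
    return "(&(objectClass=user)(memberOf=%s))" % escape_filter_value(access_group_dn)

def group_search_filter(access_group_dn: str) -> str:
    """Groups that are direct members of the access group."""
    return "(&(objectClass=group)(memberOf=%s))" % escape_filter_value(access_group_dn)

# --- minimal evaluator for filters made of &, | and attr=value clauses ---
def _parse(f: str, i: int = 0):
    assert f[i] == "(", "filter clauses must be parenthesised"
    i += 1
    if f[i] in "&|":
        op, i, children = f[i], i + 1, []
        while f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        return (op, children), i + 1        # skip the closing ')'
    j = f.index(")", i)                     # escaped values never contain a raw ')'
    attr, _, value = f[i:j].partition("=")
    return ("=", attr, unescape_filter_value(value)), j + 1

def _eval(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    _, attr, value = node
    # AD compares DNs and most string attributes case-insensitively
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(directory: list, filter_str: str) -> list:
    """Return the DNs of entries matching filter_str, in directory order."""
    node, end = _parse(filter_str)
    assert end == len(filter_str), "trailing characters in filter"
    return [e["dn"] for e in directory if _eval(node, e)]

def expand_members(directory: list, group_dn: str) -> list:
    """What the thread says Wildfire lacks: follow group-in-group nesting
    from group_dn and return every user reachable through it."""
    seen, users, todo = set(), [], [group_dn]
    while todo:
        g = todo.pop()
        for e in directory:
            if g in e.get("memberOf", []) and e["dn"] not in seen:
                seen.add(e["dn"])
                if "group" in e["objectClass"]:
                    todo.append(e["dn"])
                else:
                    users.append(e["dn"])
    return users

# Constructed directory: the OU nesting and DNs are assumptions, not from ADSI.
BASE = "OU=IM Groups,OU=State Groups,OU=State,DC=MNO,DC=PQR,DC=com"
ACCESS_GROUP_DN = "CN=WildfireAccess," + BASE
DEPT1_DN = "CN=Dept1 Grp," + BASE
ALICE_DN = "CN=alice,OU=State,DC=MNO,DC=PQR,DC=com"
BOB_DN = "CN=bob,OU=State,DC=MNO,DC=PQR,DC=com"
DIRECTORY = [
    {"dn": DEPT1_DN, "objectClass": ["top", "group"], "memberOf": [ACCESS_GROUP_DN]},
    # alice was added to WildfireAccess directly; bob is only in Dept1 Grp
    {"dn": ALICE_DN, "objectClass": ["top", "user"], "memberOf": [ACCESS_GROUP_DN, DEPT1_DN]},
    {"dn": BOB_DN, "objectClass": ["top", "user"], "memberOf": [DEPT1_DN]},
]

if __name__ == "__main__":
    print(user_search_filter(ACCESS_GROUP_DN))
    print("direct user matches:", search(DIRECTORY, user_search_filter(ACCESS_GROUP_DN)))
    print("group matches:", search(DIRECTORY, group_search_filter(ACCESS_GROUP_DN)))
    print("with nesting traversal:", expand_members(DIRECTORY, ACCESS_GROUP_DN))
```

Running it shows alice (a direct member of WildfireAccess) matching the user filter while bob (a member only through Dept1 Grp) does not, which is the behaviour jaye observed; expand_members returns both, which is what a traversal feature would have to compute. In a real deployment the filter strings would go into Wildfire's searchFilter and groupSearchFilter settings and the evaluation would be done by the directory server, not by this script.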