Ok, I’‘ve been looking all over the forums pages and can’‘t find the answer I need. Below is what I’‘m trying to create for my search filter and group search filter. I can’‘t seem to get the search correct. I’‘m new to this and don’'t know how to put the string together.
I want to searchfilter to show just users that are members of all CN groups under a certen OU
I also want to groupsearchfilter the CN groups that are under that same OU
ADSI edit shows the following
Can anyone show me how the serachfilter and groupsearchfilter for what I want?
I only want the users that are members of the Dept* Grp’'s
and I only want to show the Groups that are under the IM Groups OU.
Thanks in advance for any help.
One important note: LDAP doesn’'t support filtering based on DN (ie. DN=CN=Some Group,OU=IM Groups,DC=MNO,DC=PQR,DC=COM). The only way to limit searches to that OU are to key off of some attribute inside the Group or to tell Wildfire to bind to that OU (with the baseDN directive).
What you can do is use sub-grouping. Create a global group called WildfireAccess. Make the groups you want to show up in Wildfire members of that new group. Do the same thing for the users you want to have access to Wildfire. Then adjust your filters to make sure that only users and groups that are members of the WildfireAccess group are selected.
For more details, see my replies to some really old posts that dealt with this issue:
Both of those posts were made back with the Jive forums had different markup tags to make things bold and such. Good luck.
Thank you hrothgar.
In looking at your first old thread link.
Wouldn’‘t I be able to create a WildFire Group and just add my Dept1 Grp, Dept2 Grp, etc… group as members of that group and do the same thing? As users are already members of Dept* Grp’'s they would then inherit the WildFire Group?
If I then had my search filter just look at WildFire Group for both Users and Groups it would get both. Correct?
That’‘s a good idea, but is that how it works? I’'m not at work right now to verify it.
I am actually testing this now in win2k3 AD
My search filters are setup to search only the “Wilefire IM Group”
“Widfire IM Group” is top level group with no actual user membership
“IT Group” is a member of the “Wildfire IM Group”
The users from “IT Group” can not login or authenticate to the Wildfire server.
If I add a user directly to the “Wildfire IM Group” they can login and authenticate.
Is there a way for Wildfire to find users that are part of Member Groups which are members of the Top Level Group?
Group nesting is an AD thing, not an LDAP thing, and isnt currently supported to my knowledge.
Thanks for the feedback, jaye. Your findings line up with my understanding of how the LDAP support works. Let me do a little explaining…
Wildfire uses the user search filter to get a list of users that should be given access. If user1 is a member of “IT Group” but not “Wildfire IM Group”, the LDAP user object will not have an attribute of “memberOf=CN=Wildfire IM Group” so the query will obviously fail. As wvankuyk noted, Wildfire doesn’‘t traverse nested group memberships, so this setup won’'t work.
Any Jive folks watching this discussion? How about adding a Feature Request for LDAP group membership traversal? This feature would make managing LDAP even easier than it already is.