powered by Jive Software

LDAP Search Filters for Active Directory

Hi All,

Been searching the forums for a good hour of so looking at other peoples examples and what not trying to find a solution that fits my needs. Unfortunately I only got half of the setup working, I’'ll explain what I am after.

I have created a group called “Company Chat Users” Which is located in Active Directory:

CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local

The users are scattered in different OU’'s under the “Users” OU which is usually organized by state:

OU=Users,OU=DN,DC=DN,DC=local

Using the following I can lock the authentication down to just the “Company Chat Users” group:

I cannot however get the search filter to show all users in this group using a combination of searchFilter and groupSearchFilter.

Hoping someone here might have more experience with LDAP queries and Wildfire usage that is able to help me out, thanks.

Regards,

Jason

I guess my first question is: what you want to do with the groupSearchFilter? I assume your baseDN is OU=DN,DC=DN,DC=local, right?

I would recommend a searchFilter similar to this:

(&(objectCategory=Person)(memberOf=CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local)(sAMAccountName={0}))

Unless you want to break your users up into Jabber groups, there’'s no need to mess with LDAP groups in Wildfire. I need more details on what you are trying to do with the group filtering to help any further.

Hi hrothgar,

My groupSearchFilter I tried a few times with just the basic “any group” it is currently set to:

I am curious as to your searchFilter containing “sAMAccountName=” of which I read in numerous posts should not be used in 3.1?

There is only one Jabber group, thanks for the help.

Try changing your “Member Field” to member instead of members.

Hi papwu,

If you are talking about the groupMemberField then it’'s currently set to:

Regards,

Jason

Well I resolved my problem today when I decided to install the new Wildfire version.

I had created a user called “Jabber” for authentication in AD and it was only a member of “Denied Users” which was denied access to all our corporate data and was removed from the “Domain Users” group, I thought it was working because it was authenticating and also returning my username. However it was only returning my username it was weird.

I found when entering the domain administrator details it worked 100% I delegated read access over our OU to the user and left them out of the “Domain Users” group and changed the search filters and now it’'s working 100%.

Authentication and search results return users only in the group.

I have created a group called “Company Chat Users” Which is located in Active Directory:

CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local

The users are scattered in different OU’'s under the “Users” OU which is usually organized by state:

OU=Users,OU=DN,DC=DN,DC=local

Using the following I can lock the authentication down to just the “Company Chat Users” group:

For anyone who might be interested…

Change your search filter for performance

Your search filter is this.

(&(objectCategory=Group)(objectClass=Group))

better would be this.

(&(sAMAccountType=805306368)(!(objectClass=inetOrgPerson)))

sAMAccountType is an index attribute in AD. It should return things which represent a Person object extended with Principal attributes (password, etc). You can optionallly exclude inetOrgPerson classes. This would leave you with Users in a default AD installation.