What is the character limit for ldap.searchfilter

I’ve added a group to my ldap.searchfilter property and I am no longer able to log in to the Openfire console.

It worked fine with 2 groups and one additional filter to limit disabled accounts… but when adding in another group it kills the ability to find the users during authentication.

Here is the one that worked:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=IM_M,OU=Groups,DC=SCSDU,DC=local)(memberOf=CN=IM_U,OU=Groups,DC=SCSDU,DC=local)))

Here is the one that did not work:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=IM_M,OU=Groups,DC=SCSDU,DC=local)(memberOf=CN=IM_SDU,OU=Groups,DC=SCSDU,DC=local)(memberOf=CN=IM_U,OU=Groups,DC=SCSDU,DC=local)))

I’ve tried using wildcards IM_* and IM_% to shorten the group section, but they don’t work.

I’d like to know the character limit for this field, and ask if anyone can adjust my filter to make it work better (shorter?).

Thanks

Rich

Update:

I found a link to definitive information from Microsoft that indicates the wildcard won’t work with that type of DN attribute… however there was listed a way to NEST groups! Yes!

Here is the url:

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

All members of specified group, including due to group nesting (Note 10):

(memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)

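The nested-group approach from the update, as an added example that is not part of the original post: it builds one memberOf clause with the 1.2.840.113556.1.4.1941 matching rule in place of the OR list, escapes the DN per RFC 4515, and checks a pasted filter for unbalanced parentheses and stray whitespace. The parent group CN=IM_All (assumed to contain IM_M, IM_SDU and IM_U as members) and the function names are hypothetical.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching rule quoted in the post (nested membership)
BIT_AND = "1.2.840.113556.1.4.803"    # matching rule used in the post's userAccountControl test


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def nested_group_filter(parent_group_dn: str) -> str:
    """Enabled user accounts that are direct or nested members of one group."""
    dn = escape_filter_value(parent_group_dn)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{BIT_AND}:=2))"
            f"(memberOf:{IN_CHAIN}:={dn}))")


def check_filter(flt: str) -> list:
    """Return problems that commonly creep into a copied and pasted filter."""
    problems = []
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # a ")" with no matching "("
                break
    if depth != 0:
        problems.append("unbalanced parentheses")
    # Whitespace beside '.', ',' or '=' is usually line-wrap damage from a web page.
    if re.search(r"[.,=]\s|\s[.,=]", flt):
        problems.append("whitespace next to a separator")
    return problems


if __name__ == "__main__":
    # Hypothetical parent group DN; adjust to the real directory layout.
    flt = nested_group_filter("CN=IM_All,OU=Groups,DC=SCSDU,DC=local")
    print(flt)
    print(len(flt), "characters;", check_filter(flt) or "no problems found")
```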