LDAP root query syntax to search more than one specific OU

Question

I need to run a single LDAP query that will search through two specific organization units  OU  in the root query however I m having a tough go of it  I ve tried the following queries below and neither were successful      OU Staff DC my DC super DC org  OU Vendors DC my DC super DC org      OU Staff DC my DC super DC org     OU Vendors DC my DC super DC org     My question is  is it possible to query more than one single OU in a single query  Assuming that it is what the proper syntax for this type of expression in the root LDAP query

User · Answer

I don t think this is possible with AD  The distinguishedName attribute is the only thing I know of that contains the OU piece on which you re trying to search  so you d need a wildcard to get results for objects under those OUs  Unfortunately  the wildcard character isn t supported on DNs   If at all possible  I d really look at doing this in 2 queries using OU Staff    and OU Vendors    as the base DNs

User · Answer

You can    In short use this as the connection string   ldap    lt host gt  3268 DC  lt my gt  DC  lt domain gt  cn   together with your search filter  e g     amp  sAMAccountName  0    amp   objectCategory person  objectclass user  mail      userAccountControl 1 2 840 113556 1 4 803  2   memberOf 1 2 840 113556 1 4 1941  CN  lt some-special-nested-group gt  OU  lt ou3 gt  OU  lt ou2 gt  OU  lt ou1 gt  DC  lt dc3 gt  DC  lt dc2 gt  DC  lt dc1 gt        That will search in the so called Global Catalog  that had been available out-of-the-box in our environment   Instead of the known common other versions  or combinations thereof  that did NOT work in our environment with multiple OUs   ldap    lt host gt  DC  lt my gt  DC  lt domain gt  ldap    lt host gt  389 DC  lt my gt  DC  lt domain gt    standard port  ldap    lt host gt  OU  lt someOU gt  DC  lt my gt  DC  lt domain gt  ldap    lt host gt  CN  lt someCN gt  DC  lt my gt  DC  lt domain gt  ldap    lt host gt     OU  lt someOU1 gt   OU  lt someOU2 gt    DC  lt my gt  DC  lt domain gt   search filters here shouldn t work at all by definition     I am a developer  not an AD LDAP guru   Damn I had been searching for this solution everywhere for almost 2 days and almost gave up  getting used to the thought I might have to implement this obviously very common scenario by hand  with Jasperserver Spring security  Tomcat     So this shall be a reminder if somebody else or me should have this problem again in the future  O     Here some other related threads I found during my research that had been mostly of little help    the solution hidden in a comment of LarreDo from 2006 some Microsoft answered question of best practices how to design your organization in the directory  stating using multiple top-level OUs in bigger companies is not unusual or even suitable Tim Wong  2011  added that this may be a problem of unresolvable DNS names in the ForestDNSZones  part of the AD top-level domain used  example code for implementing it by hand when using Spring security  e g  also used in Jasper  John Morrissey  2012  suggested it could be related to some security settings and it may work if you use TLS  I guess if the LDAP server wants to restrict such global searches for non-secure connections - which would not seem a good  its kind of half-baked  security approach to me  awatkins  2012  used some hacking approach in some mod ldap c code  of whatever software    And here I will provide our anonymized Tomcat LDAP config in case it may be helpful   var lib tomcat7 webapps jasperserver WEB-INF applicationContext-externalAUTH-LDAP xml     lt beans xmlns  http   www springframework org schema beans  xmlns xsi  http   www w3 org 2001 XMLSchema-instance  xsi schemaLocation  http   www springframework org schema beans http   www springframework org schema beans spring-beans-3 1 xsd  gt    lt  --              LDAP authentication              - Sample configuration      of external authentication via an external LDAP server  -- gt     lt bean id  proxyAuthenticationProcessingFilter      class  com jaspersoft jasperserver api security externalAuth BaseAuthenticationProcessingFilter  gt       lt property name  authenticationManager  gt           lt ref local  ldapAuthenticationManager    gt       lt  property gt       lt property name  externalDataSynchronizer  gt           lt ref local  externalDataSynchronizer    gt       lt  property gt        lt property name  sessionRegistry  gt           lt ref bean  sessionRegistry    gt       lt  property gt        lt property name  internalAuthenticationFailureUrl  value   login html error 1    gt       lt property name  defaultTargetUrl  value   loginsuccess html    gt       lt property name  invalidateSessionOnSuccessfulAuthentication          value  true    gt       lt property name  migrateInvalidatedSessionAttributes  value  true    gt   lt  bean gt    lt bean id  proxyAuthenticationSoapProcessingFilter      class  com jaspersoft jasperserver api security externalAuth DefaultAuthenticationSoapProcessingFilter  gt       lt property name  authenticationManager  ref  ldapAuthenticationManager    gt       lt property name  externalDataSynchronizer  ref  externalDataSynchronizer    gt        lt property name  invalidateSessionOnSuccessfulAuthentication          value  true    gt       lt property name  migrateInvalidatedSessionAttributes  value  true    gt       lt property name  filterProcessesUrl  value   services    gt   lt  bean gt    lt bean id  proxyRequestParameterAuthenticationFilter      class  com jaspersoft jasperserver war util ExternalRequestParameterAuthenticationFilter  gt       lt property name  authenticationManager  gt           lt ref local  ldapAuthenticationManager    gt       lt  property gt       lt property name  externalDataSynchronizer  ref  externalDataSynchronizer    gt        lt property name  authenticationFailureUrl  gt           lt value gt  login html error 1 lt  value gt       lt  property gt       lt property name  excludeUrls  gt           lt list gt               lt value gt  j spring switch user lt  value gt           lt  list gt       lt  property gt   lt  bean gt    lt bean id  proxyBasicProcessingFilter      class  com jaspersoft jasperserver api security externalAuth ExternalAuthBasicProcessingFilter  gt       lt property name  authenticationManager  ref  ldapAuthenticationManager    gt       lt property name  externalDataSynchronizer  ref  externalDataSynchronizer    gt        lt property name  authenticationEntryPoint  gt           lt ref local  basicProcessingFilterEntryPoint    gt       lt  property gt   lt  bean gt    lt bean id  proxyAuthenticationRestProcessingFilter      class  com jaspersoft jasperserver api security externalAuth DefaultAuthenticationRestProcessingFilter  gt       lt property name  authenticationManager  gt           lt ref local  ldapAuthenticationManager    gt       lt  property gt       lt property name  externalDataSynchronizer  gt           lt ref local  externalDataSynchronizer    gt       lt  property gt        lt property name  filterProcessesUrl  value   rest login    gt       lt property name  invalidateSessionOnSuccessfulAuthentication          value  true    gt       lt property name  migrateInvalidatedSessionAttributes  value  true    gt   lt  bean gt      lt bean id  ldapAuthenticationManager  class  org springframework security providers ProviderManager  gt       lt property name  providers  gt           lt list gt               lt ref local  ldapAuthenticationProvider    gt               lt ref bean    bean daoAuthenticationProvider     gt               lt  --anonymousAuthenticationProvider only needed if filterInvocationInterceptor alwaysReauthenticate                  is set to true  lt ref bean  anonymousAuthenticationProvider   gt  -- gt           lt  list gt       lt  property gt   lt  bean gt    lt bean id  ldapAuthenticationProvider      class  org springframework security providers ldap LdapAuthenticationProvider  gt       lt constructor-arg gt           lt bean             class  org springframework security providers ldap authenticator BindAuthenticator  gt               lt constructor-arg gt                   lt ref local  ldapContextSource    gt               lt  constructor-arg gt               lt property name  userSearch  ref  userSearch    gt           lt  bean gt       lt  constructor-arg gt       lt constructor-arg gt           lt bean             class  org springframework security ldap populator DefaultLdapAuthoritiesPopulator  gt               lt constructor-arg index  0  gt                   lt ref local  ldapContextSource    gt               lt  constructor-arg gt               lt constructor-arg index  1  gt                   lt value gt  lt  value gt               lt  constructor-arg gt                lt property name  groupRoleAttribute  value  cn    gt               lt property name  convertToUpperCase  value  true    gt               lt property name  rolePrefix  value  ROLE     gt               lt property name  groupSearchFilter                  value    amp amp  member  0    amp amp  objectCategory Group  objectclass group  cn my-nested-group-name       gt               lt property name  searchSubtree  value  true    gt               lt  -- Can setup additional external default roles here  lt property name  defaultRole                   value  LDAP   gt  -- gt           lt  bean gt       lt  constructor-arg gt   lt  bean gt    lt bean id  userSearch      class  org springframework security ldap search FilterBasedLdapUserSearch  gt       lt constructor-arg index  0  gt           lt value gt  lt  value gt       lt  constructor-arg gt       lt constructor-arg index  1  gt           lt value gt   amp amp  sAMAccountName  0    amp amp   objectCategory person  objectclass user  mail      userAccountControl 1 2 840 113556 1 4 803  2   memberOf 1 2 840 113556 1 4 1941  CN my-nested-group-name OU ou3 OU ou2 OU ou1 DC dc3 DC dc2 DC dc1              lt  value gt       lt  constructor-arg gt       lt constructor-arg index  2  gt           lt ref local  ldapContextSource    gt       lt  constructor-arg gt       lt property name  searchSubtree  gt           lt value gt true lt  value gt       lt  property gt   lt  bean gt    lt bean id  ldapContextSource      class  com jaspersoft jasperserver api security externalAuth ldap JSLdapContextSource  gt       lt constructor-arg value  ldap   myhost 3268 DC dc3 DC dc2 DC dc1 cn    gt       lt  -- manager user name and password  may not be needed  -- gt       lt property name  userDn  value  CN someuser OU ou4 OU 1 DC dc3 DC dc2 DC dc1    gt       lt property name  password  value  somepass    gt       lt  --End Changes -- gt   lt  bean gt   lt  --              LDAP authentication              -- gt    lt  --              JRS Synchronizer              -- gt   lt bean id  externalDataSynchronizer      class  com jaspersoft jasperserver api security externalAuth ExternalDataSynchronizerImpl  gt       lt property name  externalUserProcessors  gt           lt list gt               lt ref local  externalUserSetupProcessor    gt               lt  -- Example processor for creating user folder -- gt               lt  -- lt ref local  externalUserFolderProcessor   gt  -- gt           lt  list gt       lt  property gt   lt  bean gt    lt bean id  abstractExternalProcessor      class  com jaspersoft jasperserver api security externalAuth processors AbstractExternalUserProcessor      abstract  true  gt       lt property name  repositoryService  ref    bean repositoryService     gt       lt property name  userAuthorityService  ref    bean userAuthorityService     gt       lt property name  tenantService  ref    bean tenantService     gt       lt property name  profileAttributeService  ref  profileAttributeService    gt       lt property name  objectPermissionService  ref  objectPermissionService    gt   lt  bean gt    lt bean id  externalUserSetupProcessor      class  com jaspersoft jasperserver api security externalAuth processors ExternalUserSetupProcessor      parent  abstractExternalProcessor  gt       lt property name  userAuthorityService  gt           lt ref bean    bean internalUserAuthorityService     gt       lt  property gt       lt property name  defaultInternalRoles  gt           lt list gt               lt value gt ROLE USER lt  value gt           lt  list gt       lt  property gt        lt property name  organizationRoleMap  gt           lt map gt               lt  -- Example of mapping customer roles to JRS roles -- gt               lt entry gt                   lt key gt                       lt value gt ROLE MY-NESTED-GROUP-NAME lt  value gt                   lt  key gt                   lt  -- JRS role that the  lt key gt  external role is mapped to -- gt                   lt value gt ROLE USER lt  value gt               lt  entry gt           lt  map gt       lt  property gt   lt  bean gt    lt  --bean id  externalUserFolderProcessor  class  com jaspersoft jasperserver api security externalAuth processors ExternalUserFolderProcessor       parent  abstractExternalProcessor  gt   lt property name  repositoryService  ref    bean unsecureRepositoryService    gt        lt  bean -- gt    lt  --              JRS Synchronizer              -- gt

User · Answer

After speaking with an LDAP expert  it s not possible this way  One query can t search more than one DC or OU    Your options are         Run more then 1 query and parse the result    Use a filter to find the desired users objects based off a different attribute like an AD group or by name

User · Answer

The answer is NO you can t  Why   Because the LDAP standard describes a LDAP-SEARCH as kind of function with 4 parameters    The node where the search should begin  which is a Distinguish Name  DN  The attributes you want to be brought back The depth of the search  base  one-level  subtree  The filter   You are interested in the filter  You ve got a summary here  it s provided by Microsoft for Active Directory  it s from a standard   The filter is composed  in a boolean way  by expression of the type Attribute Operator Value   So the filter you give does not mean anything   On the theoretical point of view there is ExtensibleMatch that allows buildind filters on the DN path  but it s not supported by Active Directory   As far as I know  you have to use an attribute in AD to make the distinction for users in the two OUs    It can be any existing discriminator attribute  or  for example the attribute called OU which is inherited from organizationalPerson class  you can set it  it s not automatic  and will not be maintained if you move the users  with  staff  for some users and  vendors  for others and them use the filter     amp  objectCategory person    ou staff  ou vendors

User · Answer

It s simple  Just change the port  Use 3268 instead of 389  If your domain name DOMAIN LOCAL  in search put DC DOMAIN DC LOCAL  Port 3268  This port is used for queries that are specifically targeted for the global catalog   LDAP requests sent to port 3268 can be used to search objects in the entire forest   However  only the attributes marked for replication to the global catalog can be returned   Port 389  This port is used for requesting information from the Domain Controller   LDAP requests sent to port 389 can be used to search objects only within the global catalog   s home domain   However  the application can possible to obtain all of the attributes searched objects

[active-directory] LDAP root query syntax to search more than one specific OU

Examples related to active-directory

Examples related to ldap

Examples related to ou