SyntaxFix

[active-directory] LDAP root query syntax to search more than one specific OU

I need to run a single LDAP query that will search through two specific organization units (OU) in the root query however I'm having a tough go of it. I've tried the following queries below and neither were successful:

(|(OU=Staff,DC=my,DC=super,DC=org)(OU=Vendors,DC=my,DC=super,DC=org))

((OU=Staff,DC=my,DC=super,DC=org) | (OU=Vendors,DC=my,DC=super,DC=org))

My question is; is it possible to query more than one single OU in a single query? Assuming that it is what the proper syntax for this type of expression in the root LDAP query.

This question is related to active-directory ldap ou

The answer is

It's simple. Just change the port. Use 3268 instead of 389. If your domain name DOMAIN.LOCAL, in search put DC=DOMAIN,DC=LOCAL

Port 3268: This port is used for queries that are specifically targeted for the global catalog. LDAP requests sent to port 3268 can be used to search objects in the entire forest. However, only the attributes marked for replication to the global catalog can be returned.

Port 389: This port is used for requesting information from the Domain Controller. LDAP requests sent to port 389 can be used to search objects only within the global catalog’s home domain. However, the application can possible to obtain all of the attributes searched objects.

I don't think this is possible with AD. The distinguishedName attribute is the only thing I know of that contains the OU piece on which you're trying to search, so you'd need a wildcard to get results for objects under those OUs. Unfortunately, the wildcard character isn't supported on DNs.

If at all possible, I'd really look at doing this in 2 queries using OU=Staff... and OU=Vendors... as the base DNs.

After speaking with an LDAP expert, it's not possible this way. One query can't search more than one DC or OU.

Your options are:

  1. Run more then 1 query and parse the result.
  2. Use a filter to find the desired users/objects based off a different attribute like an AD group or by name.

The answer is NO you can't. Why?

Because the LDAP standard describes a LDAP-SEARCH as kind of function with 4 parameters:

  1. The node where the search should begin, which is a Distinguish Name (DN)
  2. The attributes you want to be brought back
  3. The depth of the search (base, one-level, subtree)
  4. The filter

You are interested in the filter. You've got a summary here (it's provided by Microsoft for Active Directory, it's from a standard). The filter is composed, in a boolean way, by expression of the type Attribute Operator Value.

So the filter you give does not mean anything.

On the theoretical point of view there is ExtensibleMatch that allows buildind filters on the DN path, but it's not supported by Active Directory.

As far as I know, you have to use an attribute in AD to make the distinction for users in the two OUs.

It can be any existing discriminator attribute, or, for example the attribute called OU which is inherited from organizationalPerson class. you can set it (it's not automatic, and will not be maintained if you move the users) with "staff" for some users and "vendors" for others and them use the filter:

(&(objectCategory=person)(|(ou=staff)(ou=vendors)))

Source: Stackoverflow.com

Examples related to active-directory

Powershell: A positional parameter cannot be found that accepts argument "xxx" How to switch to another domain and get-aduser How can I verify if an AD account is locked? Powershell script to see currently logged in users (domain and machine) + status (active, idle, away) Querying Windows Active Directory server using ldapsearch from command line How to list AD group membership for AD users using input list? Import-Module : The specified module 'activedirectory' was not loaded because no valid module file was found in any module directory What are CN, OU, DC in an LDAP search? PowerShell script to return members of multiple security groups How do I get specific properties with Get-AdUser

Examples related to ldap

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 Querying Windows Active Directory server using ldapsearch from command line What are CN, OU, DC in an LDAP search? LDAP server which is my base dn Easy way to test an LDAP User's Credentials LDAP filter for blank (empty) attribute LDAP Authentication using Java How to create and add users to a group in Jenkins for authentication? Query to list all users of a certain group using wildcards in LDAP search filters/queries

Examples related to ou

LDAP root query syntax to search more than one specific OU

Tags

Adobe-stratus Spring-integration Jvmti Backupexec Collaboration-diagram Zipfile Mongodb-php Eaccelerator Gallio Distributed-programming Sessiontracking Scintilla Jgroups Visual-diff Deployment-project Audio Waitone Ektron Watch-window Hostmonster Javadb Liquibase Ora-00911 Maturity Enterprise-library-4.1 Datatrigger Beyondcompare3 Creole Fftw Ear Toggleclass Custom-lists Robohelp Pearson Eventlog-source Python-2.6 Childactivity Parameter-passing Graph-visualization Named-scope Kdb Amsmath Finite-element-analysis Accessor Window.onunload Jquery-color Generator-expression Decibel Txmldocument Subdirectory App-store Object-role-modeling Parameterized Windows-desktop-gadgets Subscript Xsp2 Session-cookies Bson Eclipse-jdt Variable-types Struct.pack Ident Double-precision Tagging Gridviewrow Py-amqplib Nstoolbar Dereference Console Full-trust Temporal-difference Virtualbox Base-address Bindable Rosetta-code Ci-server Jcifs Piping Redundancy Iequalitycomparer Mpmediaitem Soundplayer Delayed-execution Pg Devexpress Crystal-reports-server Rdtsc Google-finance Sqlcompare Databound-controls Trim Bzr-svn Navigateuri Sessionstate-timeout Lookbehind Atoi Timage Mixed-mode Xpsdocument Http-head