I use the following query to find the groups each user is a member of:
(&(objectClass=group)(|(member=cn=UID,OU=ServiceAccounts,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)(member=cn=UID,OU=BTLY,OU=Sites,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)))
This query works and runs using the following Base DN:
OU=MC,DC=ads,DC=myCompany,DC=com,DC=au
I have few problems with the query:
I don't like having to use the OR operator to find Service Account users and BTLY users.
I don't want to hard-code the BTLY site, there are others, too.
Ideally, I'd just like to have the query as:
(&(objectClass=group)(|(member=cn=UID,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au))
This way, I don't care whether the user account is a service account nor which site the account belongs to. Unfortunately, that query doesn't work.
Can someone please help me generalise the LDAP query? I'm a bit of a newbie, so I'm most likely missing something completely obvious!
Thanks!
Thanks for the reply. What you've said makes sense, but it doesn't help me, unfortunately. We're using GlassFish (a Java app server), and have configured it to point to the local AD server. Normally, a person can tell GlassFish how to retrieve users, eg
(&(objectCategory=user)(CN=UID))
and GlassFish will pick up all the groups (perhaps by using the memberOf attribute).
This time round we're using a different AD server which hosts a different directory of users. GlassFish isn't able to retrieve the groups by itself. So, there is a field where we can give GlassFish a custom query to find groups. In this field, I've put the query I've posted which works, but is ugly and verbose.
What I'd love to be able to do is:
(&(objectClass=group)(member=cn=UID))
but this doesn't work.
Is there anyway to do this?
Thanks,
Muel.
My guess is that using this technique is not possible. You would need to use wildcard here:
(&(objectCategory=group)(member=CN=UID,*))
and this is not acceptable for DN attributes (like the one stored in 'member' property):
http://msdn.microsoft.com/en-us/library/ms676930(v=vs.85).aspx
My suggestion here would be: use some tool to generate 'ugly' query for you (using syntax mentioned above) and "feed" your tool with end result. Can't see any option, sorry...
I just try to reformulate your question, but it's to much text for a comment.
You are trying to find all the groups the user CN=UID belongs to begining from the nod OU=MC,DC=ads,DC=myCompany,DC=com,DC=au.
This can be done by retreiving the memberOf attribute of the user itself. The only problem (perhaps not in your case) is that the primary group is not in this list of DN, it's coded appart using primaryGroupId attribute.
so
(&(objectCategory=user)(CN=UID))
Will do the job test :
ldifde -f t.ldf -D "OU=MC,DC=ads,DC=myCompany,DC=com,DC=au" -r "(&(objectCategory=user)(CN=UID))" -l memberof
Remark : samAccountName or userPrincipalName are attributes you can rely on for uniqueness of the entry in Active-Directory, that is not the case of CN (an admin can change it)
Related
Retrieve all the groups of a specific user in Active directory. May I use which one is the efficient filter?
Depending on the server version your AD environment is running on, it won't make a bit of difference.
Take a look at the documentation for objectClass, sAMAccountName and sAMAccountType. You will notice that one property it lists on those pages is "Is Indexed". That tells you if that attribute is indexed in each server version. sAMAccountName and sAMAccountType have always been indexed, and objectClass started being indexed in Windows Server 2008.
If you're trying to find a specific account, you only need the sAMAccountName in the query:
(sAMAccountName=userName)
That will perform very fast, since sAMAccountName is indexed. The only reason you might want to include sAMAccountType or objectClass is if you don't know the type of object it is, and you want to make sure you only get a user account.
You mention you want to retrieve all the groups for a user, so take a look at the article I wrote about that: Finding all of a user’s groups. The code examples are C#, but the principles apply to any language.
I need help for my AD Integration.
I’m using Spiceworks for the system and there is a portion there for AD Integration.
The problem is that I need to sync two different OU’s
Base DN for LDAP search:
DC=dc1,DC=dc2
LDAP user filter:
(&(objectCategory=person)(|(ou=OU1)(ou=OU2)))
And its not working.
My AD Structure is
dc1.dc2
— OU1
— OU2
— OU3
dc1.dc2 is the top level.
OU1, OU2, OU3 are on the same level.
The reason is I don’t want to include OU3 in the syncing
LDAP filters are generally only applicable to attributes that are in the user entries.
If you want to include attributes that are part of the DN (the path to entries), you need to use extensible filters such as:
(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))
Note that while this is standard LDAP filters, not all servers support this.
Active Directory doesn't support filters based on OU. In this instance, it's an "extensible match filter" that some LDAP implementations support, but not all (including AD). More info here.
By the way, you can't do a wildcard search on the distinguishedName, if you're tempted to try.
To be honest, this is why it's best to have all your "person" user accounts in one OU (maybe subdivided further down), groups in another, etc. In your case, if you can, it might be a good idea to move your "synching" account OUs under a new OU. If you have a enterprise environment, you will want to be careful there are no dependencies on the OU structure before making such a change. Or that you can identify any such dependencies and fix them before or at the time of making the change.
Otherwise, you'll need to make your searchbase the root of the domain. If you have other user account attributes you can use to search, such as department names or similar, that will work. If it's employee accounts, do they all have a common field that's populated, such as "employeeID" or "streetAddress" or something? Or do the accounts you want to exclude have a specific name format (such as all the service accounts starting with "SVC")? By combining things like that, you can generally get it pretty good.
Finally, for searching normal user accounts, a more efficient basic query is:
(samAccountType=805306368)
Your query of (objectCategory=person) returns User and Contact objects. The usual way to scope it property is (&(objectClass=user)(objectCategory=person)), but the two clauses makes it less efficient than my recommendation (which is using an indexed attribute as well).
I am currently trying to find out AD users password expiry date.
Using the methods described on numerous pages for e.g. here work fine until a user or group in AD is using a fine grained password policy that does not follow the users domain password policy.
I found a property called msDS-UserPasswordExpiryTimeComputed that figures that all out without trying to do any calculations.
This works well, until we are using a global catalog since this property is not replicated by default. When I attempting to replicate the msDS-UserPasswordExpiryTimeComputed property in my global catalog, I get the following error:
Is there anyway to replicate this property or is something wrong with my setup that is not allowing me to replicate this property? Is there a better way to calculate user password expiry to take into account the fine grained password policy?
I suspect you can't. I can't find any authoritative documentation saying it is not possible, but here are the reasons I think it's not possible:
The attribute is constructed, meaning it's not stored, but it's calculated at the time you ask for it.
The date depends on the policy on the domain, thus the server returning the data needs to know the policy on the domain of the user.
Since a GC may not be on the domain of the user you find, it may not have the information needed to be able to calculate the value.
As a workaround, you can just rebind to a DC to get the value. You didn't say which language you're working with, but usually you can take the path of the object you found, which will start with "GC://", and just replace that with "LDAP://". Then grab the msDS-UserPasswordExpiryTimeComputed value.
I've been working on a Ruby on Rails application that uses devise and ldap against an AD-server. The server requires an authenticated user in order to list users. I have access to the AD GUI and can use ldapsearch to test queries against it. However, it took me hours to figure out the correct Distinguished Name string for the admin-user used to look up users and the string for the group base in where to look for users.
Example string for service "CN=service_app,OU=Services,OU=Accounts,DC=ad,DC=hello,DC=world,DC=com"
Example string for group base
"CN=Users,DC=ad,DC=hello,DC=world,DC=com"
My question is, is there a quick way to get/translate these strings from the GUI? For instance, I can see that the user "test.user" is in the folder structure ad.hello.world.com > Users, but I can not find the info in "string" format in the GUI. I also see others struggle with this so any tip would be very welcome.
Is there any way that we can programatically create a Documentum user by using Active Directory information? (I have very little knowledge on ADT and know that it stores user info thats all.)
In Documentum Administrator you can sync the ActiveDirectory Users by running the Job dm_LDAPSynchronization. This should do.
Hope this helps,
Max
edit: You can also create a User using DFC-Methods:
IDfUser newUser = (IDfUser) session.newObject("dm_user");
newUser.setUserName("New User");
newUser.setUserLoginName("newuser");
newUser.setString("user_source","inline password");
newUser.setString("user_password","new_password");
newUser.setDefaultFolder("/newuser",true);
newUser.save();
Instead of putting inline_password as the user_source, you probably can choose LDAP and remove the user_password. This most probably needs more information, but I don't have the DFC Documentation with me at the moment. I could look it up in the evening, but for now this should give you a good point to start.
You could also make a Server Method out of it and assign it to a custom Job.
BUT: I don't think that you can CREATE new LDAP-Users from Documentum...they need to be present in the ActiveDirectory when you import them into Documentum!
Cheers,
Max
You can configure LDAP through DA and set all the connection info, user id password and than configure the ldapsync job to do this ,whenever a new user is added into ldap,it will be imported into documentum by that job and deactivated if user is removed from ldap.
Thats the best way to avoid any programming .
The LDAP synchronization is quite limited and shortsighted. You can concatenate two LDAP attributes for a user like this : ${sn}_${givenname}#company.com. You can also substring, starting from left to a given number. Thats it. No more. I wonder why they bothered.
A proper solution would have been standarsing on a expression language - all from XQuery to RegEx. There are lots to choose from.