DN filters

You can use DN filters to load information about nested groups and the users who are members of those groups. Roles and login restrictions, however, apply directly to the parent group and not to the nested objects.

Syntax

The expression after the logical operator must be in parentheses, for example:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Microsoft products often let you apply some logical operators directly, without the extra parentheses. For example:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

A group search doesn't support wildcards. This is a technical limitation of most LDAP servers, so a filter like the following cannot be used: (&(objectCategory=group)(objectClass=group)(memberOf=CN=My*,OU=MyOU,DC=domain,DC=my))

User filters

  • Default universal filter: (|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368)(&(objectCategory=person)(objectClass=user)))
  • Only enabled users: (&(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368))(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • All users whose samaccountname starts with my (you can use another attribute containing a string): (&(objectCategory=person)(objectClass=user)(samaccountname=my*))
  • All users who are members of a specified group: (&(objectCategory=person)(objectClass=user)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • All users who are members of a specified group, as well as all users who are members of nested groups: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))


Group filters

  • Default filter: (|(objectclass=group)(objectclass=organizationalRole)(objectclass=posixGroup))
  • Groups whose description contains the word security: (&(objectclass=group)(description=*security*))
  • Groups that are part of a specified group: (&(objectCategory=group)(objectClass=group)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Groups that are part of a specified group, as well as all nested groups: (&(objectCategory=group)(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Only security groups: (&(objectCategory=group)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • Only distribution groups: (&(objectCategory=group)(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
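
What the two matching-rule OIDs in the filters above select, evaluated over a small constructed directory (an added example, not part of the original documentation). The entry names, attribute values and helper functions are assumptions; `enabled_nested_members` goes one step beyond the listed filters by combining the enabled-user check with the nested-membership check.

```python
BASE = "OU=MyOU,DC=domain,DC=my"
MYGROUP, NESTED = f"CN=MyGroup,{BASE}", f"CN=Nested,{BASE}"

# Constructed directory (DN -> attributes); every entry is made up.
DIRECTORY = {
    MYGROUP: {"groupType": -2147483646, "memberOf": []},  # security group
    NESTED: {"groupType": 2, "memberOf": [MYGROUP]},      # distribution group
    f"CN=alice,{BASE}": {"userAccountControl": 512, "memberOf": [MYGROUP]},
    f"CN=bob,{BASE}": {"userAccountControl": 514, "memberOf": [NESTED]},  # disabled
    f"CN=carol,{BASE}": {"userAccountControl": 66048, "memberOf": [NESTED]},
    f"CN=dave,{BASE}": {"userAccountControl": 512, "memberOf": []},
}

def bit_and(value, mask):
    """attr:1.2.840.113556.1.4.803:=mask is true when every mask bit is set."""
    # groupType is stored as a signed 32-bit integer; compare it unsigned.
    return ((value & 0xFFFFFFFF) & mask) == mask

def in_chain(dn, group_dn, directory, seen=None):
    """memberOf:1.2.840.113556.1.4.1941:=group_dn, direct or nested membership."""
    seen = set() if seen is None else seen
    for parent in directory.get(dn, {}).get("memberOf", []):
        if parent == group_dn:
            return True
        if parent not in seen:  # guard against circular group nesting
            seen.add(parent)
            if in_chain(parent, group_dn, directory, seen):
                return True
    return False

def select(directory, kind, predicate):
    """Return the CNs of entries that carry attribute `kind` and match."""
    return sorted(dn.split(",")[0][3:] for dn, attrs in directory.items()
                  if kind in attrs and predicate(dn, attrs))

def enabled(attrs):
    return not bit_and(attrs["userAccountControl"], 2)  # 2 = account disabled

def direct_members(d, group):
    return select(d, "userAccountControl", lambda dn, a: group in a["memberOf"])

def nested_members(d, group):
    return select(d, "userAccountControl", lambda dn, a: in_chain(dn, group, d))

def enabled_nested_members(d, group):
    return select(d, "userAccountControl",
                  lambda dn, a: enabled(a) and in_chain(dn, group, d))

def security_groups(d):
    return select(d, "groupType", lambda dn, a: bit_and(a["groupType"], 2147483648))
```

The plain memberOf filter returns only alice for MyGroup, while the 1941 rule also returns bob and carol through the nested group, including the disabled account bob unless the userAccountControl check is added.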



Updated 03 Sep 2024