
Creating Complex Boolean LDAP Filters

I'm writing this post because I haven't seen this discussed in ITNinja and it's therapeutic for me to write about the trauma I just experienced getting this filter to execute correctly.

To say our AD is convoluted would be a mild understatement.  As such, it's very difficult to keep unwanted objects like service accounts out of our Kace user population.  Recently we added a new Kace Organization so our legal department could have a service desk.  Their user population is a small subset of the company, so I wanted to restrict which objects LDAP pulls in without forcing my service desk to manually maintain the user list.

The criteria included managers in two specific departments in two geographies, managers in a third department in one geography, all members of the legal department, and one individual who could not otherwise be filtered.

I used a series of nested Ors and Ands to make this work.

Here's how it works conceptually:

If this is true: (samaccountName={USERID of the individual})
or if both of the following are true: (samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com) {anyone in the Legal Dept security group}
or if both of the following are true: (samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)
    and any of the following is also true: (description=*Manager*)(description=*VP*)(description=*Director*)

Here's the actual syntax minus the specifics for our domain.

And = &
Or = |

(|(samaccountName={USERID})(&(samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com))(&(samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)(|(description=*Manager*)(description=*VP*)(description=*Director*))))

The actual filter is a bit more complex than this, but this shows all the variations that I used.  

If you have line breaks in the code or haven't nested your parenthetical statements correctly, your filter will fail.  For this reason, I use an advanced text editor (Notepad++, in my case) to help me ensure that all my parentheses are matched up.
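To make the nesting above concrete, here is an added example (my own code, not from ITNinja or Quest/KACE) that parses a filter written in this prefix notation, reports exactly where an unbalanced parenthesis or a pasted line break breaks it, and evaluates the post's filter against a handful of constructed directory entries. The entry data, the login name "jdoe" standing in for {USERID}, and the treatment of KBOX_USER as "the account currently being checked" are all assumptions for the demo.

```python
"""Added example (not ITNinja's or KACE's code): parse an LDAP search filter
in the RFC 4515 prefix notation used in the post, report nesting mistakes, and
evaluate it against a few constructed directory entries."""
import re


class FilterError(ValueError):
    """Raised for unbalanced parentheses, stray characters or malformed items."""


def parse_filter(text):
    """Parse into nested tuples: ('&' | '|' | '!', [children]) or ('=', attr, pattern)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            found = repr(text[pos]) if pos < len(text) else "end of filter"
            raise FilterError(f"expected {ch!r} at offset {pos}, found {found}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")  # a line break or a missing ')' is caught right here
            if op == "!" and len(children) != 1:
                raise FilterError("'!' takes exactly one child")
            return (op, children)
        end = text.find(")", pos)
        if end == -1:
            raise FilterError(f"unterminated item at offset {pos}")
        item = text[pos:end]
        if "=" not in item:
            raise FilterError(f"item {item!r} has no '='")
        attr, pattern = item.split("=", 1)  # DN values keep their own '=' and ','
        pos = end + 1
        return ("=", attr.strip().lower(), pattern)

    tree = node()
    if pos != len(text):
        raise FilterError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return tree


def validate(text):
    """Return None if the filter parses, otherwise the error message."""
    try:
        parse_filter(text)
    except FilterError as exc:
        return str(exc)
    return None


def _value_matches(pattern, value):
    # '*' is a wildcard; AD compares these attributes case-insensitively
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry: {attr_lowercase: str | [str]}."""
    op = node[0]
    if op == "=":
        values = entry.get(node[1], [])
        if isinstance(values, str):
            values = [values]
        return any(_value_matches(node[2], v) for v in values)
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    return not evaluate(node[1][0], entry)  # '!'


# The post's filter, with {USERID} filled in with the constructed name "jdoe".
FILTER = ("(|(samaccountName=jdoe)"
          "(&(samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com))"
          "(&(samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)"
          "(|(description=*Manager*)(description=*VP*)(description=*Director*))))")

# The same filter with a line break pasted in, the failure mode the post warns about.
BROKEN_FILTER = FILTER.replace("(&(samaccountName=KBOX_USER)", "\n(&(samaccountName=KBOX_USER)")

ENTRIES = [  # constructed sample entries, not real accounts
    {"samaccountname": "jdoe", "description": "Analyst",
     "memberof": ["CN=Dept_Finance,CN=Groups,OU=Finance,DC=our_co,DC=com"]},
    {"samaccountname": "asmith", "description": "Paralegal",
     "memberof": ["CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com"]},
    {"samaccountname": "bjones", "description": "Marketing Director, EMEA",
     "memberof": ["CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com"]},
    {"samaccountname": "cwu", "description": "Marketing Coordinator",
     "memberof": ["CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com"]},
    {"samaccountname": "svc_backup", "description": "Service account", "memberof": []},
]


def matching_users(filter_template, entries):
    """Names of the entries the filter selects. Assumption (not stated in the post):
    KBOX_USER stands for the account being checked, so it is replaced with each
    entry's own sAMAccountName before the filter is parsed."""
    selected = []
    for entry in entries:
        tree = parse_filter(filter_template.replace("KBOX_USER", entry["samaccountname"]))
        if evaluate(tree, entry):
            selected.append(entry["samaccountname"])
    return sorted(selected)


if __name__ == "__main__":
    print(matching_users(FILTER, ENTRIES))  # ['asmith', 'bjones', 'jdoe']
    print(validate(BROKEN_FILTER))          # names the offset where the line break sits
```

The parser is deliberately strict: any character that is not part of a component, including a newline, stops the child loop and surfaces as "expected ')'" with an offset, which is the same check a bracket-matching editor gives you but with the exact position. The service account and the non-manager marketing user fall out of the result set, which is the point of the filter in the post.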

I also recommend using ADUC or Windows Directory Service tools like DSQuery OU and DSQuery Group to ensure that you are copying the DNs correctly.

=======================================================================

NOTE (Updated 2/21/2018):

I had to open a ticket with Quest.  While my filter pulled in all the users I need, they could not authenticate.  As stated above, my filter was more complex than what is shown here, so you might be able to get this to work with a simpler filter, but the short version is that Kace's implementation of LDAP will import the users but won't work for actually signing in (at least at my level of complexity).  I ended up creating a security group to pull in only the users I need, which is unfortunate because that solution is static; the solution above is dynamic.
