dwalby Posted September 19, 2018

Hi all,

I have a single LDAP import set up currently that pulls through AD account information into Hornbill, including Managers. For a particular department I need to exclude the sync of the Manager field; from what I understand this will require 2 LDAP imports.

Does anyone have any guidance on how to achieve this? Presumably I'll need to exclude the departmental OU not requiring the Manager field from the master LDAP import, then create another that filters on the OU of the department excluding the Manager field? Are there any dangers running 2 LDAP imports?

Thanks

Conor Posted September 19, 2018

Hi @dwalby

No issue running multiple imports. The only thing you will need to think about there is if the second import overwrites anything from the first import, which it sounds like it won't. Even then, as long as the final import sets the values you want in any particular field, then that's the one you finish with.

Yes, you will either need to exclude the departmental OU, or set the search root to only look at the department you want to import from without managers for the second import. In order to achieve this, I would simply copy the original import and change those bits (manager and filter/search root), which will keep it consistent.

It should be straightforward but let us know if you have any issues.

Thanks
Conor

dwalby (Author) Posted October 4, 2018

@Conor thanks and sorry for the late reply. I've done some searching but can't see how to exclude the OU from my main LDAP script, are you able to provide any suggestions please?

Conor Posted October 4, 2018

@dwalby there are 2 ways.

The easiest is probably with this kind of syntax in the filter: `(&(department=12*)(!(department=123*)))` where & is 'AND' and ! is 'NOT', so in the above example it will select all users in a department labelled in AD starting with 12, and none from department 123. This way you would filter out the department that does not require the managers to be imported for the first import, and do the opposite for the second.

The second way is to set up the new import script to only import from the relevant OU by specifying it in the DSN part of the import script. This will mean that the new import only looks at the OU you want to exclude the manager import from, and imports those users separately from the main import. So the first import may be looking at `DC=test,DC=hornbill,DC=com` (with a filter to exclude marketing, and this import does import managers), whereas the second import will be looking only at `OU=Marketing,DC=test,DC=hornbill,DC=com` and this import script does not import managers.

Hope that helps.

Thanks
Conor

dwalby (Author) Posted October 4, 2018

@Conor - thanks, just to confirm the filter `(&(department=12*)(!(department=123*)))` can be applied to OUs?

Conor Posted October 4, 2018

@dwalby Yep it can indeed, the syntax is slightly different but will work in the same way. The syntax is like this in the filter: `(!(ou:dn:=marketing))`

This is selecting everything except records where the distinguished name contains ou=marketing.

dwalby (Author) Posted October 4, 2018

Thanks again @Conor - does the below look correct? I'm hoping this will include all sub-OUs of Domain Users but exclude department2?

```
"Filter": "(objectClass=user)",
"DSN": "(&(OU=Domain Users,OU=Controls,DC=company,DC=ad)(!(ou:dn:=department2))",
"Debug":false
```

Conor Posted October 4, 2018

@dwalby you will need this bit: `"(&(OU=Domain Users,OU=Controls,DC=company,DC=ad)(!(ou:dn:=department2))",` in the filter section rather than the DSN section.

If the original import was already pulling in the users you now want to exclude you can use the same search root, so whatever is in the DSN bit can remain for the second import and then you will filter out that OU using the filter.

So keep whatever was in the DSN value the same for the second import, and then in the filter field it will be something like this: `(&(objectClass=user)(!(ou:dn:=department2)))` and the DSN will look something like this: `OU=Domain Users,OU=Controls,DC=company,DC=ad`

That will then include all sub-OUs of Domain Users but exclude department2

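
Added example (not part of the original posts and not Hornbill's import code): a small Python evaluator for the filter syntax discussed above, run over constructed sample entries to check that the thread's filter and an assumed complementary filter for the second import select disjoint sets of users, so neither import overwrites the other's Manager value. It assumes a directory server that evaluates the `:dn:` extensible match as RFC 4515 describes; the entry names and the `SECOND` filter are assumptions.

```python
import re

def parse(f, i=0):  # RFC 4515 subset used in the thread: '&', '!' and attr=value items
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = f.find(")", i)
        if j < 0 or "=" not in f[i:j]:
            raise ValueError(f"malformed item at offset {i}")
        attr, value = f[i:j].split("=", 1)
        node, i = ("item", attr.lower(), value.lower()), j
    if f[i:i + 1] != ")":
        raise ValueError(f"unbalanced parentheses at offset {i}")
    return node, i + 1

def matches(node, dn, attrs):  # evaluate a parsed filter against one entry
    if node[0] in ("&", "!"):
        hit = all(matches(k, dn, attrs) for k in node[1])
        return hit if node[0] == "&" else not hit
    _, attr, pattern = node
    values = list(attrs.get(attr.split(":")[0], []))
    if attr.endswith(":dn:"):  # extensible match: also test the DN's own components
        rdns = (p.split("=", 1) for p in dn.lower().split(","))  # naive: no escaped commas
        values += [v for k, v in rdns if k.strip() == attr[:-4]]
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(rx, v.lower()) for v in values)

def select(filter_text, entries):  # DNs an import using this filter would pick up
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return {dn for dn, attrs in entries.items() if matches(node, dn, attrs)}

BASE = "OU=Domain Users,OU=Controls,DC=company,DC=ad"  # search root from the thread
ENTRIES = {  # constructed sample entries, not real directory data
    f"CN=Alice,OU=department1,{BASE}": {"objectclass": ["user"]},
    f"CN=Bob,OU=department2,{BASE}": {"objectclass": ["user"]},
    f"CN=Carol,OU=Temps,OU=department2,{BASE}": {"objectclass": ["user"]},
    f"CN=PC01,OU=department1,{BASE}": {"objectclass": ["computer"]},
}
MAIN = "(&(objectClass=user)(!(ou:dn:=department2)))"  # filter given in the thread
SECOND = "(&(objectClass=user)(ou:dn:=department2))"   # assumed complement for import 2
```

Comparing `select(MAIN, ENTRIES)` with `select(SECOND, ENTRIES)` before scheduling both imports shows whether any user lands in both sets or in neither; `parse` also rejects a filter string whose parentheses do not balance.
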
dwalby (Author) Posted October 4, 2018

@Conor thanks again, sorry to keep asking questions! I've had some further thoughts on this and now I want to set all users of the department2 OU to a particular manager - do I enter their full name or username?

Conor Posted October 4, 2018

@dwalby no worries - you will need the manager's username here