
LDAP Imports


dwalby


Hi all,

I have a single LDAP import setup currently that pulls through AD account information into Hornbill, including Managers.

For a particular department I need to exclude the sync of the Manager field, from what I understand this will require 2 LDAP imports. Does anyone have any guidance on how to achieve this? Presumably I'll need to exclude the departmental OU not requiring the Manager field from the master LDAP import, then create another that filters on the OU of the department excluding the Manager field? Are there any dangers running 2 LDAP imports?

Thanks


Hi @dwalby

No issue running multiple imports, the only thing you will need to think about there is if the second import overwrites anything from the first import, which it sounds like it won't. Even then, as long as the final import sets the values you want in any particular field, then that's the one you finish with.

Yes you will either need to exclude the departmental OU, or set the search root to only look at the department you want to import from without managers for the second import. 

In order to achieve this, I would simply copy the original import and change those bits (manager and filter/search root), which will keep it consistent.

It should be straightforward but let us know if you have any issues.

Thanks

Conor


  • 2 weeks later...

@dwalby there are 2 ways, the easiest is probably with this kind of syntax in the filter:

`(&(department=12*)(!(department=123*)))`

where & is 'AND' and ! is 'NOT', so in the above example it will select all users in a department labelled in AD starting with 12, and none from department 123. This way you would filter out the department that does not require the managers to be imported for the first import, and do the opposite for the second.

The second way is to set up the new import script to only import from the relevant OU by specifying it in the DSN part of the import script. This will mean that the new import only looks at the OU you want to exclude the manager import from, and imports those users separately from the main import. So the first import may be looking at `DC=test,DC=hornbill,DC=com` (with a filter to exclude marketing, and this import does import managers), whereas the second import will be looking only at `OU=Marketing,DC=test,DC=hornbill,DC=com` and this import script does not import managers.

 Hope that helps.

Thanks

Conor


@Conor - thanks, just to confirm the filter (&(department=12*)(!(department=123*))) can be applied to OUs?


@dwalby Yep it can indeed, the syntax is slightly different but will work in the same way. The syntax is like this in the filter:

`(!(ou:dn:=marketing))`

This is selecting everything except records where the distinguished name contains ou=marketing.


Thanks again @Conor - does the below look correct? I'm hoping this will include all sub-OUs of Domain Users but exclude department2?

        "Filter": "(objectClass=user)",
        "DSN": "(&(OU=Domain Users,OU=Controls,DC=company,DC=ad)(!(ou:dn:=department2))",
        "Debug":false

 


@dwalby you will need this bit: "(&(OU=Domain Users,OU=Controls,DC=company,DC=ad)(!(ou:dn:=department2))", in the filter section rather than the DSN section.

If the original import was already pulling in the users you now want to exclude you can use the same search root, so whatever is in the DSN bit can remain for the second import and then you will filter out that OU using the filter.

So keep whatever was in the DSN value the same for the second import, and then in the filter field it will be something like this:

`(&(objectClass=user)(!(ou:dn:=department2)))`

and the DSN will look something like this: `OU=Domain Users,OU=Controls,DC=company,DC=ad`

That will then include all sub-OUs of Domain Users but exclude department2.

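Added example, not part of the original thread or of Hornbill's import tool: a small local evaluator for the filter syntax discussed above, used to check that the two imports split the users cleanly before the real import runs. The sample entries, their names and the position of department2 directly under Domain Users are assumptions; directory servers differ in whether they honour the `:dn:` form, so compare the result with a search against your own directory.

```python
import re

BASE = "OU=Domain Users,OU=Controls,DC=company,DC=ad"        # search root from the thread
MAIN_FILTER = "(&(objectClass=user)(!(ou:dn:=department2)))"  # filter from the thread
# Constructed sample entries; the names and OU layout are assumptions.
ENTRIES = [{"dn": f"{rdn},{BASE}", "objectClass": [cls]} for rdn, cls in [
    ("CN=Ann,OU=department1", "user"), ("CN=Bob,OU=department2", "user"),
    ("CN=Cat,OU=Team,OU=department2", "user"), ("CN=PC7,OU=department1", "computer")]]

def parse(f, i=0):
    """Parse one RFC 4515 filter at f[i]; return (tree, index just past it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    if f[i + 1:i + 2] in ("&", "|", "!"):
        op, kids, i = f[i + 1], [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError("unbalanced parentheses or empty filter list")
        return (op, kids), i + 1
    end = f.find(")", i)
    if end < 0:
        raise ValueError("unbalanced parentheses")
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, e):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, e) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], e)
    _, attr, pattern = node
    values = list(e.get(attr, []))
    if attr.endswith(":dn:"):  # ':dn:' form: test the components of the entry's DN
        values = [v for k, _, v in (p.partition("=") for p in e["dn"].split(","))
                  if k.lower() == attr[:-4].lower()]
    rx = ".*".join(re.escape(s) for s in pattern.split("*"))  # only '*' is a wildcard
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)

def search(base, flt):
    """Subtree search over ENTRIES; returns the leading RDN of each hit."""
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return [e["dn"].split(",")[0] for e in ENTRIES
            if ("," + e["dn"]).lower().endswith("," + base.lower()) and matches(tree, e)]

def split_check():
    main = search(BASE, MAIN_FILTER)                               # import 1: with managers
    dept = search("OU=department2," + BASE, "(objectClass=user)")  # import 2: no managers
    return main, dept, sorted(set(main) & set(dept))
```

`split_check()` returns the users each import would pick up plus any overlap, which should be empty. `parse()` also rejects the string posted in the DSN field above, which is one closing parenthesis short.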
