LDAP: Set account type based on AD attribute

[Dan Munns]

Hi, 

I need to set accounts from basic to user based on AD Extension Attribute 1. The attribute is set to add an account to one of two groups to determine what services they have access to. 

I now need one of these groups to be made full accounts and not the other. Is this possible? 

Thanks,

Dan

[Conor]

Hi @Dan Munns

I would simply create two imports, one that only selects the users with the relevant value in attribute 1, and then another for everyone else. You can set up as many imports as you want to, and this method will keep it simple to set up and manage.

Using the filter in the ldap import, for the full users import add the filter ad attribute 1 = xyz, and then in the basic user import exclude the users where the ad attribute 1 = xyz. 

Then in each import script everyone that is selected will have the user value set, and everyone else will have the basic user value set.

That will do it!

[Dan Munns]

Thanks @Conor

I will have a look, I take it you are talking about the new in app LDAP import? 

Does the same thing apply to the old import tool? 

I did look for the types of filter I could use but could find anything.

[Conor]

Yes @Dan Munns

Both will have the filter field to set up the above so yes this applies to both old and new import scripts. You can filter on any value within LDAP, and the filter syntax is standard LDAP syntax, which is something like:

(&(objectClass=person)(objectClass=user)) - for AND

(|(objectClass=person)(objectClass=user)) - for OR

(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville)))) - for NOT

[Dan Munns]

Cool, thanks @Conor