LDAP Import Tool - Filter Syntax

[Martyn Houghton]

Is there any documentation of the LDAP Import tool 'Filter' configuration syntax or details from the component us are using to access the LDAP directory?

I have had some joy in using the syntax from Microsoft Active Directory documentation

https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

But are having a issue with some of the operation such as excluding certain OU containers when using the Scope=2 setting to recursively scan the sub tree.

At the moment I can get the following to work to scan the sub tree and exclude all disabled accounts:-

"Scope": 2,

"DerefAliases": 1,

"SizeLimit": 0,

"TimeLimit": 0,

"TypesOnly": false,

"Filter": "(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",

But if I add the extra criteria of (!(ou=HR)) the import still accepts the filter as valid but does not filter out the users contained with the HR ou.

Cheers

Martyn

[Steve Giller]

Found this:

Suppose you want to pull all users of ObjectType = Person from the R&D and HR ous, but not any users from Marketing and PM. The filter would be:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))

The filter above is called an extensible match search because it specifies an attribute name: ou and the DN’s attributes should be considered as part of the entry.

If ou:= rather than ou:dn:= had been used, no results would have been returned, because the ResearchAndDevelopment entry does not match the objectClass=person criteria and jbond (which does have an objectClass=person ) does not match the ou=ResearchAndDevelopment criteria EXCEPT for the fact that it does have ou=ResearchAndDevelopment as part of that entry's Distinguished Name (dn). Therefore ou:dn:=ResearchAndDevelopment DOES return jbond as one of the users in the search result.

So try

"Filter": "(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(ou:dn:=HR)))"

and see if that works.

[Martyn Houghton]

Steve

Unfortunately that did not work either. It seems you can filter by an objects attributes but not its context in the import tool at the moment.

Cheers

Martyn

[Steve Giller]

Are the Pre- and Post-Import SQL options still available in the Collaboration Platform?

If so you could import the distinguishedName attribute and delete records in the HR OU after the import.

As I'm typing I'm just thinking: Is the comparison limited to two objects?

In which case would the (rather convoluted) version of

"Filter": "(&(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(ou:dn:=HR)))"

work?

[edit]I've just googled and it would appear not - but might be worth a try, stranger things have happened![/edit]

[James Ainsworth]

Hi Martyn,

I wasn't sure if you managed to get this working, however for others reading this post I thought I'd include a link to our LDAP User Import Tool Documentation.