LDAP query
  • LDAP query

    I have a printer that can interrogate AD using LDAP, but I'm looking for the criteria to only show the member list of the group Domain Users. Is this possible?

    I'm using this at present, but the result is pretty much every object created:

    CN=Domain Users,CN=Users,DC=<myDomain>,DC=local

    Thanks

  • #2
    Re: LDAP query

    It appears to be possible.
    http://connect.nintex.com/forums/thread/4022.aspx gives examples which should be adaptable to your environment
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: LDAP query

      That's what I thought but this context does not work.

      memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local

      • #4
        Re: LDAP query

        Can you pick up a custom group?
        Tom Jones

        • #5
          Re: LDAP query

          No, I'm using Softerra's LDAP Administrator to test the function. I would think that any LDAP tool queries in the same way.

          • #6
            Re: LDAP query

            Sorry, what I was trying to establish was whether a built-in group (Domain Users) is different to a custom (user-defined) group.
            Tom Jones

            • #7
              Re: LDAP query

              Sorry fella, I should have said I've tried a built-in and a custom-created group, but with no joy.

              • #8
                Re: LDAP query

                Originally posted by marcopolo:
                That's what I thought but this context does not work.

                memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local
                The search string is correct: it will search for all objects that have joined the group 'Domain Users', but only if it is NOT set as the primary group!

                By default 'Domain Users' is set as the primary group of a user, which could explain why your search didn't find objects.
                To find objects where the primary group is set to Domain Users, use:
                (primaryGroupID=513)

                You can combine the two strings;
                furthermore, to query only user objects and exclude disabled accounts:
                Code:
                (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local)(primaryGroupID=513)))
                \Rems
                Last edited by Rems; 2nd October 2010, 02:39.

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

                • #9
                  Re: LDAP query

                  Originally posted by Rems:
                  You can combine the two strings;
                  furthermore, to query only user objects and exclude disabled accounts:
                  Code:
                  (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local)(primaryGroupID=513)))
                  \Rems
                  A very minor point (and I agree with the rest of your post; the primary group issue is almost certainly why the OP is not getting the expected results), but a slightly more efficient query would be to use the sAMAccountType attribute rather than the objectCategory and objectClass attributes, as objectClass is not indexed and sAMAccountType is.

                  As the sAMAccountType value for users is 805306368, the modified query would look like this:

                  Code:
                  (&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local)(primaryGroupID=513)))
                  Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

                  My blog: http://cjwdev.wordpress.com

                  • #10
                    Re: LDAP query

                    Unfortunately the field on the printers cannot cater for either of the queries below: too many characters.

                    • #11
                      Re: LDAP query

                      Ah well, you could miss out the bit that filters out disabled accounts and make it just something like this:

                      Code:
                      (&(sAMAccountType=805306368)(|(memberOf=cn=Domain Users,cn=Users,dc=mydomain,dc=local)(primaryGroupID=513)))
                      or, if that is still too long and you are sure that all of your users have Domain Users as their primary group (which they will unless you've changed it), then you can just do this:
                      Code:
                      (&(sAMAccountType=805306368)(primaryGroupID=513))
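                      As an added example (not code from the thread, and not any of the posters' own tooling), the following Python evaluates the filters from #8 and #9, plus the shortened forms from #11, against a constructed set of AD-like objects; the tiny parser, the sample entries and the names alice, bob, carol, contact1 and pc1$ are all assumptions made for illustration. It shows why a memberOf-only filter misses users whose only link to Domain Users is primaryGroupID=513, which object types objectCategory, objectClass and sAMAccountType each select, and that the unbalanced strings quoted in the thread are rejected rather than silently misread.

```python
# Added example (not from the thread): evaluates the posts' filters against constructed entries.
AD_BIT_AND = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND
DOMAIN_USERS = "cn=Domain Users,cn=Users,dc=mydomain,dc=local"
def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index just past it)."""
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound filter: operator, then nested filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")": raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                  # simple item: attr=value
    attr, _, val = s[i:end].partition("=")
    if "(" in val: raise ValueError(f"unescaped '(' in value at offset {i}")  # e.g. the #12 string
    return ("=", attr, val), end + 1
def matches(node, e):
    if node[0] in "&|": return (all if node[0] == "&" else any)(matches(k, e) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], e)
    _, attr, val = node
    if attr.endswith(f":{AD_BIT_AND}:"):   # bitwise AND; userAccountControl bit 2 = ACCOUNTDISABLE
        attr = attr.split(":")[0]
        return any(int(v) & int(val) for v in e.get(attr.lower(), []))
    return any(v.lower() == val.lower() for v in e.get(attr.lower(), []))
def entry(**attrs):                        # constructed AD-like entry: lowercase names, list values
    return {k.lower(): [str(v) for v in (vs if isinstance(vs, list) else [vs])]
            for k, vs in attrs.items()}
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
def user(uac, pgid, **extra):              # constructed user object
    return entry(objectCategory="person", objectClass=USER_CLASSES, sAMAccountType=805306368,
                 userAccountControl=uac, primaryGroupID=pgid, **extra)
DIRECTORY = {                              # constructed sample directory (hypothetical names)
    "alice": user(512, 513),                           # in Domain Users only via primary group
    "bob": user(514, 513),                             # 514 = 512 | 2: disabled
    "carol": user(512, 1201, memberOf=DOMAIN_USERS),   # custom primary group, explicit member
    "contact1": entry(objectCategory="person", objectClass=USER_CLASSES[:3] + ["contact"]),
    "pc1$": entry(objectCategory="computer", objectClass=USER_CLASSES + ["computer"], sAMAccountType=805306369, primaryGroupID=515),
}
def search(filter_str):                    # names of matching entries; rejects trailing ')' junk
    node, end = parse(filter_str)
    if end != len(filter_str): raise ValueError(f"trailing text: {filter_str[end:]!r}")
    return sorted(n for n, e in DIRECTORY.items() if matches(node, e))
REMS_FILTER = (f"(&(objectCategory=person)(objectClass=user)(!(userAccountControl:{AD_BIT_AND}:=2))"
               f"(|(memberOf={DOMAIN_USERS})(primaryGroupID=513)))")
CHRIS_FILTER = (f"(&(sAMAccountType=805306368)(!(userAccountControl:{AD_BIT_AND}:=2))"
                f"(|(memberOf={DOMAIN_USERS})(primaryGroupID=513)))")
```

                      Both the #8 and #9 filters return the same two enabled users here, while the shortest #11 form keeps the disabled account and drops the user whose primary group was changed.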
                      • #12
                        Re: LDAP query

                        Well, this one doesn't work, so is it that the printer is not parsing the query correctly?

                        (&(sAMAccountType=80530636(primaryGroupID=513))

                        • #13
                          Re: LDAP query

                          Well yeah, it must be the printer, because that query works perfectly fine when I enter it into a custom query in AD U & C.

                          Unless, of course, all of your users do not have the Domain Users group as their primary group.
                          • #14
                            Re: LDAP query

                            Originally posted by marcopolo:
                            I'm using this at present but the result is pretty much every object created
                            CN=Domain Users,CN=Users,DC=<myDomain>,DC=local
                            Note that the DN above is not a SEARCH LDAP string! If you say this is returning almost every object (type), then most likely it is the "base" field or 'BROWSE LDAP' (and it is ignoring the canonical name?). This might possibly not be the correct field to enter the SEARCH LDAP string. What is the name of this field?

                            By the way, are all your users created in the Users container and not in OUs? It is recommended to create an OU structure for the objects you add in AD.


                            Is LDAP used only for the scan-to-mailbox feature? What is the printer's brand and model?

                            Generally,
                            make sure the account used for the query is a user account added in Active Directory that has a valid and non-expiring password. And check that the account is not currently locked out and is not disabled. Make sure the password was entered correctly in the device.

                            Follow the documentation of the print device:
                            - where and how exactly to configure the LDAP string (sometimes an application can require additional typical parameters);
                            - whether a search 'base' and 'scope' still need to be configured if you use an LDAP search;
                            - sometimes the DN of a user account is required instead of the UPN or account name;
                            - the LDAP implementation could possibly be limited, or have requirements for the string;
                            - if there is more than one printing controller built in (i.e. an additional Fiery controller), set up LDAP on the correct unit.

                            On the device set the correct date and time, time zone and DST. Configure the TCP/IP settings, the DNS server, default gateway, the domain, etc. Enable the LDAP function, configure the bind method, and the LDAP server and port that should be used.
                            (Check whether you should use the distinguished name, FQDN or sAMAccountName of a server.)


                            Since by default every user in the domain is a member of the Domain Users group, you can just search for all user objects.
                            Try: (&(objectClass=user)(objectCategory=person))

                            Or else, create an OU for the users and enter on the device in the 'base' field:
                            OU=<MyCompany> Users,DC=<myDomain>,DC=local



                            Originally posted by chris_128:
                            A very minor point (and I agree with the rest of your post; the primary group issue is almost certainly why the OP is not getting the expected results), but a slightly more efficient query would be to use the sAMAccountType attribute rather than the objectCategory and objectClass attributes, as objectClass is not indexed and sAMAccountType is.
                            IMHO, between the two LDAP strings there is no difference in efficiency for the search.
                            objectClass=user is just used for filtering out contacts, while objectCategory is indexed and is used in the string to find the user objects.

                            objectCategory=person: this search returns user, inetOrgPerson and contact objects. Together with objectClass=user, contact objects are skipped from the search result.
                            (objectClass=user on its own returns computer, user and inetOrgPerson objects. However, objectClass is not indexed.)

                            sAMAccountType=805306368: this search returns user and inetOrgPerson objects. sAMAccountType is indexed and is therefore a good alternative.


                            \Rems

                            • #15
                              Re: LDAP query

                              Originally posted by Rems:
                              IMHO, between the two LDAP strings there is no difference in efficiency for the search.
                              objectClass=user is just used for filtering out contacts, while objectCategory is indexed and is used in the string to find the user objects.

                              objectCategory=person: this search returns user, inetOrgPerson and contact objects. Together with objectClass=user, contact objects are skipped from the search result.
                              (objectClass=user on its own returns computer, user and inetOrgPerson objects. However, objectClass is not indexed.)

                              sAMAccountType=805306368: this search returns user and inetOrgPerson objects. sAMAccountType is indexed and is therefore a good alternative.


                              \Rems
                              Exactly, you are using two attributes (one of which is not indexed) to get the same end result that you could get from using a single attribute that is indexed... so how can you say that this is just as efficient?