Catie

Reputation: 75

LDAP search not finding entries in child OUs

Say you have an LDAP with the following structure:

dc=corp,dc=com
|--dc=security
   |--ou=users
      |--ou=corporate
      |  |--ou=it
      |     |--it-user1
      |     |--it-user2
      |--user1
      |--user2
      |--user3

I need a search query that will look at all entries under the users ou, including those under corporate and it.

Currently I am trying the following:

uid=it-user2,ou=users,dc=security,dc=corp,dc=com

The scope of the search is set as subtree. I was under the impression that the subtree scope would cause the LDAP to search recursively through the entire tree, but that does not seem to be the case. However, if I add the full path into the search as I have below, the entry is found.

uid=it-user2,ou=it,ou=corporate,ou=users,dc=security,dc=corp,dc=com

Could someone give me an idea of where I am going wrong? Thanks.

Upvotes: 3

Views: 13369

Answers (3)

Bora

Reputation: 812

You need to set your search context (i.e., the search base) to where your object/entry is stored. Based on your example, the search context is ou=users,dc=security,dc=corp,dc=com. When you set the search scope to subtree, it should find the entry or entries that match your criteria (i.e., search filter). For example,

ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(uid=it-user2)"

Of course, with the 'subtree' search scope, you could even set the search context to a higher level container (e.g., dc=security,dc=corp,dc=com). Your entry would still be found as long as it matches the criteria specified by your filter. Since you're searching for all entries under the ou=users container, your query would probably look like this:

ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(uid=*)"

or

ldapsearch -h SERVER -b ou=users,dc=security,dc=corp,dc=com -s sub "(objectclass=*)"

Upvotes: 2

wruckie

Reputation: 1803

I fought this for hours - CN=Users LDAP Directory Entry in .Net - not working with OU=Users

This may seem silly and stupid, but the default tree setup in Active Directory is not OU=Users,dc=domain,dc=com but rather CN=Users,dc=domain,dc=com (Note the CN= not the OU= for Users.)

Upvotes: 1

Terry Gardner

Reputation: 11132

uid=it-user2,ou=users,dc=security,dc=corp,dc=com does not exist. The LDAP client must provide a base object to the search request which exists.

see also

Upvotes: 0
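Bora's and Terry Gardner's answers make the same two points: the base DN must be an entry that actually exists, and only then does the scope decide how far below it the server looks. The following is an added example, not code from the question or any answer: a small Python model of how a server applies base, scope and filter, loaded with the directory from the question as constructed data. The filter parser and the synthetic objectClass attribute are simplifications assumed for the example; no server is contacted.

```python
# Added example: a model of LDAP base/scope/filter evaluation over the
# directory from the question (constructed data, not a real server).
from typing import Dict, List, Tuple

NO_SUCH_OBJECT = 32   # RFC 4511 resultCode returned when the base DN does not exist
SUCCESS = 0

def norm_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into its RDNs, lower-cased and stripped (loose DN normalisation)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

# Constructed directory: each entry gets the attribute from its leftmost RDN
# plus a synthetic objectClass so that "(objectclass=*)" matches everything.
DIRECTORY: Dict[Tuple[str, ...], Dict[str, str]] = {}
for _dn in [
    "dc=corp,dc=com",
    "dc=security,dc=corp,dc=com",
    "ou=users,dc=security,dc=corp,dc=com",
    "ou=corporate,ou=users,dc=security,dc=corp,dc=com",
    "ou=it,ou=corporate,ou=users,dc=security,dc=corp,dc=com",
    "uid=it-user1,ou=it,ou=corporate,ou=users,dc=security,dc=corp,dc=com",
    "uid=it-user2,ou=it,ou=corporate,ou=users,dc=security,dc=corp,dc=com",
    "uid=user1,ou=users,dc=security,dc=corp,dc=com",
    "uid=user2,ou=users,dc=security,dc=corp,dc=com",
    "uid=user3,ou=users,dc=security,dc=corp,dc=com",
]:
    _rdns = norm_dn(_dn)
    _attr, _, _value = _rdns[0].partition("=")
    DIRECTORY[_rdns] = {_attr: _value, "objectclass": "top"}

def search(base: str, scope: str, filt: str) -> Tuple[int, List[str]]:
    """Evaluate one search request; scope is 'base', 'one' or 'sub'.
    Only simple '(attr=value)' and '(attr=*)' filters are supported (assumption)."""
    base_rdns = norm_dn(base)
    if base_rdns not in DIRECTORY:
        return NO_SUCH_OBJECT, []          # base object must exist, whatever the scope
    attr, _, value = filt.strip("()").lower().partition("=")
    hits: List[str] = []
    for rdns, attrs in DIRECTORY.items():
        depth = len(rdns) - len(base_rdns)
        if depth < 0 or rdns[depth:] != base_rdns:
            continue                       # entry is not under the base DN
        if scope == "base" and depth != 0:
            continue
        if scope == "one" and depth != 1:
            continue                       # 'sub' accepts the base and every descendant
        if attr in attrs and (value == "*" or attrs[attr] == value):
            hits.append(",".join(rdns))
    return SUCCESS, hits
```

With the question's original base the model returns resultCode 32 (noSuchObject) before any filter is applied; with ou=users as the base and subtree scope, it-user2 is found three levels down.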
