Reputation: 15729
I am trying to exclude a domain controller from my LDAP search. I have 3 DCs: staff, student and exams.
So I can use one of the following search DNs:
DC=staff,DC=root,DC=mycompany,DC=fr
DC=student,DC=root,DC=mycompany,DC=fr
DC=exams,DC=root,DC=mycompany,DC=fr
Then the search is simple : (&(objectCategory=person)(objectClass=user)(sAMAccountName=johndoe))
It works, but a person (sAMAccountName) can be under several domains (i.e. student and exams), so it is found twice. I need to restrict the search to only staff and student.
I tried the following query but it does not work:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=johndoe)(!(memberOf=DC=exams,DC=root,DC=mycompany,DC=fr)))
Upvotes: 0
Views: 2338
Reputation: 11216
I think you are mixing up your DCs and groups. memberOf is a reverse pointer attribute in Active Directory; it is maintained on the user object but corresponds directly to the groups to which the user is a member. If you actually had your different members in groups that corresponded to your domain you could do something like that. It would look more like this though...
(&
(objectCategory=person)(objectClass=user)(sAMAccountName=johndoe)
(!(memberOf=cn=exams_group,ou=groups,DC=exams,DC=root,DC=mycompany,DC=fr))
)
If that does not look like it will work for you, take a look at your userPrincipalName attribute values for each entry. It is possible that they all have different extensions. The userPrincipalName is guaranteed unique across the forest and is generally in the format of an email address samaccountname@domainname. If you have duplicate samaccountnames across domains there is a good chance the domain component of the userprincipalname will be different.
You could do something like this... a bit crude, but maybe effective:
(&
(objectCategory=person)(objectClass=user)(sAMAccountName=johndoe)
(!(userprincipalname=*@exams.root.mycompany.fr))
)
Or you could just submit multiple positive search requests.
Upvotes: 2
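The two approaches from the answer (a negative userPrincipalName clause, or one positive search per allowed domain) can be built programmatically. The following is an added example, not code from either post: it constructs the filters with RFC 4515 escaping so that a sAMAccountName taken from user input cannot inject extra filter terms, and it produces the per-domain (base DN, filter) pairs for the "multiple positive search requests" option. The domain names and base DNs are the ones from the question; the function names are this example's own, and no LDAP library is used, so it runs offline.

```python
"""Build the LDAP filters discussed above with RFC 4515 escaping (added example, stdlib only)."""

# The three domain base DNs from the question.
BASE_DNS = {
    "staff": "DC=staff,DC=root,DC=mycompany,DC=fr",
    "student": "DC=student,DC=root,DC=mycompany,DC=fr",
    "exams": "DC=exams,DC=root,DC=mycompany,DC=fr",
}

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so the text cannot close or extend the filter.

    Without this, an input such as "*)(objectClass=*" would turn the intended
    equality match into a wildcard match plus an extra clause.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name, excluded_upn_suffix=None):
    """Return the person/user filter from the question, optionally with the
    answer's negative userPrincipalName clause for one domain suffix."""
    base = (
        "(objectCategory=person)(objectClass=user)"
        "(sAMAccountName=" + escape_filter_value(sam_account_name) + ")"
    )
    if excluded_upn_suffix is None:
        return "(&" + base + ")"
    # The leading '*' wildcard is intentional and added here; the suffix itself
    # is escaped so a stray '*' or ')' in configuration cannot widen the match.
    exclude = "(!(userPrincipalName=*@" + escape_filter_value(excluded_upn_suffix) + "))"
    return "(&" + base + exclude + ")"


def search_plan(sam_account_name, domains=("staff", "student")):
    """The 'multiple positive searches' option: one (base_dn, filter) pair per
    allowed domain, so the exams domain is never searched at all."""
    flt = user_filter(sam_account_name)
    return [(BASE_DNS[d], flt) for d in domains]


if __name__ == "__main__":
    print(user_filter("johndoe", "exams.root.mycompany.fr"))
    for base_dn, flt in search_plan("johndoe"):
        print(base_dn, flt)
    # A hostile name is neutralised rather than rewriting the filter:
    print(user_filter("*)(objectClass=*"))
```

Of the two options, the per-domain search plan is the one that relies least on data hygiene: the negative userPrincipalName clause still returns an exams entry whose UPN is missing or set to an unexpected suffix, whereas a search rooted at the staff or student base DN cannot return an object from the exams naming context.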