Codded

Reputation: 1256

LDAP exclude sub OU from search

Say I had a structure like the following:

_users
|__A
|__B
   |__B1
   |__B2
   |__B3
|__C
|__D

ou=users, dc=domain, dc=co, dc=uk;

How can I exclude A and B2?

Upvotes: 3

Views: 21204

Answers (6)

JPBlanc

Reputation: 72680

An LDAP search is composed of 4 elements:

  1. The node from which you ask to begin the search (the Distinguished Name of the node)
  2. The scope of your search (base, onelevel, subtree)
  3. The filter of your search (e.g. (objectClass=user))
  4. The attributes you want to retrieve.

In Active Directory, there exists no "natural" way to exclude an OU from a recursive search.

Regarding LDAP, from a theoretical point of view, ExtensibleMatch exists and enables what you want to do, but it's not supported in Active Directory.

Upvotes: 6

ramos1053

Reputation: 11

For me, I needed to easily exclude disabled users from LDAP search results or anything else that would show these user accounts alongside enabled (active) accounts. I denied List Contents access for the Disabled Users OU, which leaves the OU visible but not its contents. The result is that people searches from, let's say, bound Mac clients using the Contacts app will no longer see 'ghost' users.

Upvotes: 1

Greg

Reputation: 11

I'm doing something similar. I first use a search for 'objectclass=organizationalunit' with the search scope set to 'OneLevel'. Code looks something like this:

string excludedOuDn = "OU=B2,OU=B,OU=users,DC=ChildDomain,DC=RootDomain"; // example DN of the OU to skip
DirectoryEntry oDE = new DirectoryEntry("LDAP://DC=ChildDomain,DC=RootDomain");
using (DirectorySearcher ds = new DirectorySearcher(oDE))
{
    ds.PropertiesToLoad.Add("distinguishedName"); // AD exposes the DN as distinguishedName, not "dn"
    ds.SearchScope = SearchScope.OneLevel;
    ds.Filter = "(objectClass=organizationalUnit)";
    ds.PageSize = 30;
    foreach (SearchResult sr in ds.FindAll())
    {
        string dn = (string)sr.Properties["distinguishedName"][0];
        if (dn.Equals(excludedOuDn, StringComparison.OrdinalIgnoreCase)) continue; // skip the excluded OU
        // otherwise take some action on this OU
    }
}

Then I use a foreach loop to cycle through the results and compare the distinguished name of each result with the one OU I'm excluding. If the OU's dn matches, I continue to the next result. If not, then I take some action.

Upvotes: 1
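The same idea done client-side on the results of a single subtree search, generalised to whole subtrees and to the two OUs the question names. This is an added example, not Greg's code: it assumes you already hold the entry DNs returned by a search from ou=users, compares DNs component by component (case-insensitive, tolerant of the spaces after commas used in the question, and aware of escaped commas in RDN values), and drops everything under A and B2. The result list and the "OU=AB" entry are constructed test data.

```python
import re
from typing import Iterable

# Split a DN on commas that are not backslash-escaped (e.g. "CN=Smith\, Dan" stays one RDN).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def dn_components(dn: str) -> list[str]:
    """Normalise a DN into lower-cased 'attr=value' RDNs, most specific first."""
    normalised = []
    for part in _RDN_SPLIT.split(dn):
        attr, _, value = part.strip().partition("=")
        normalised.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalised


def is_under(entry_dn: str, ou_dn: str) -> bool:
    """True if entry_dn is the OU itself or lies anywhere beneath it."""
    entry, ou = dn_components(entry_dn), dn_components(ou_dn)
    return len(entry) >= len(ou) and entry[-len(ou):] == ou


def exclude_ous(entry_dns: Iterable[str], excluded_ous: Iterable[str]) -> list[str]:
    """Client-side filter: keep only entries that sit under none of the excluded OUs."""
    excluded = list(excluded_ous)
    return [dn for dn in entry_dns if not any(is_under(dn, ou) for ou in excluded)]


# Constructed sample of what a subtree search from ou=users might return for the question's tree.
SAMPLE_RESULTS = [
    "CN=alice,OU=A,OU=users,DC=domain,DC=co,DC=uk",
    "CN=bob,OU=B1,OU=B,OU=users,DC=domain,DC=co,DC=uk",
    "CN=carol,OU=B2,OU=B,OU=users,DC=domain,DC=co,DC=uk",
    "CN=Smith\\, Dan,OU=B3,OU=B,OU=users,DC=domain,DC=co,DC=uk",  # escaped comma in the RDN
    "CN=erin,OU=AB,OU=users,DC=domain,DC=co,DC=uk",  # a substring check on "OU=A" would wrongly drop this
    "CN=frank,OU=C,OU=users,DC=domain,DC=co,DC=uk",
]

# The OUs to exclude, written the way the question writes DNs (spaces after commas).
EXCLUDED = [
    "ou=A, ou=users, dc=domain, dc=co, dc=uk",
    "ou=B2, ou=B, ou=users, dc=domain, dc=co, dc=uk",
]

if __name__ == "__main__":
    for dn in exclude_ous(SAMPLE_RESULTS, EXCLUDED):
        print(dn)  # bob, Smith\, Dan, erin and frank remain; alice and carol are dropped
```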

condonate

Reputation: 1

I may be oversimplifying this, but couldn't you also just deny list/read access to the OUs which you would like to exclude from the query? Assuming you are using a specific service account to perform the lookup, this should work.

Upvotes: 0

higuita

Reputation: 2315

The only way is to set a special attribute only on the wanted or the not-wanted OU. You can use the pager attribute for a user, or the physicalLocationObject for a computer, as they are little used and can usually be "abused" for managing this kind of problem (don't forget to confirm that they are really unused!!). You can then do a search filtering on those attributes to exclude those OUs, like: (&(objectclass=user)(!(pager=*)))

Of course, this is inefficient, and the correct solution is reordering the LDAP/AD structure to fit what is needed.

Upvotes: 0

Terry Gardner

Reputation: 11132

Since the directory server is non-compliant (as JP notes, AD does not support extensible match filters and is therefore non-compliant), if there are attributes with values identifying the entries as belonging to A and B2, exclude those with the search filter. For example, if entries subordinate to A have an objectClass with value in-A, your filter could exclude those with a search consisting of base object ou=users, dc=domain, dc=co, dc=uk, scope whole subtree, filter (!(objectClass=in-A)), and the list of attributes you desire. A similar filter could be constructed to exclude entries from A and B2 simultaneously.

For more about searching and search filters, see LDAP: Mastering Search Filters.

Upvotes: 0
