
LDAP/AD filter - "objectclass not equal to" is not working

I am working with LDAP Active Directory and trying to list all users. I have this filter, which works perfectly:

(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))

Unfortunately, we also have computer units and other devices present in AD with objectclass "user", so with the previous filter I got all users, computers, devices, rooms, etc.

These computers and devices also have an objectclass "computer", so I need to extend the filter with objectclass!="computer" in order to list only real users. So far I have tried these filters, none of them working (no data returned!):

(&(objectclass=user)(!objectclass=computer)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(&(objectclass=user)(!(objectclass=computer))(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!(objectclass=computer))(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!objectclass=computer)(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))

(real users do not have the objectclass "computer").

I am working with the PHP LDAP implementation, so I am using the ldap_search() method.

The "not equal to" syntax was found e.g. here: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx or here: http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx

Maybe I could try to filter users where (!CN=Computers) is in the DN, but first I'd like to filter with (!objectclass=computer), as it is more logical to me.

What is the correct syntax for objectclass != "computer" expression?


Contrary to the first link you provided, (!objectclass=computer) is not a valid filter expression. It should be (!(objectclass=computer)). See RFC 2254:

filter ::= "(" filtercomp ")"

not ::= "!" filter

So your filter should be

(&(!(objectclass=computer))(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))


If you are trying to get all users, you could just do this:

(&
   (objectclass=user)
   (!(objectClass=computer))
)

It looks like you're trying to get users who are members of specific groups AND who have a specified principalname (right?). If so, you could do:

(&
    (objectclass=user)
    (!(objectClass=computer))
    (|
        (userPrincipalName=username@domain.com)
        (displayName=John Doe)
    )
    (|
        (memberOf=CN\=group1,CN\=Groups,DC\=domain,DC\=com)
        (memberOf=CN\=group2,CN\=Groups,DC\=domain,DC\=com)
    )
)

These work on my end (you may need to remove the whitespace in your PHP code).

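As an added example (not code from either answer), here is a small strict parser for the RFC 2254 filter grammar quoted in the first answer. The sample filters are constructed from the second answer's values and show why (!objectClass=computer), a filter preceded by a stray (!(...)), and the pretty-printed multi-line form are all rejected, while (!(objectClass=computer)) parses.

```python
import re

# Simplified RFC 2254 grammar (attribute descriptions and escapes are checked loosely):
#   filter ::= "(" filtercomp ")"      filtercomp ::= and | or | not | item
#   and ::= "&" filterlist             or ::= "|" filterlist
#   not ::= "!" filter                 filterlist ::= 1*filter
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)")


class FilterError(ValueError):
    """Raised when a string is not a single well-formed search filter."""


def _parse(s, pos):
    """Parse one 'filter' production starting at s[pos]; return (ast, next_pos)."""
    if pos >= len(s) or s[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise FilterError("unexpected end of filter")
    op = s[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one nested filter at offset {pos}")
        node = (op, children)
    elif op == "!":
        # 'not' wraps exactly one parenthesised filter: (!(a=b)) is valid, (!a=b) is not.
        child, pos = _parse(s, pos + 1)
        node = ("!", [child])
    else:
        m = _ITEM.match(s, pos)
        if not m:
            raise FilterError(f"malformed item (or stray whitespace) at offset {pos}")
        node = ("item", m.group(1), m.group(2), m.group(3))
        pos = m.end()
    if pos >= len(s) or s[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return node, pos + 1


def parse_filter(s):
    """Parse a complete filter; trailing text (a second top-level filter) is an error."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise FilterError(f"trailing text at offset {pos}: {s[pos:]!r}")
    return node


def is_valid_filter(s):
    """True when s is exactly one filter under the grammar above."""
    try:
        parse_filter(s)
        return True
    except FilterError:
        return False


# Constructed sample filters, using the second answer's example values.
_GROUPS = "(|(memberOf=CN=group1,CN=Groups,DC=domain,DC=com)(memberOf=CN=group2,CN=Groups,DC=domain,DC=com))"
_PEOPLE = "(|(userPrincipalName=username@domain.com)(displayName=John Doe))"
OK_FILTER = "(&(objectclass=user)(!(objectClass=computer))" + _PEOPLE + _GROUPS + ")"
BAD_NOT_FILTER = "(&(objectclass=user)(!objectClass=computer)" + _PEOPLE + _GROUPS + ")"
BAD_PREFIX_FILTER = "(!(objectClass=computer))(&(objectclass=user)" + _PEOPLE + _GROUPS + ")"
PRETTY_FILTER = "(&\n    (objectclass=user)\n    (!(objectClass=computer))\n)"
```

Run is_valid_filter() over each constant to see which of the asker's variants the grammar accepts; the multi-line form fails only because of the whitespace between components.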