LDAP/AD filter - "objectclass not equal to" is not working
I am working with LDAP Active Directory and trying to list all users. I have this filter which works perfectly:
(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
Unfortunately, we also have computer units and other devices present in AD with objectclass "user", so with the previous filter I got all users, computers, devices, rooms, etc.
These computers and devices also have an objectclass "computer", so I need to extend the filter with objectclass!="computer" in order to list only real users. So far I've tried these filters; none of them works (no data returned!):
(&(objectclass=user)(!objectclass=computer)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(&(objectclass=user)(!(objectclass=computer))(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!(objectclass=computer))(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!objectclass=computer)(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(real users do not have the objectclass "computer").
I am working with the PHP LDAP implementation, so I'm using the ldap_search() method.
The "not equal to" syntax was found e.g. here: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx or here: http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
Maybe I could try to filter users where (!CN=Computers) in DN, but first I'd like to filter (!objectclass=computer) as it is more logical for me.
What is the correct syntax for objectclass != "computer" expression?
Contrary to the first link you provided, (!objectclass=computer) is not a valid filter expression. It should be (!(objectclass=computer)). See RFC 2254:
filter ::= "(" filtercomp ")"
not ::= "!" filter
So your filter should be
(&(!(objectclass=computer))(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
If you are trying to get all users, you could just do this:
(&
(objectclass=user)
(!(objectClass=computer))
)
It looks like you're trying to get users who are members of specific groups AND who have a specified principalname (right?). If so, you could do:
(&
(objectclass=user)
(!(objectClass=computer))
(|
(userPrincipalName=username@domain.com)
(displayName=John Doe)
)
(|
(memberOf=CN\=group1,CN\=Groups,DC\=domain,DC\=com)
(memberOf=CN\=group2,CN\=Groups,DC\=domain,DC\=com)
)
)
These work on my end (you may need to remove whitespace in your PHP code).
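As an added example that is not part of the question or either answer, the following Python (rather than PHP, since the point is the filter grammar, not the client library) implements the two RFC 2254 productions quoted in the first answer as a small parser and evaluator. It rejects (!objectclass=computer) at exactly the point where the grammar demands a "(" after "!", rejects two filters placed side by side, accepts (!(objectclass=computer)), and then runs the corrected filter over two constructed in-memory entries, one of which is a computer object that also carries objectclass "user" as in AD. It also re-serialises a multi-line filter onto one line without disturbing whitespace inside values such as displayName=John Doe, which is the safe way to do the whitespace removal the second answer mentions. The entry data, the USERS_ONLY filter and all function names are assumptions made for this example.

```python
# Added example, not code from the question or either answer: a small RFC 2254
# filter parser/evaluator run over constructed in-memory entries, so no LDAP
# server is needed. Assumptions: attribute names compare case-insensitively (as
# in AD); only "=" and presence (=*) items are evaluated; DNs are plain strings.
import re

def parse_filter(text):
    """Parse into ("&"|"|", [children]), ("!", [child]) or ("item", attr, op, value).
    Whitespace between components is skipped; whitespace inside a value is kept."""
    pos = 0

    def peek():  # next non-whitespace character, "" at end of input
        nonlocal pos
        while text[pos:pos + 1] in (" ", "\t", "\r", "\n"):
            pos += 1
        return text[pos:pos + 1]

    def expect(ch):
        nonlocal pos
        if peek() != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def filt():  # filter ::= "(" filtercomp ")"
        nonlocal pos
        expect("(")
        op = peek()
        if op in ("&", "|"):  # and/or ::= "&"/"|" filterlist
            pos += 1
            children = []
            while peek() == "(":
                children.append(filt())
            if not children:
                raise ValueError("'%s' needs at least one filter" % op)
            node = (op, children)
        elif op == "!":  # not ::= "!" filter, so a "(" must follow the "!"
            pos += 1
            if peek() != "(":  # this is where (!objectclass=computer) fails
                raise ValueError("'!' must be followed by '(' at offset %d" % pos)
            node = ("!", [filt()])
        else:  # item ::= attr filtertype value
            end = text.find(")", pos)
            m = re.fullmatch(r"([A-Za-z][\w.;-]*)(=|~=|>=|<=)(.*)", text[pos:end], re.S) if end >= 0 else None
            if not m:
                raise ValueError("bad filter item at offset %d" % pos)
            node, pos = ("item",) + m.groups(), end
        expect(")")
        return node

    node = filt()
    if peek() != "":  # e.g. two filters side by side: (!(a=b))(c=d)
        raise ValueError("trailing data at offset %d" % pos)
    return node

def matches(node, entry):
    """Evaluate a parsed filter against {lowercase attr: [lowercase values]}."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, ftype, value = node
    if ftype != "=":
        raise NotImplementedError("only '=' items are modelled here")
    values = entry.get(attr.lower(), [])
    return bool(values) if value == "*" else value.lower() in values

def to_string(node):
    """Re-serialise on one line: drops whitespace between components, keeps values intact."""
    if node[0] in ("&", "|"):
        return "(%s%s)" % (node[0], "".join(to_string(c) for c in node[1]))
    if node[0] == "!":
        return "(!%s)" % to_string(node[1][0])
    return "(%s%s%s)" % node[1:]

def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

ENTRIES = {  # constructed; as in AD, the computer object also has objectClass "user"
    "CN=John Doe,OU=Users,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "userPrincipalName": ["jdoe@domain.com"], "displayName": ["John Doe"],
        "memberOf": ["CN=group1,CN=Groups,DC=domain,DC=com"]},
    "CN=WS01,CN=Computers,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "displayName": ["WS01"], "memberOf": ["CN=group1,CN=Groups,DC=domain,DC=com"]},
}

def search(filter_text, entries=ENTRIES):
    """DNs matching the filter, in the spirit of ldap_search() over a subtree."""
    tree = parse_filter(filter_text)
    norm = {dn: {a.lower(): [v.lower() for v in vs] for a, vs in e.items()} for dn, e in entries.items()}
    return sorted(dn for dn, e in norm.items() if matches(tree, e))

USERS_ONLY = """(&(objectClass=user)(!(objectClass=computer))
  (|(userPrincipalName=jdoe@domain.com)(displayName=WS01))
  (memberOf=CN=group1,CN=Groups,DC=domain,DC=com))"""
```

search(USERS_ONLY) returns only the John Doe DN; dropping the (!(objectClass=computer)) term returns the workstation as well, because the OR on displayName matches it and it is a "user" too. to_string(parse_filter(...)) is the safe replacement for a blanket whitespace strip, which would turn "John Doe" into "JohnDoe".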