Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to use a filter to avoid a sub OU in Active Directory?

Tags:

I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.

I have an OU I want to pull information from, but there is a sub OU I want to avoid:

Wanted

users from OU=People,DC=mydomain,DC=com

Not Wanted

users from OU=Evil,OU=People,DC=mydomain,DC=com

I know that this could be done by rewriting the application performing teh import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.

like image 455
DrStalker Avatar asked Jul 08 '09 23:07

DrStalker

People also ask

What is CN OU DC in Active Directory?

Show activity on this post. CN = Common Name. OU = Organizational Unit. DC = Domain Component.

2 Answers

If you're using System.DirectoryServices(.Protocols) in .NET you could set the SearchScope to OneLevel to only search in the People-OU (and no child-OUs). But that won't work if you have any OU=Good,OU=People,DC=mydomain,DC=com...

The second option would be to query the People-OU for all sub-OU:s (objectClass=organizationalUnit) and then issue multiple search requests; one for each of them (except the "Evil" one).

Edit: @geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil-OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users but that will break a lot of other things (including Exchange) and is not supported by Microsoft.

like image 158
Per Noalt Avatar answered Oct 11 '22 11:10

Per Noalt

AFAICT, this cannot be done with an LDAP filter in active directory. Many other LDAP implementations support extensible matching, but AD does not.

Users recommending filters containing (ou:dn:=Evil) or wildcards on distinguishedName have not tested against Active Directory.

like image 34
esk Avatar answered Oct 11 '22 10:10

esk
Sign in to Comment

Related questions

How to upgrade SVN 1.4.4 (r25188) to SVN 1.6
Globbing in C++/C, on Windows
Reading a remote file using Java
Method may only be called on a Type for which Type.IsGenericParameter is true
PowerShell history: how do you prevent duplicate commands?
Edit other users' alerts for a project in TFS
has_many while respecting build strategy in factory_girl
Overriding "equals" method: how to figure out the type of the parameter?
HttpContext.Current.User is null even though Windows Authentication is on
How to load Assembly at runtime and create class instance?
Is there a way to control which implicit conversion will be the default used?
NHibernate -failed to lazily initialize a collection of role

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!