0
votes

I'm trying to set up an external Active Directory GAL on Zimbra 8.8.7; my current working filter is

(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

Autocomplete filter is

(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))

LDAP search base

dc=sub,dc=domain,dc=com

Search and autocomplete return all AD users, including admin accounts. What is the correct way to exclude the administrators group from the LDAP search? The accounts I need to exclude are in OU "Admins" and are members of a couple of groups like the built-in "Administrators" and the users "Domain Admins", "Enterprise Admins", etc. I've tried adding (&(objectCategory=group)(!cn=Admin) but it doesn't seem to be valid.

1
(!(memberOf=cn=groupname,...,dc=example,dc=net)) - jwilleke
@jwilleke, not sure where I should insert it. Before the rest of the exclusions? I tried (&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!memberOf=cn=Administrators)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList))) but it returns the error - gibengy
What rest of exclusions? All that was asked was "LDAP filter to exclude admins group" - jwilleke
For the GAL on Zimbra using Active Directory. Sorry, couldn't fit all this info in the subject, so I put more details in the body of the question. Without all these exclusions Zimbra just doesn't return anything, or returns a "Code:ldap.INVALID_SEARCH_FILTER" error - gibengy

1 Answer

0
votes

Decided to post my workaround, which is already in production. Couldn't make the exclusion rule work, and another task required a real employees group to be created in AD anyway, so I ended up adding all people accounts to a group Staff, and the domain GAL search looks like this:

LDAP filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Staff,ou=Groups,dc=dc1,dc=domainname,dc=com))

Autocomplete filter: (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))

LDAP search base: dc=dc1,dc=domainname,dc=com
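The following is an added example (not code from the question, the answer or Zimbra) that shows why the attempt in the comments was rejected and how the exclusion should be composed. Two things go wrong in `(!memberOf=cn=Administrators)`: in RFC 4515 syntax the operand of `!` must itself be a parenthesised filter, so the server reports an invalid filter, and `memberOf` in Active Directory only matches the group's full distinguished name, never a bare `cn=`. A further caveat for admin groups: AD's plain `memberOf` matches direct membership only, so an account that is an admin through a nested group is not excluded unless the filter uses the `LDAP_MATCHING_RULE_IN_CHAIN` extensible match (`memberOf:1.2.840.113556.1.4.1941:=DN`). The small parser below checks the filters that appear on this page (the working filter from the question, the failing one from the comment, and the answer's Staff filter), and `build_gal_filter` shows one way to AND the exclusions onto the person/user branch of the question's filter. The group DNs, the search term and the `%s` substitution are assumptions of the example; the thread does not say whether Zimbra escapes the user's search term before substituting it into `%s`, so the builder escapes it here so that `*`, `(` or `)` typed by a user cannot change the filter's shape.

```python
import re

# Filters as they appear in the thread (the comment's attempt is the broken one).
QUESTION_FILTER = (
    "(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))"
    "(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))(objectCategory=publicFolder)"
    "(objectCategory=msExchDynamicDistributionList)))"
)
COMMENT_ATTEMPT = QUESTION_FILTER.replace(
    "(objectClass=user)(!(homeMDB=*))", "(objectClass=user)(!memberOf=cn=Administrators)(!(homeMDB=*))"
)
ANSWER_FILTER = "(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Staff,ou=Groups,dc=dc1,dc=domainname,dc=com))"

# Attribute description, optionally with an extensible-match rule OID such as
# "memberOf:1.2.840.113556.1.4.1941:"; a practical subset of RFC 4515.
_ATTR_RE = re.compile(r"^[A-Za-z][\w.;-]*(?::[\w.]+:)?$")

# LDAP_MATCHING_RULE_IN_CHAIN: AD rule that makes memberOf match nested
# (transitive) group membership instead of direct membership only.
NESTED_MEMBER_RULE = "1.2.840.113556.1.4.1941"

# Person/user core of the question's filter, used as the base to extend.
BASE_FILTER = (
    "(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))"
    "(objectCategory=person)(objectClass=user))"
)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an assertion: \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty %s list at offset %d" % (op, i))
        node = (op, children)
    elif op == "!":
        # The negated filter must itself be parenthesised, (!(attr=value));
        # (!memberOf=...) from the comment fails exactly here.
        i, child = _parse(s, i + 1)
        node = ("!", [child])
    else:
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated assertion at offset %d" % i)
        item = s[i:j]
        if "(" in item or "=" not in item:
            raise ValueError("malformed assertion %r" % item)
        attr, _, value = item.partition("=")
        attr = attr.rstrip("~<>")  # ~=, <=, >= comparators
        if not _ATTR_RE.match(attr):
            raise ValueError("bad attribute %r" % attr)
        node = ("item", attr, value)
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1, node


def parse_filter(s):
    """Return a tree for a filter string, or raise ValueError if it is malformed."""
    i, node = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data at offset %d" % i)
    return node


def is_valid_filter(s):
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def exclusion_clause(group_dns, nested=True):
    """One (!(memberOf...=DN)) term per group; AD needs the full group DN here."""
    attr = "memberOf:%s:" % NESTED_MEMBER_RULE if nested else "memberOf"
    return "".join("(!(%s=%s))" % (attr, escape_filter_value(dn)) for dn in group_dns)


def build_gal_filter(term, group_dns, nested=True):
    """Substitute an escaped search term for %s and AND the group exclusions on."""
    base = BASE_FILTER.replace("%s", escape_filter_value(term))
    result = "(&%s%s)" % (base, exclusion_clause(group_dns, nested))
    parse_filter(result)  # fail fast locally instead of at the directory server
    return result


if __name__ == "__main__":
    print("question filter valid:", is_valid_filter(QUESTION_FILTER))
    print("comment attempt valid:", is_valid_filter(COMMENT_ATTEMPT))
    print(build_gal_filter("jo", ["CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=com",
                                  "CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=com"]))
```

The chain-rule match walks group nesting on the server side, so it is slower than a plain `memberOf` and worth keeping to a handful of groups; the DNs and the `DC=sub,DC=domain,DC=com` suffix above are placeholders to replace with the real objects from the directory.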