1
votes

What is the search filter syntax for "all users under the given OU DN"? Looking at the docs here (https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx) did not seem to answer this question (though I am totally new to AD, so it may be in there under other wording).

Use case is that I have an AD path "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local" under which there are several person entries (i.e. their attribute objectClass OID is "top;person;organizationalPerson;user"). I would like to add them to a search filter (for Apache Ranger AD usersync), but have only seen examples of filtering for a specified group, i.e. "memberOf=".

Can anyone with more AD experience let me know the right way to filter for users under some arbitrary OU DN?

1
For my particular use case, I made use of the fact that Apache Ranger AD usersync configs can take multiple search bases (using the ; separator). So my search base ended up looking like dc=myorg,dc=local;ou=Users,ou=HortonworksUsers,dc=myorg,dc=local (then sorted the rest out via search filter configs). - lampShadesDrifter

Also, for my use case, I could have put all desired users into a group under the OU and added that group as a user search filter in the Ranger configs in Ambari (i.e. as the filter string memberOf=< DN path of the created group >). - lampShadesDrifter

1 Answer

3
votes

To grab all users under the given OU, you need to set the following search parameters:

  • base dn: OU=Users,OU=HortonworksUsers,DC=ucera,DC=local
  • scope: subtree or sub (which is the default for most LDAP clients)
  • filter: (|(objectClass=person)(objectClass=user))

Translated into ldapsearch options, you get something like this (the filter is single-quoted so the shell does not interpret the parentheses and the | character):

ldapsearch -H ldap://<host>:<port> -D <bind_dn> -W -b OU=Users,OU=HortonworksUsers,DC=ucera,DC=local -s sub '(|(objectClass=person)(objectClass=user))'
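As an added example (not part of the question or the answer above, and not Ranger's own code), the following Python builds the base/scope/filter triple from the answer, splits a Ranger-style `;`-separated search base, and checks whether a returned entry DN really lies under the chosen OU, which is a useful sanity check on what a subtree usersync actually pulled in. It also offers the stricter AD filter `(&(objectCategory=person)(objectClass=user))`, because computer accounts in AD carry objectClass=user as well and would match the answer's filter. The entry DNs in the `__main__` block are constructed samples; no directory connection is made.

```python
# Added example: plain string handling only, so it runs offline without an LDAP library.
from typing import Dict, List, Tuple

SCOPE_SUBTREE = "sub"  # the "sub"/subtree scope from the answer


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, case-folding both sides and trimming
    whitespace around components. Honours backslash escapes such as '\\,' inside
    values; multi-valued RDNs ('+') are not handled (rare for AD user/OU DNs).
    Case-folding values is fine for the case-ignore attributes used here (CN/OU/DC)."""
    parts: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr_type, _, value = part.strip().partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or any descendant of it (subtree semantics)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def user_search_params(ou_dn: str, exclude_computers: bool = False) -> Dict[str, str]:
    """Base, scope and filter as given in the answer. With exclude_computers=True the
    AD-idiomatic filter is used instead, which leaves out computer accounts."""
    flt = ("(&(objectCategory=person)(objectClass=user))" if exclude_computers
           else "(|(objectClass=person)(objectClass=user))")
    return {"base": ou_dn, "scope": SCOPE_SUBTREE, "filter": flt}


def split_ranger_search_bases(value: str) -> List[str]:
    """Ranger usersync accepts several search bases separated by ';' (see the comments)."""
    return [b.strip() for b in value.split(";") if b.strip()]


if __name__ == "__main__":
    params = user_search_params("OU=Users,OU=HortonworksUsers,DC=ucera,DC=local")
    for dn in ["CN=Jane Doe,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local",  # constructed
               "CN=Ops Box,OU=Servers,DC=ucera,DC=local"]:                      # constructed
        print(dn, "->", is_under_base(dn, params["base"]))
```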