Search the Community
Showing results for tags 'ldap'.
-
Hey All, I am banging my head against a wall here trying to get an LDAP query to work, so I am hoping someone can help me out. GOAL: I'm trying to map drives using Item Level targeting. CURRENT SOLUTION: An Autoit login script runs, determines the user that logs in, looks at the users group membership. If a User is a member of a group that contains the string "User-LAX" Then it will map \\server1\shareA. If a User is a member of a group that contains the string "User-ORD" Then it will map \\server2\shareB. With the power of scripting this is easy to achieve. PROBLEM: The active directory setup is extremely large and complex, and perhaps has not been designed with a lot of thought for situations like this. There are multiple buildings, and each building has a user code used in Security Group names i.e. User-LAX-HR, User-ORD-HR, User-LAX-Accounting, User-ORD-Accounting etc. So if they are a member of a group that contains "User-LAX", it will map the UNC path \\server1\shareA. That's the aim. Now there are potentially hundreds of groups that begin with "User-LAX", so while I could easily run an LDAP Query on each group called "User-LAX", this would take me forever to build a group policy containing all the different possibilities. RESEARCH: I have discovered that I cannot do LDAP Query's on a distinguished name using a wild card, which really messes things up. This is how I would like the query to work, but I know it doesn't so i am looking for an alternative. &(objectcategory=user)(memberof=*User-LAX*)) POTENTIAL SOLUTION: I have just thought about this as a potential solution as I type this out, and that would be to build a script that would find all the groups that begin with "User-LAX", and then export all the members of those groups and make them members of a new groups called "User-LAX-XDrive" and then I can use ILT to map drives based on that new group membership. To be honest the above solution seems like the easiest way right now, but perhaps there is something else I can do with an LDAP Query that I am missing? I'm reluctant to dive straight in and create a new security group, because while my previous job I was given full responsibility to do that, I'm not sure if I am given that same trust here at my new job. However, If it needs to be done then it needs to be done. Any feedback is appreciated.
-
I'm trying to figure out a way to traverse a directory tree using LDAP. I've read a lot of posts here and mainly they involve using functions designed specifically for Active Directory. I want this to be more generic so it will work whether it's Novell eDirectory, Active Directory, etc. In my case I have both, but I primarily use eDirectory. Here's what I've got so far: $ObjLDAP = ObjGet("LDAP://192.168.1.1:389/O=MyORG") ; Not the real IP address $x=0 For $oObj In $ObjLDAP $x+=1 ConsoleWrite($x & ") cn=[" & $oObj.cn & "]" & @CRLF) $c=0 For $class in $oObj.objectClass $c+=1 ConsoleWrite(@TAB & $c & ") class=[" & $class & "]" & @CRLF) If $class="organizationalUnit" Then ; Switch to this OU and list all object there. ; BUT I DON'T KNOW HOW TO DO THIS YET ; Switch back to parent container when done. EndIf Next ConsoleWrite(@CRLF) Next Exit This works in that it lists all objects in the ORG. Here's a sample of the output. 1) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 2) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 3) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 4) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 5) o=[] cn=[admingroup] 1) class=[Top] 2) class=[groupOfNames] 3) class=[posixGroup] 4) class=[uamPosixGroup] 6) o=[] cn=[apchadmn-Administrators] 1) class=[Top] 2) class=[groupOfNames] 7) o=[] cn=[Everyone] 1) class=[groupOfNames] 2) class=[Top] 8) o=[] cn=[nfradmins] 1) class=[groupOfNames] 2) class=[Top] 9) o=[] cn=[nfrreportusers] 1) class=[groupOfNames] 2) class=[Top] 10) o=[] cn=[Admin] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[Person] 4) class=[Top] 5) class=[ndsLoginProperties] 6) class=[bhPortalConfigRW] 7) class=[bhPortalConfigSecretStore] 8) class=[bhPortalConfig] 9) class=[swareUserAttr] 10) class=[swarePointers] 11) class=[posixAccount] 12) class=[uamPosixUser] 11) o=[] cn=[dnsdhcp] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[Person] 4) class=[ndsLoginProperties] 5) class=[Top] 6) class=[posixAccount] 7) class=[uamPosixUser] 12) o=[] cn=[nfrproxy] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[ndsLoginProperties] 4) class=[Person] 5) class=[Top] 13) o=[] cn=[UNIX Config] 1) class=[uamPosixConfig] 2) class=[Top] 3) class=[uamPosixGidNumberInfo] 4) class=[uamPosixUidNumberInfo] 14) o=[] cn=[Apache Group] 1) class=[apchadmnConfiguration] 2) class=[apchadmnServer] 3) class=[Top] 15) o=[] cn=[apchadmn-Registry] 1) class=[apchadmnConfiguration] 2) class=[apchadmnServer] 3) class=[Top] I can determine that the first four objects are OUs. But how do I switch to those contexts?