jazzyjeff

LDAP Query

3 posts in this topic

#1 ·  Posted

Hey All,

I am banging my head against a wall here trying to get an LDAP query to work, so I am hoping someone can help me out. 

GOAL: I'm trying to map drives using Item Level targeting.

CURRENT SOLUTION: An Autoit login script runs, determines the user that logs in, looks at the users group membership. If a User is a member of a group that contains the string "User-LAX" Then it will map \\server1\shareA.  If a User is a member of a group that contains the string "User-ORD" Then it will map \\server2\shareB. With the power of scripting this is easy to achieve.

PROBLEM: The active directory setup is extremely large and complex, and perhaps has not been designed with a lot of thought for situations like this. There are multiple buildings, and each building has a user code used in Security Group names i.e. User-LAX-HR, User-ORD-HR, User-LAX-Accounting, User-ORD-Accounting etc. So if they are a member of a group that contains "User-LAX", it will map the UNC path \\server1\shareA. That's the aim. Now there are potentially hundreds of groups that begin with "User-LAX", so while I could easily run an LDAP Query on each group called "User-LAX", this would take me forever to build a group policy containing all the different possibilities.

RESEARCH: I have discovered that I cannot do LDAP Query's on a distinguished name using a wild card, which really messes things up. This is how I would like the query to work, but I know it doesn't so i am looking for an alternative. &(objectcategory=user)(memberof=*User-LAX*))

POTENTIAL SOLUTION: I have just thought about this as a potential solution as I type this out, and that would be to build a script that would find all the groups that begin with "User-LAX", and then export all the members of those groups and make them members of a new groups called "User-LAX-XDrive" and then I can use ILT to map drives based on that new group membership.

 

To be honest the above solution seems like the easiest way right now, but perhaps there is something else I can do with an LDAP Query that I am missing? 

I'm reluctant to dive straight in and create a new security group, because while my previous job I was given full responsibility to do that, I'm not sure if I am given that same trust here at my new job. However, If it needs to be done then it needs to be done.

Any feedback is appreciated.

Share this post


Link to post
Share on other sites



#2 ·  Posted

memberOf is a distinguished name attribute. You can't search it with a wildcard search.  It must be an exact match.
Means: Retrieve all the groups the user is a member of and then process the returned array.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 

Share this post


Link to post
Share on other sites

#3 ·  Posted

Thanks Water. I think I will use the approach to create a new group and make the members of the current groups a member of the new group, and then map drives using Item Level Targeting on the new security group.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • bstjohn
      By bstjohn
      I'm trying to figure out a way to traverse a directory tree using LDAP.  I've read a lot of posts here and mainly they involve using functions designed specifically for Active Directory.  I want this to be more generic so it will work whether it's Novell eDirectory, Active Directory, etc.  In my case I have both, but I primarily use eDirectory.
      Here's what I've got so far:
      $ObjLDAP = ObjGet("LDAP://192.168.1.1:389/O=MyORG") ; Not the real IP address $x=0 For $oObj In $ObjLDAP $x+=1 ConsoleWrite($x & ") cn=[" & $oObj.cn & "]" & @CRLF) $c=0 For $class in $oObj.objectClass $c+=1 ConsoleWrite(@TAB & $c & ") class=[" & $class & "]" & @CRLF) If $class="organizationalUnit" Then ; Switch to this OU and list all object there. ; BUT I DON'T KNOW HOW TO DO THIS YET ; Switch back to parent container when done. EndIf Next ConsoleWrite(@CRLF) Next Exit This works in that it lists all objects in the ORG.  Here's a sample of the output.
      1) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 2) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 3) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 4) o=[] cn=[] 1) class=[organizationalUnit] 2) class=[ndsLoginProperties] 3) class=[Top] 4) class=[ndsContainerLoginProperties] 5) o=[] cn=[admingroup] 1) class=[Top] 2) class=[groupOfNames] 3) class=[posixGroup] 4) class=[uamPosixGroup] 6) o=[] cn=[apchadmn-Administrators] 1) class=[Top] 2) class=[groupOfNames] 7) o=[] cn=[Everyone] 1) class=[groupOfNames] 2) class=[Top] 8) o=[] cn=[nfradmins] 1) class=[groupOfNames] 2) class=[Top] 9) o=[] cn=[nfrreportusers] 1) class=[groupOfNames] 2) class=[Top] 10) o=[] cn=[Admin] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[Person] 4) class=[Top] 5) class=[ndsLoginProperties] 6) class=[bhPortalConfigRW] 7) class=[bhPortalConfigSecretStore] 8) class=[bhPortalConfig] 9) class=[swareUserAttr] 10) class=[swarePointers] 11) class=[posixAccount] 12) class=[uamPosixUser] 11) o=[] cn=[dnsdhcp] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[Person] 4) class=[ndsLoginProperties] 5) class=[Top] 6) class=[posixAccount] 7) class=[uamPosixUser] 12) o=[] cn=[nfrproxy] 1) class=[inetOrgPerson] 2) class=[organizationalPerson] 3) class=[ndsLoginProperties] 4) class=[Person] 5) class=[Top] 13) o=[] cn=[UNIX Config] 1) class=[uamPosixConfig] 2) class=[Top] 3) class=[uamPosixGidNumberInfo] 4) class=[uamPosixUidNumberInfo] 14) o=[] cn=[Apache Group] 1) class=[apchadmnConfiguration] 2) class=[apchadmnServer] 3) class=[Top] 15) o=[] cn=[apchadmn-Registry] 1) class=[apchadmnConfiguration] 2) class=[apchadmnServer] 3) class=[Top] I can determine that the first four objects are OUs.  But how do I switch to those contexts?