LDAP root query syntax to search more than one specific OU

上瘾入骨i 2020-11-30 05:47

I need to run a single LDAP query that will search through two specific organization units (OU) in the root query, however I'm having a tough go of it. I've tried the follo

5 answers
    盖世英雄少女心 2020-11-30 06:06

    You can!!! In short, use this as the connection string:

    ldap://:3268/DC=,DC=?cn
    

    together with your search filter, e.g.

    (&(sAMAccountName={0})(objectCategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=,OU=,OU=,OU=,DC=,DC=,DC=))
    

    That will search the so-called Global Catalog, which was available out-of-the-box in our environment.

    Instead of the known/common other versions (or combinations thereof) that did NOT work in our environment with multiple OUs:

    ldap:///DC=,DC=
    ldap://:389/DC=,DC=  (standard port)
    ldap:///OU=,DC=,DC=
    ldap:///CN=,DC=,DC=
    ldap:///(|(OU=)(OU=)),DC=,DC= (search filters here shouldn't work at all by definition)
    

    (I am a developer, not an AD/LDAP guru :) Damn, I had been searching for this solution everywhere for almost 2 days and almost gave up, getting used to the thought that I might have to implement this obviously very common scenario by hand (with Jasperserver/Spring Security(/Tomcat)). (So this shall be a reminder if somebody else or I should have this problem again in the future :O)

    Here are some other related threads I found during my research that were mostly of little help:

    • the solution hidden in a comment by LarreDo from 2006
    • a Microsoft-answered question on best practices for how to design your organization in the directory, stating that using multiple top-level OUs in bigger companies is not unusual or even suitable
    • Tim Wong (2011) added that this may be a problem of unresolvable DNS names in the ForestDNSZones (part of the AD top-level domain used)
    • example code for implementing it by hand when using Spring Security (e.g. also used in Jasper)
    • John Morrissey (2012) suggested it could be related to some security settings and that it may work if you use TLS (I guess if the LDAP server wants to restrict such global searches for non-secure connections - which would not seem a good (it's kind of half-baked) security approach to me)
    • awatkins (2012) used some hacking approach in some mod_ldap.c code (of whatever software)

    And here I will provide our anonymized Tomcat LDAP config in case it may be helpful (/var/lib/tomcat7/webapps/jasperserver/WEB-INF/applicationContext-externalAUTH-LDAP.xml):

    [The XML element tags of this config did not survive extraction; only these text values remain, in their original order:]

    /login.html?error=1
    /j_spring_switch_user
    (&(sAMAccountName={0})(objectCategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=my-nested-group-name,OU=ou3,OU=ou2,OU=ou1,DC=dc3,DC=dc2,DC=dc1))
    true
    ROLE_USER
    ROLE_MY-NESTED-GROUP-NAME
    ROLE_USER

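An added example, not code from the original post or from Jasperserver/Spring Security, showing the two pieces the answer relies on: the Global Catalog connection string on port 3268 with the domain root as search base, and the filter combining the transitive-membership rule (1.2.840.113556.1.4.1941) with the bit-AND rule (1.2.840.113556.1.4.803) on userAccountControl. It also escapes the login name per RFC 4515 so a user-supplied value cannot restructure the filter, and includes a syntax check that rejects the doubly nested `(&((...)))` shape of the posted filter; the host, DNs and logins are assumed placeholders.

```python
# Added example (not from the original post); all hosts, DNs and logins are constructed placeholders.
GC_PORT = 3268                          # Global Catalog port (3269 for LDAPS); 389 searches one domain only
BASE_DN = "DC=example,DC=com"           # search base is the domain root, not a single OU
GROUP_DN = "CN=my-nested-group-name,OU=ou3,OU=ou2,OU=ou1,DC=example,DC=com"
IN_CHAIN = "1.2.840.113556.1.4.1941"    # LDAP_MATCHING_RULE_IN_CHAIN: transitive (nested) memberOf
BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND on userAccountControl
UF_ACCOUNTDISABLE = 2                   # the "account disabled" bit
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied value cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def gc_url(host: str, port: int = GC_PORT, base_dn: str = BASE_DN, attr: str = "cn") -> str:
    return f"ldap://{host}:{port}/{base_dn}?{attr}"   # ldap://<host>:3268/<base>?cn as in the answer

def user_filter(login: str, group_dn: str = GROUP_DN) -> str:
    """Enabled user with a mail attribute who is a direct or nested member of group_dn."""
    return ("(&"
            f"(sAMAccountName={escape_filter_value(login)})"
            "(objectCategory=person)(objectClass=user)(mail=*)"
            f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE}))"
            f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"
            ")")

def _expect(s: str, i: int, ch: str) -> int:
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1

def _parse(s: str, i: int) -> int:
    """Consume one RFC 4515 filter at s[i]; return the index just past its closing ')'."""
    i = _expect(s, i, "(")
    if s[i:i + 1] in ("&", "|"):            # (&...) / (|...): zero or more sub-filters
        i += 1
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif s[i:i + 1] == "!":                 # (!...): exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                   # (attr=value): a raw '(' inside means mis-nesting
        j = s.find(")", i)
        if j < 0 or "=" not in s[i:j] or "(" in s[i:j]:
            raise ValueError(f"bad item at offset {i}")
        i = j
    return _expect(s, i, ")")

def is_well_formed(filt: str) -> bool:
    """True only if the whole string is exactly one syntactically valid filter."""
    try:
        return _parse(filt, 0) == len(filt)
    except ValueError:
        return False
```

Pass the output of `gc_url` as the provider URL and the output of `user_filter` as the search filter; the login name is escaped, so the filter shape stays fixed whatever the user types.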