Forum Discussion

Rotem's avatar
Rotem
Icon for Nimbostratus rankNimbostratus
Oct 21, 2013

Multiple LDAP Query

hi ,

 

i am trying to define a multiple ldap query in apm macro . in my configurtion the group found in one OU on the primary domain, and the users is in other OU on the primary domain . when i try to configure with | , || , ; it doesn't work what is the right way to configure this ?

 

  • I've no experience with APM but just from a programming/logic point of view, wouldn't AND/&& be more appropriate rather than OR/||?

     

  • Rotem's avatar
    Rotem
    Icon for Nimbostratus rankNimbostratus

    thx i try this and still doesn't work , in the session logs i see that the syntax is wrong "Invalid DN syntax" .

     

  • Can you elaborate on your configuration? What does your LDAP query statement look like now?

     

  • This may be a little tricky depending on the directory service you're trying to query. At the very least you have two options:

    • Widen your search base to encompass the entire directory tree. You can optionally specify a SearchFilter value that limits the results to a set of OUs. Example:

      (&(&(objectClass=person)(|(ou=OU=usertest1,DC=MYDOMAIN,DC=COM)(ou=OU=usertest2,DC=MYDOMAIN,DC=COM)))(sAMAccountName=%{session.custom.user}))
      

      The trick with the above is that the user account must have this explicit attribute. Most AD user accounts do not have an "ou" attribute by default (I modified mine for this test), and it doesn't appear that you can use wildcards (ex. cn=*OU=usertest1*) with AD. This may be different with other directories. If you have access to the BIG-IP management shell, you can test your query parameters with the LDAPSEARCH command:

      ldapsearch -H ldap://10.80.0.200 -x -b dc=mydomain,dc=com -D administrator@mydomain.com -w 'password' "(&(&(objectClass=person)(|(ou=OU=usertest1,DC=MYDOMAIN,DC=COM)(ou=OU=usertest2,DC=MYDOMAIN,DC=COM)))(sAMAccountName=jack.test))"
      

      Also note that your APM LDAP query should be configured so that it only returns ONE result. There is no mechanism to parse through multiple returned user/object accounts. Widening the search base may cause the query to take longer, but then you're guaranteed to only return records from the specified containers.

    • The second option, and probably the more preferred one, is to simply create multiple LDAP queries and limit each to a specific OU search base. Try to nest them so that the more predominant one is first, and its fallback branch (query failed) falls into the second LDAP query.