Forum Discussion
Multiple LDAP Query
This may be a little tricky depending on the directory service you're trying to query. At the very least you have two options:
- Widen your search base to encompass the entire directory tree. You can optionally specify a SearchFilter value that limits the results to a set of OUs. Example:
(&(&(objectClass=person)(|(ou=OU=usertest1,DC=MYDOMAIN,DC=COM)(ou=OU=usertest2,DC=MYDOMAIN,DC=COM)))(sAMAccountName=%{session.custom.user}))
The trick with the above is that the user account must have this explicit attribute. Most AD user accounts do not have an "ou" attribute by default (I modified mine for this test), and it doesn't appear that you can use wildcards (ex. cn=*OU=usertest1*) with AD. This may be different with other directories. If you have access to the BIG-IP management shell, you can test your query parameters with the LDAPSEARCH command:
ldapsearch -H ldap://10.80.0.200 -x -b dc=mydomain,dc=com -D administrator@mydomain.com -w 'password' "(&(&(objectClass=person)(|(ou=OU=usertest1,DC=MYDOMAIN,DC=COM)(ou=OU=usertest2,DC=MYDOMAIN,DC=COM)))(sAMAccountName=jack.test))"
Also note that your APM LDAP query should be configured so that it only returns ONE result. There is no mechanism to parse through multiple returned user/object accounts. Widening the search base may cause the query to take longer, but then you're guaranteed to only return records from the specified containers.
- The second option, and probably the more preferred one, is to simply create multiple LDAP queries and limit each to a specific OU search base. Try to nest them so that the more predominant one is first, and its fallback branch (query failed) falls into the second LDAP query.
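As an added example (not from the post, and not F5 or APM code): a small Python helper that builds the multi-OU filter shown in the first option from a list of container DNs and a username, escapes the username per RFC 4515 so the value substituted from a session variable can only match literally, and enforces the one-result requirement the post mentions. The OU values and the entry list are constructed for the demo.

```python
# RFC 4515 characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_multi_ou_filter(ous, username: str) -> str:
    """Build the filter from the post: person objects whose ou attribute is one of
    the listed containers AND whose sAMAccountName equals the given user."""
    if not ous:
        raise ValueError("at least one OU is required")
    ou_terms = "".join(f"(ou={escape_filter_value(ou)})" for ou in ous)
    # Only wrap in an OR when there is more than one container to match.
    ou_clause = f"(|{ou_terms})" if len(ous) > 1 else ou_terms
    return (f"(&(&(objectClass=person){ou_clause})"
            f"(sAMAccountName={escape_filter_value(username)}))")


def select_single_entry(entries):
    """APM can only act on one returned object: fail closed on 0 or >1 matches."""
    if len(entries) != 1:
        raise LookupError(f"expected exactly one entry, got {len(entries)}")
    return entries[0]


if __name__ == "__main__":
    ous = ["OU=usertest1,DC=MYDOMAIN,DC=COM", "OU=usertest2,DC=MYDOMAIN,DC=COM"]
    print(build_multi_ou_filter(ous, "jack.test"))
    # Constructed search result, shaped like what a client library hands back.
    results = [{"dn": "CN=jack.test,OU=usertest1,DC=MYDOMAIN,DC=COM"}]
    print(select_single_entry(results)["dn"])
```

The two-OU call prints exactly the filter string used in the ldapsearch command above; a username such as `jack*` is emitted as `jack\2a` rather than becoming a wildcard.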