How to aggregate users only from groups specific to a specific OU in active directory

How to aggregate users only from groups specific to a specific OU in Active Directory. Please note that groups will be updated dynamically over time in the OU.

I tried "(&(objectClass=user)(memberOf=CN=*,OU=Groups,OU=XYZ,DC=abccompany,DC=net))" in the iterate search filter, but it is not working.

I gave the proper group name in the CN and it is working fine. But I need to look at all the groups, and there are many of them and they are expected to change over time. So, I can't add and remove the group names in SailPoint. Please suggest some solution to fix this.

Do you have an option to write customization rule? We can fetch the memberOf from the resource object and check if the group DN ends with the OU you are looking for. If yes, return the object and if not return null.
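
The check described above, written out as an added example (not code from this thread or from SailPoint): a DN-aware test for "is this group under the target OU?", the decision a customization rule would apply to each resource object's memberOf values. Python stands in for the rule's BeanShell, and the DNs are constructed sample values; a plain substring match would also accept groups in a differently named OU or mis-handle escaped commas, which is why the RDNs are split first.

```python
# Added illustration, not the thread's or SailPoint's own code.
# Python stands in for a BeanShell customization rule; DNs are constructed samples.

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (e.g. CN=Doe\\, Jane)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep escape + escaped char together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns if r]          # DNs compare case-insensitively

def group_in_ou(group_dn: str, ou_dn: str, direct_only: bool = True) -> bool:
    """True if group_dn sits under ou_dn.
    direct_only=True mirrors the intent of CN=*,<OU>: the group's parent container
    must be exactly the OU. direct_only=False also accepts groups in nested sub-OUs."""
    g, ou = split_dn(group_dn), split_dn(ou_dn)
    if len(g) <= len(ou) or g[-len(ou):] != ou:
        return False
    return len(g) == len(ou) + 1 if direct_only else True

def keep_account(member_of: list[str], ou_dn: str, direct_only: bool = True) -> bool:
    """Rule decision: keep the account (return the object) if any memberOf value
    is a group under the OU; otherwise drop it (return null)."""
    return any(group_in_ou(dn, ou_dn, direct_only) for dn in member_of)

TARGET_OU = "OU=Groups,OU=XYZ,DC=abccompany,DC=net"   # constructed target OU

if __name__ == "__main__":
    sample_member_of = [                            # constructed memberOf values
        "CN=App Admins,OU=Groups,OU=XYZ,DC=abccompany,DC=net",
        "CN=Other,OU=Groups,OU=ABC,DC=abccompany,DC=net",
    ]
    print(keep_account(sample_member_of, TARGET_OU))  # True
```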

I think using LDAP search filter you cannot natively traverse relationships. You need to use group DNs separately.

(&(objectCategory=user)(|(memberOf=CN=Group1,OU=XYZ,DC=abccompany,DC=net)(memberOf=CN=Group2,OU=XYZ,DC=abccompany,DC=net)...))

There are options on the UI like Group Membership Search DN, Group Member Filter String. Try if that helps.

Thank you @nithyamn13, I will try this and let you know if it works.

Hi @udayputta, thank you for your response. We can add all groups to the filter like you mentioned above, but the problem is that the groups will be updated over time and I don't want to update the application again and again.

Hi @venkat_13, if you don't mind, can I challenge the premise? As LDAP filters don't support what you want to do, can I ask why you don't want to aggregate all accounts from those OUs? I have a feeling you could be building up problems for the future if you come up with a workaround.

Hello,

I think you could use the approach below.

Option 1: Use Search Filter in the Source Configuration

In the AD Source > Configuration > Filter, define an LDAP filter using memberOf and/or group distinguishedName targeting your specific OU.

Example LDAP Filter:

If your target OU is:

OU=AppGroups,OU=AccessGroups,DC=example,DC=com

Then set:

(&(objectClass=user)(memberOf=CN=*,OU=AppGroups,OU=AccessGroups,DC=example,DC=com))

This ensures that only users who are members of groups in that OU are considered for aggregation.

Option 2: Post-Aggregation Filtering Using Identity Attribute Transform

If filtering during aggregation is not feasible, let it aggregate all users and use a Transform on Identity Attribute.

  • Filter only those whose memberOf includes groups under the desired OU
  • In the transforms, you can use static transform in which you can add complex logic using Velocity Syntax.

Have a look at the above.

Thank You,

Regards,
Rohit Wekhande,
IDMWORKS

Hi @rohit_wekhande I could be wrong, but it is my understanding that you can’t use wildcards on DN syntax attributes for LDAP filtering purposes.


@j_place - You are right. We cannot use wildcards on DN syntax in iterate search filter. Customization rule is the option which I think will work for the problem which Venkat posted.

Oh yes, you are correct! My Bad.

The correct approach is to use an OR between the DNs, like below, for all possible group DNs:

(&(objectClass=user)(|(memberOf=CN=Group1,…)(memberOf=CN=Group2,…)(memberOf=CN=Group3,…)))

Regards,
Rohit Wekhande.

Yes, you cannot use a wildcard and he has to use an OR. But his problem is that he cannot keep adding, because there could be new groups added later.
I agree with Jeremy: why not pull all the users from that specific OU? Any challenges, @venkat_13? Can you share more details?
