LDAP query to filter OUs for AD connector

Hello Team,
Hope you have a great day.

Struggling with a working LDAP query for the OU filter on the AD connector.
I am pulling from the top-level OU, but need to filter out all sub-OUs that have the name “External Users”. There are too many of those (one in each location), so adding only what I need to sync is not an option.

Thank you in advance,

Hi @karapuuzina,

Take a look at this documentation on applying account filters in the source and see if it helps.

You can make use of a filter as below :

"account.filterString": "(distinguishedName.contains(\"OU=External Users\"))"

@jesvin90, thank you for the reply. But this seems to be an additional property that I need to modify via the REST API.

Plus, for Account Name in the schema we use SamAccountName, not DistinguishedName.
I would really like to use the LDAP query functionality, as it is there (screenshot from above).

Hi @karapuuzina,

Not sure if AD supports extensible matching, but this is something that you can try out in the LDAP filter section:

(&(objectClass=user)(!(distinguishedName=*OU=External Users*)))

It seems that the filter does not support wildcards (*). If I go with a specific user's distinguished name, it actually filters it out, but as soon as I use * to filter out the OU, it fails.

The distinguishedName attribute cannot be queried with a wildcard in LDAP queries, unfortunately. That is a limitation of LDAP queries, as far as I remember.

Is there an attribute that External Users have that can be used as a part of the query, instead of the OU itself? Perhaps something like employeeType in the example below:

(&(objectClass=user)(!(employeeType=External)))

Also, depending on the OU structure, perhaps you can list all the OUs as OUs to search and just not list the External Users OU. For example, in the Source connector attributes:

{
    "connectorAttributes": {
        "searchDNs": [
            {
                "groupMembershipSearchDN": null,
                "searchDN": "OU=Bread Department,OU=Geese,DC=goosecorporaton,DC=gov",
                "groupMemberFilterString": null,
                "iterateSearchFilter": "(&(objectCategory=person)(objectClass=user))"
            },
            {
                "groupMembershipSearchDN": null,
                "searchDN": "OU=Lake Supervisors,OU=Geese,DC=goosecorporaton,DC=gov",
                "groupMemberFilterString": null,
                "iterateSearchFilter": "(&(objectCategory=person)(objectClass=user))"
            },
            {
                "groupMembershipSearchDN": null,
                "searchDN": "OU=Flying Operations,OU=Geese,DC=goosecorporaton,DC=gov",
                "groupMemberFilterString": null,
                "iterateSearchFilter": "(&(objectCategory=person)(objectClass=user))"
            }
        ]
    }
}

You can list all the OUs from which you want to pull users, and simply do not include the External Users OU.
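To build that searchDNs list without editing it by hand, here is an added Python example (not the poster's code and not SailPoint's) that takes a list of OU DNs, drops every OU inside an "External Users" subtree, and emits the smallest set of search bases in the shape shown above. It assumes each searchDN is searched with subtree scope, so it also reports the ancestor OUs that cannot be used as bases without pulling the excluded subtree back in; objects sitting directly in those containers are not reached, which is the caveat of this approach. The OU tree and domain are constructed for the example.

```python
import json

# Constructed sample OU tree (illustration only, not data from the post).
# Every location OU carries an "External Users" child that must not be synced.
SAMPLE_OUS = [
    "OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Lake Superior,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Staff,OU=Lake Superior,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=External Users,OU=Lake Superior,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Lake Huron,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Staff,OU=Lake Huron,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=External Users,OU=Lake Huron,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Contractors,OU=External Users,OU=Lake Huron,OU=Geese,DC=goosecorporaton,DC=gov",
    "OU=Flying Operations,OU=Geese,DC=goosecorporaton,DC=gov",
]

ITERATE_FILTER = "(&(objectCategory=person)(objectClass=user))"


def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns]


def is_ancestor(parent, child):
    """True if `child` lies strictly below `parent` in the directory tree."""
    p, c = split_dn(parent), split_dn(child)
    return len(c) > len(p) and c[len(c) - len(p):] == p


def search_bases(all_ous, excluded_ou_name):
    """Return (bases, uncovered), assuming each base is searched with subtree scope.

    bases:     the smallest set of OUs whose subtree searches together cover every
               OU that is not inside an excluded subtree.
    uncovered: OUs that are ancestors of an excluded OU. Using one as a subtree
               base would pull the excluded users back in, so objects that sit
               directly in these containers are NOT reached by `bases`.
    """
    target = f"ou={excluded_ou_name}".lower()
    excluded = [dn for dn in all_ous if target in split_dn(dn)]
    uncovered = [dn for dn in all_ous
                 if dn not in excluded and any(is_ancestor(dn, ex) for ex in excluded)]
    candidates = [dn for dn in all_ous if dn not in excluded and dn not in uncovered]
    bases = [dn for dn in candidates
             if not any(is_ancestor(other, dn) for other in candidates)]
    return bases, uncovered


def connector_attributes(bases):
    """Render the searchDNs block in the shape shown in the thread."""
    return {"connectorAttributes": {"searchDNs": [
        {"groupMembershipSearchDN": None, "searchDN": dn,
         "groupMemberFilterString": None, "iterateSearchFilter": ITERATE_FILTER}
        for dn in bases]}}


if __name__ == "__main__":
    bases, uncovered = search_bases(SAMPLE_OUS, "External Users")
    print(json.dumps(connector_attributes(bases), indent=4))
    for dn in uncovered:
        print("WARNING: objects directly in", dn, "are not covered by any searchDN")
```

In a real tenant the OU list would come from an export (for instance Get-ADOrganizationalUnit); the sample list is embedded so the script runs offline. Re-run it whenever a new location OU appears, because a new "External Users" child changes which bases are safe.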

Hi @karapuuzina ,
try this instead:
(&(objectCategory=person)(objectClass=user)(!(distinguishedName=*,OU=External Users,DC=yourdomain,DC=com)))

@pmandal, that query is not working either. From all the testing, I can see that LDAP queries in SailPoint do not support the wildcard (*) for a DN. I figured out another way: EmployeeID is empty for externals, so I have used the filter below to pick up externals:
(&(objectClass=person)(!(employeeID=*)))
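As an added example (not code from the thread or from SailPoint), the following Python models how Active Directory evaluates the filters discussed above against a constructed set of entries. It shows that a presence test on employeeID and an exact distinguishedName both work, while a wildcard on distinguishedName is rejected: AD has no substring matching rule for DN-syntax attributes, and the simulator raises an exception rather than guessing whether a given client sees an empty result or an error. The sample directory also carries a computer object to show why keeping objectCategory=person in the filter matters: computers have objectClass values user and person too and normally no employeeID, so (objectClass=person) with a negated presence test picks them up as well. All names, DNs and the domain are made up.

```python
import re

# DN-syntax attributes (2.5.5.1): Active Directory has no substring matching rule
# for these, so (distinguishedName=*X*) cannot work; the simulator rejects it.
DN_SYNTAX_ATTRS = {"distinguishedname", "objectcategory", "manager", "memberof", "member"}

# Constructed sample directory (illustration only, not data from the post). Staff
# carry an employeeID, externals do not; the computer is there because computers
# also have objectClass values user and person.
BASE = "OU=Lake Huron,OU=Geese,DC=goosecorporaton,DC=gov"
SCHEMA = "CN=Schema,CN=Configuration,DC=goosecorporaton,DC=gov"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

def make_entry(cn, ou, category="Person", extra_classes=(), **attrs):
    return {"distinguishedName": f"CN={cn},OU={ou},{BASE}",
            "objectClass": USER_CLASSES + list(extra_classes),
            "objectCategory": f"CN={category},{SCHEMA}", **attrs}

SAMPLE_ENTRIES = [
    make_entry("Ada Goose", "Staff", sAMAccountName="agoose", employeeID="10042"),
    make_entry("Bob Vendor", "External Users", sAMAccountName="bvendor"),
    make_entry("LAPTOP01", "Staff", "Computer", ["computer"], sAMAccountName="LAPTOP01$"),
]

class UnsupportedMatch(Exception):
    """Substring filter on a DN-syntax attribute."""

class Parser:
    """Recursive-descent parser for the RFC 4515 subset used in the thread:
    &, |, !, equality, presence (attr=*) and * substrings (no \\xx escapes)."""
    def __init__(self, text):
        self.text, self.pos = text, 0

    def expect(self, ch):
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos} in {self.text!r}")
        self.pos += 1

    def node(self):
        self.expect("(")
        op = self.text[self.pos:self.pos + 1]
        if op in ("&", "|"):
            self.pos += 1
            kids = []
            while self.text[self.pos:self.pos + 1] == "(":
                kids.append(self.node())
            self.expect(")")
            return (op, kids)
        if op == "!":
            self.pos += 1
            kid = self.node()          # RFC 4515 requires (!(...)), never (!attr=...)
            self.expect(")")
            return ("!", [kid])
        end = self.text.find(")", self.pos)
        if end < 0 or "=" not in self.text[self.pos:end]:
            raise ValueError(f"malformed item at offset {self.pos} in {self.text!r}")
        attr, _, value = self.text[self.pos:end].partition("=")
        self.pos = end + 1
        return ("=", attr.strip().lower(), value)

def parse_filter(text):
    parser = Parser(text)
    tree = parser.node()
    if parser.pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def item_matches(attr, pattern, values):
    if pattern == "*":                     # presence test: fine for any attribute
        return bool(values)
    if "*" in pattern:                     # substring test
        if attr in DN_SYNTAX_ATTRS:
            raise UnsupportedMatch(f"no substring matching on DN-syntax attribute {attr}")
        rx = ".*".join(re.escape(part) for part in pattern.split("*"))
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)
    if attr == "objectcategory":
        # AD accepts the class name (objectCategory=person) in place of the schema
        # DN; mirror that by also comparing the CN of the stored value.
        values = values + [v.split(",", 1)[0].split("=", 1)[1] for v in values]
    return any(v.lower() == pattern.lower() for v in values)

def matches(tree, norm):
    op = tree[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, norm) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], norm)
    return item_matches(tree[1], tree[2], norm.get(tree[1], []))

def normalize(e):
    """Lower-case attribute names and make every value a list, as AD is multi-valued."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in e.items()}

def search(filter_text, entries):
    """Return the sAMAccountNames of the entries the filter selects."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, normalize(e))]
```

Calling `search("(&(objectClass=person)(!(employeeID=*)))", SAMPLE_ENTRIES)` returns the external user and the computer account; adding `(objectCategory=person)` leaves only the external user. `search` with `(distinguishedName=*OU=External Users*)` raises `UnsupportedMatch`, and a filter written as `(!distinguishedName=...)` without the inner parentheses fails to parse, which is the two ways a DN-based exclusion goes wrong before it ever reaches the connector.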

