Microsoft AD – Creating a Negative OU= LDAP Filter

Tags: active-directory, filter, ldap

I am trying to produce an LDAP filter for MS AD which filters users based on some OUs (in my case excluding a specific OU, but including does not work either):

(&(cn=Testuser1)(|(ou:dn:=Included1)(ou:dn:=Included2)))
(&(cn=Testuser1)(!(ou:dn:=Excluded)))

does not work. I tested (ou:dn:=Included1), which lists the actual "folder" objects (marked with * below) but not the users below them (whose DN contains the OU). I cannot use the search base because it should find multiple:

ou=Included1,dc=example,dc=com *
  cn=Testuser1,ou=Included1,dc=example,dc=com +
ou=Included2,dc=example,dc=com
  cn=Testuser1,ou=Included2,dc=example,dc=com +
ou=Excluded,dc=example,dc=com
  cn=Testuser1,ou=Excluded,dc=example,dc=com - 

In my two example filters above I want to find two Testuser1 entries (marked with +), not three (marked with -).

But it actually matches none. The actual user entries have no other differences in the attributes I can filter on.

What it feels like is that the "ou:dn:=" syntax only finds objects where the first name component is the desired one, not any…?

Best Answer

The negative OU= component filter seems not to work with Microsoft LDAP since it is a constructed attribute (thanks to @semicolon for the link).

However, it works to use the full attribute value, like:

(&(CN=%u)(!(distinguishedName=CN=%u,OU=Excluded,dc=example,dc=com)))
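The filter in the accepted answer has %u substituted twice, once as a plain CN value and once inside a DN. The Python below is an added example, not code from the question or the answer: it fills in %u with RFC 4515 filter escaping (and RFC 4514 DN escaping for the DN part), then evaluates the resulting filter locally against a constructed copy of the tree from the question, so it runs without a directory server. The excluded OU name and the sample entries are assumptions taken from the question; the evaluator only handles &, |, ! and equality/wildcard comparisons and treats DNs as plain case-insensitive strings, which is a simplification of real DN matching.

```python
"""Added example (not from the original post): the accepted answer's filter with
%u escaped, evaluated locally against constructed entries that mirror the
question's tree. No directory server is contacted."""
import re

EXCLUDED_OU = "OU=Excluded,dc=example,dc=com"  # assumption: the OU from the question

# RFC 4515 escaping for a value substituted into a filter. Without it a supplied
# name such as "*" turns (CN=%u) into a wildcard (LDAP injection).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value embedded in a DN (the CN= part of the excluded DN)."""
    out = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):  # a leading '#' or space must be escaped too
        out = "\\" + out
    return out

def unescape_filter_value(raw: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def build_filter(username: str, safe: bool = True) -> str:
    """The answer's filter with %u filled in; safe=False reproduces naive substitution."""
    if not safe:
        return f"(&(CN={username})(!(distinguishedName=CN={username},{EXCLUDED_OU})))"
    cn = escape_filter_value(username)
    # inside the DN the name is DN-escaped first, then the whole value filter-escaped
    dn = escape_filter_value(f"CN={escape_dn_value(username)},{EXCLUDED_OU}")
    return f"(&(CN={cn})(!(distinguishedName={dn})))"

# Minimal evaluator for &, |, ! and (attr=value) with '*' wildcards. Names and
# values compare case-insensitively; DNs compare as plain strings (a simplification).
def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index("=", i)
    if ":" in s[i:j]:
        raise ValueError("extensible match (e.g. ou:dn:=) is not supported here")
    k = s.index(")", j)  # a literal ')' ends the value; escaped ones are \29
    return ("=", s[i:j].lower(), s[j + 1:k]), k + 1

def _value_matches(raw: str, actual: str) -> bool:
    parts = [unescape_filter_value(p) for p in raw.split("*")]  # bare '*' = wildcard
    if len(parts) == 1:
        return parts[0].lower() == actual.lower()
    pattern = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(pattern, actual, re.IGNORECASE | re.DOTALL) is not None

def _eval(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    actual = entry.get(node[1])
    return actual is not None and _value_matches(node[2], actual)

def search(filter_str: str, entries) -> list:
    """Return the DN of every entry the filter matches, in entry order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["distinguishedname"] for e in entries if _eval(node, e)]

def _entry(dn: str, **attrs) -> dict:
    d = {k.lower(): v for k, v in attrs.items()}  # attribute names are case-insensitive
    d["distinguishedname"] = dn
    return d

# Constructed sample tree mirroring the question (not real directory data).
ENTRIES = [
    _entry("OU=Included1,dc=example,dc=com", ou="Included1", objectClass="organizationalUnit"),
    _entry("CN=Testuser1,OU=Included1,dc=example,dc=com", cn="Testuser1", objectClass="user"),
    _entry("OU=Included2,dc=example,dc=com", ou="Included2", objectClass="organizationalUnit"),
    _entry("CN=Testuser1,OU=Included2,dc=example,dc=com", cn="Testuser1", objectClass="user"),
    _entry("OU=Excluded,dc=example,dc=com", ou="Excluded", objectClass="organizationalUnit"),
    _entry("CN=Testuser1,OU=Excluded,dc=example,dc=com", cn="Testuser1", objectClass="user"),
]

if __name__ == "__main__":
    print(build_filter("Testuser1"), "->", search(build_filter("Testuser1"), ENTRIES))
    print("unsafe '*' ->", search(build_filter("*", safe=False), ENTRIES))
    print("safe   '*' ->", search(build_filter("*"), ENTRIES))
```

Two caveats worth keeping in mind when using the answer's filter in production. First, %u is attacker-controlled wherever it comes from a login form, so it must be escaped before substitution; with naive substitution a supplied name of `*` matches every user outside the excluded OU, whereas the escaped form matches nothing. Second, the negation only hides the one entry whose DN is exactly `CN=%u,OU=Excluded,...`: a same-named user in a sub-OU beneath Excluded, or an entry whose CN differs from the login name, is not excluded by it.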