
I have users in AD with memberOf attributes having either cn=ad-users103,ou=hr,ou=groups,dc=mycorp,dc=com or cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com. I'd like to use a filter like cn=ad-users* but it's not returning results. I'm using ldapsearch in Linux to test my filter.

I've tried using a filter like this which returns user info:

ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com"

When I add a wildcard (taking example here), I don't get any results:

ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users*"

I've tried moving the splat to different positions in the filter to no avail. Should a search work this way or do I need to use something like (&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...)) instead?

Server Fault

1 Answer

The memberOf is a distinguishedName attribute value and wildcards are not supported on distinguishedNames as shown here: https://stackoverflow.com/a/28984362/88122

And I think your AND search of

(&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))

should be an OR search:

(|(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))
jwilleke
Ok thanks for clarifying. I had no idea wildcards were handled differently depending on attribute. You are also correct about the OR filter. – Server Fault Sep 25 '20 at 13:34
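The two-step approach the answer implies, as an added example that is not part of the original post: substring-match the group `cn` values (allowed, since `cn` has string syntax), then OR together one full-DN `memberOf` equality assertion per group with RFC 4515 escaping. The group DN list is a constructed sample standing in for the result of a group search; the function names are this example's own.

```python
import re

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the server matches it literally."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def cn_of(dn: str) -> str:
    """Return the value of a DN's leading cn= RDN (case-insensitive), or ''."""
    m = re.match(r'\s*cn=([^,]*)', dn, re.IGNORECASE)
    return m.group(1).strip() if m else ''


def groups_with_cn_prefix(group_dns, prefix: str):
    """Step 1, done client-side here: keep the group DNs whose cn starts with
    prefix. Against a live server this is what a substring search on the
    groups subtree, e.g. "(cn=ad-users*)", returns; that wildcard is fine
    because cn is a string-syntax attribute."""
    return [dn for dn in group_dns
            if cn_of(dn).lower().startswith(prefix.lower())]


def member_of_any(group_dns) -> str:
    """Step 2: OR together one full-DN equality assertion per group.
    memberOf has DN syntax, so no substring rule applies and a '*' in the
    value is never a wildcard; refuse it rather than build a filter that
    silently matches nothing."""
    dns = list(group_dns)
    if not dns:
        raise ValueError("need at least one group DN")
    if any('*' in dn for dn in dns):
        raise ValueError("memberOf is DN-valued; wildcards are not supported")
    terms = ''.join(f'(memberOf={escape_filter_value(dn)})' for dn in dns)
    return terms if len(dns) == 1 else f'(|{terms})'


# Constructed sample: what a group search under ou=hr,ou=groups might return.
SAMPLE_GROUP_DNS = [
    "cn=ad-users103,ou=hr,ou=groups,dc=mycorp,dc=com",
    "cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com",
    "cn=hr-managers,ou=hr,ou=groups,dc=mycorp,dc=com",
]

if __name__ == "__main__":
    # Paste the printed filter into the ldapsearch command from the question.
    print(member_of_any(groups_with_cn_prefix(SAMPLE_GROUP_DNS, "ad-users")))
```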