[KLUG Members] LDAP search

Adam Tauno Williams adam at morrison-ind.com
Mon Jul 11 08:37:08 EDT 2005


> I'm trying to write an LDAP filter that will exclude a specific OU from 
> the results.
> I have (&(objectclass=user)(!(objectclass=computer)))
> This works but I have an ou called users that contains all the system 
> users I don't want included in the results.

? So you only want objectclass of "computer"?

> My search base is dc=my-domain,dc=com.
> The ou I want to exclude users from is ou=users,dc=my-domain,dc=com.
> I've tried 
> (&(objectclass=user)(!(objectclass=computer))(!(dc=cn=*,ou=users,dc=my-domain,dc=com)))
> But it didn't work.

Correct, dn only supports equality matching, not substring or regexp.

> I've also tried using just (dc=cn=*,ou=users,dc=my-domain,dc=com) to see 
> if it would return just the users in this ou but it didn't work either.
> I have 30 ou's I'm searching. I don't want to have to do a specific 
> search on all of these ou's. I think that would be too much overhead.

You have user objects spread across 30 ous?

Do you have an "ou" attribute in the objects?
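Added example, not part of the original message: one way to get the result the poster asks for is to run a single subtree search from dc=my-domain,dc=com with the working filter and then drop entries under ou=users on the client, comparing DNs RDN by RDN rather than as raw strings. The function names and the sample DNs are constructed for illustration, and the sketch assumes single-valued RDNs and case-insensitive naming attributes.

```python
# Added example: drop every entry under one OU after a single subtree search.
# Function names are hypothetical; SAMPLE_DNS is constructed data.
# Assumes single-valued RDNs and case-insensitive naming attributes.

def normalize_rdn(rdn):
    """Trim whitespace and lower-case so 'OU=Users' equals 'ou=users'."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_rdns(dn):
    """Split a DN on unescaped commas only (backslash escapes, RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]

def is_under(dn, base):
    """True when dn is the base entry itself or sits anywhere beneath it."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def exclude_subtree(dns, excluded_base):
    """Return the DNs that are not inside excluded_base."""
    return [dn for dn in dns if not is_under(dn, excluded_base)]

SAMPLE_DNS = [
    "cn=alice,ou=sales,dc=my-domain,dc=com",
    "cn=svc-backup,ou=users,dc=my-domain,dc=com",
    "CN=svc-mail, OU=Users, DC=my-domain, DC=com",
    # One RDN whose value contains an escaped comma; it is NOT in ou=users.
    "cn=a\\,ou=users,dc=my-domain,dc=com",
]

if __name__ == "__main__":
    for dn in exclude_subtree(SAMPLE_DNS, "ou=users,dc=my-domain,dc=com"):
        print(dn)
```

The last sample DN is the case a plain string suffix test gets wrong: it ends with the text "ou=users,dc=my-domain,dc=com" but is an entry directly under dc=my-domain,dc=com.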



