[KLUG Members] LDAP search

lists at elite4god.com lists at elite4god.com
Mon Jul 11 11:25:34 EDT 2005


>> I'm trying to write an LDAP filter that will exclude a specific OU from
>> the results.
>> I have (&(objectclass=user)(!(objectclass=computer)))
>> This works but I have an ou called users that contains all the system
>> users I don't want included in the results.
>
> ? So you only want objectclass of "computer"?
>
>> My search base is dc=my-domain,dc=com.
>> The ou I want to exclude users from is ou=users,dc=my-domain,dc=com.
>> I've tried
>> (&(objectclass=user)(!(objectclass=computer))(!(dc=cn=*,ou=users,dc=my-domain,dc=com)))
>> But it didn't work.
>
> Correct, dn only supports equality matching, not substring or regexp.
>
>> I've also tried using just (dc=cn=*,ou=users,dc=my-domain,dc=com) to see
>> if it would return just the users in this ou but it didn't work either.
>> I have 30 ou's I'm searching. I don't want to have to do a specific
>> search on all of these ou's. I think that would be too much overhead.
>
> You have user objects spread across 30 ous?
>
> Do you have an "ou" attribute in the objects?
>

I have an OU for each department. Some departments have sub departments. I
have users in all of these.

There is no attr that has the object's parent or ou.

It's a Windows 2003 domain. AD.
The users do have a distinguishedname attr but it seems to have the same
restrictions as dn. I know that's what dn stands for.

Thanks,
Jeremy
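
Since the filter cannot wildcard-match on the DN, one way to get the result asked for in this thread is to keep the existing search from dc=my-domain,dc=com and drop the entries under ou=users on the client. This is an added example, not part of the original thread; the function names, the dict-with-"dn" entry shape and the sample entries are assumptions constructed for illustration.

```python
# Added example: client-side exclusion of one OU subtree from search results.
# SAMPLE is constructed data standing in for what an LDAP client returns for
# (&(objectclass=user)(!(objectclass=computer))) from dc=my-domain,dc=com.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends an RDN
            rdns.append("".join(cur).lstrip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).lstrip().lower())
    return rdns

def is_under(dn, base):
    """True if dn is base itself or sits anywhere beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def exclude_subtree(entries, excluded_base):
    """Return the entries whose DN is not inside excluded_base."""
    return [e for e in entries if not is_under(e["dn"], excluded_base)]

EXCLUDED = "ou=users,dc=my-domain,dc=com"
SAMPLE = [
    {"dn": "CN=svc-backup,OU=Users,DC=my-domain,DC=com"},       # excluded
    {"dn": "CN=Al,OU=Temps,OU=Users,DC=my-domain,DC=com"},      # excluded (nested)
    {"dn": "CN=Smith\\, Jane,OU=Sales,DC=my-domain,DC=com"},    # kept
    {"dn": "CN=Bob,OU=Power Users,DC=my-domain,DC=com"},        # kept
    # Edge case: the comma is part of the CN value, so this entry lives
    # directly under dc=my-domain,dc=com; a plain endswith() would drop it.
    {"dn": "CN=Doe\\,OU=Users,DC=my-domain,DC=com"},            # kept
]

if __name__ == "__main__":
    for entry in exclude_subtree(SAMPLE, EXCLUDED):
        print(entry["dn"])
```

The comparison is done per RDN rather than as a string suffix, so names containing escaped commas and OUs whose names merely end in "Users" are not excluded by mistake.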

