Jabber AD LDAP Filtering Question....

VLT06
Level 3

Hi Guys,

Has anyone faced the issue or come up with a solution regarding the LDAP to AD for user search for people that have more than one account….

Example would be that Bob Down has two accounts in AD, 1 for normal day-to-day user & a second one for administrator that he only uses once in a while. When doing a lookup in Jabber, he appears twice.

Is there any way to intervene to filter the search to only lookup normal user accounts and not pull administrator/test accounts???


Jonathan Schulenberg
Hall of Fame

There are probably dozens of ways to get this done.

Here's my default; it filters the results to only non-disabled accounts. This is also the CUCM default filter if you don't define a Custom LDAP Filter.

(&(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

You could change it to be this which also excludes any accounts that have the phrase ADMIN in their surname (aka Last Name) attribute.

(&(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(sn=*ADMIN*)))

Another option would be to rule out anyone with Domain Admin group membership:

(&(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)))

Yet another would be to rule out anyone with "admin" in their username (aka sAMAccountName):

(&(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=*admin*)))

Please remember to rate helpful responses and identify helpful or correct answers.

Wow, excellent stuff!

So this filter would be in the CUPS Ldap filter yeah?

For CUPC clients yes. For Jabber you would need to place it in the jabber-config.xml file.

Please remember to rate helpful responses and identify helpful or correct answers.

What can I say.... Champion!

Cheers!

Hmmmmmm.... Ok......

Is there any reason that this would work for client 9.1.0 and not 9.0.1?

Basically, adding any "Base Filter" to 9.1.0 works perfectly, but 9.0.1 loses all visibility of the directory altogether???

I can add "" and it is fine, however as soon as I populate between the fields, 9.0.1 does not like it where 9.1.0 works a treat????

Two things to try:

  • Remove the last ')'
  • Change '&' to '&amp;'

Please remember to rate helpful responses and identify helpful or correct answers.

Yep, removing the last ")" did the job!

As I said before, Champion!

Cheers!

This thread helped me so I wanted to post a working example -

IMP 9.1

Jabber 9.1 / 9.2

(&(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

--
-Mark Turpin


Hey Jonathan,

What would you need to put in the Jabber config file in order for the filter of disabled LDAP accounts not to pop up in Jabber search?

That is outlined in the CM feature documentation as it is part of the default LDAP filter that is implicitly used if no custom filter is used.



Disabled user can be omitted by this highlighted part. This particular filter is the default filter used in CM for the LDAP synchronisation if no custom filter is used.

Standard default LDAP filter for users
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))



I've tried a lot of solutions last week and they all gave me the same result: after adding the filter to the service profile of the End Users, disabled users were no longer shown, as well as their active users.

Say Bob has an active user and a disabled user, both users were gone after the filter, all the other active users were shown correctly.

We ended up syncing jabber with UDS and that's what gave the best result for the client.

 

If possible could you please share the filter that you used and a screenshot of the where you applied it?



I've applied the filter to the Service Profile (UserManagement > User Profile > Service Profile) (Screenshot Included):

(!userAccountControl:1.2.840.113556.1.4.803:=2) - similar to what you sent the latest without the objectclass

(!userAccountControl=514)

and some more which I can't find.
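
An added example, not part of any post in this thread: it rebuilds the thread's filter, shows why '&' has to be written as '&amp;' once the filter sits inside jabber-config.xml, and compares the bitwise matching rule with the exact-value test (userAccountControl=514) on constructed sample values. The BaseFilter element name and all function names here are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BIT_AND = "1.2.840.113556.1.4.803"   # bitwise-AND matching rule OID from the thread's filters
ACCOUNTDISABLE = 0x2                  # userAccountControl bit tested by ":=2"

def person_filter(exclude_sam=None):
    """Rebuild the thread's filter: person objects whose disabled bit is not set."""
    clauses = ["(objectCategory=person)",
               f"(!(UserAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"]
    if exclude_sam:                   # e.g. "*admin*", as in the sAMAccountName variant
        clauses.append(f"(!(sAMAccountName={exclude_sam}))")
    return "(&" + "".join(clauses) + ")"

def base_filter_xml(ldap_filter, escaped=True):
    """Wrap the filter in a BaseFilter element (assumed name), escaping '&' by default."""
    body = escape(ldap_filter) if escaped else ldap_filter
    return f"<BaseFilter>{body}</BaseFilter>"

def parsed_filter(xml_text):
    """Return the filter an XML parser recovers, or None if the XML is malformed."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None

def excluded_by_bit_rule(uac):
    """The :803:=2 form drops any entry that has the disabled bit set."""
    return uac & ACCOUNTDISABLE == ACCOUNTDISABLE

def excluded_by_equality(uac):
    """The userAccountControl=514 form drops only entries whose value is exactly 514."""
    return uac == 514

# Constructed sample values: 512 normal, 514 disabled,
# 66048 normal + non-expiring password, 66050 disabled + non-expiring password.
SAMPLE_UAC = [512, 514, 66048, 66050]

if __name__ == "__main__":
    f = person_filter("*admin*")
    print(base_filter_xml(f))
    print("raw '&' parses:", parsed_filter(base_filter_xml(f, escaped=False)) is not None)
    for uac in SAMPLE_UAC:
        print(uac, excluded_by_bit_rule(uac), excluded_by_equality(uac))
```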