Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
12254
Views
5
Helpful
1
Comments

Defining LDAP filters for importing AD users in DMS

Herbert Baerten
Cisco Employee
Cisco Employee

‎10-07-2010 12:20 PM - edited ‎03-12-2019 09:31 AM

NOTE: This document is not meant to replace the official documentation regarding LDAP authentication in DMS, but to serve as an addition.

Please refer to the following URL for the basic configuration steps:

http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_1/dmm/user/guide/admin.html#wp1088277

Defining LDAP filters

In the Administration > Settings > Authentication > Define Filter screen, the User Base DN defines which subtree to import the users from and usually will look something like this:

cn=Users,dc=MYCOMPANY,dc=COM

The User Filter is a filter in LDAP format that allows you to select only those users under the Base DN that match certain criteria.

Example 1: Select all users under the Base DN

(objectClass=user)
Example 2: Select all users that are member of group CN=DMMusers
(memberOf=CN=DMMusers,CN=Users,DC=MYCOMPANY,DC=COM)
Note that this will automatically select only objects of class user, but will generate warnings for non-user objects (e.g. group objects). To avoid those warnings, create a filter that combines the above example with the one in example 1, with a logical AND:
(&(objectClass=user)(memberOf=CN=Engineering,CN=Users,DC=MYCOMPANY,DC=COM))
I.e. select all objects that are of class 'user' AND have the attribute memberOf with a value of CN=Engineering...
Example 3: Select all users that are member of CN=Sales or CN=Engineering
Similarly to the AND construct above, we can use the | symbol to construct a logical OR of two (or more) filters: (|(filter1)(filter2)).
(|(memberOf=CN=Sales,CN=Users,DC=MYCOMPANY,DC=COM)(memberOf=CN=Engineering,CN=Users,DC=MYCOMPANY,DC=COM))
Example 4: Select all users that are member of a Group or its subgroups
Assume you have a group CN=Employees, which has multiple other groups as members: CN=Sales and CN=Engineering, possibly multiple levels deep.
Problem: all users are a member of one or more subgroups, not of Employees directly, so we cannot simply filter for memberOf=CN=Employees.
Constructing a filter as in example 3 would be cumbersome and difficult to maintain.
The solution is to use the following special construct that searches for all users in the given group and all of its subgroups (and subgroups of the subgroups, etc.):
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=MYCOMPANY,DC=COM))
Links
A good reference for the filter syntax is available from Microsoft at http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
When testing and trying to find the right filter, you may have to  repeatedly create, test and delete your filter. It may be easier to  use an LDAP browser like the one at http://www.ldapadministrator.com/download.htm. This will connect to your LDAP server and offers  a search feature where you can enter the Base DN and Filter in the same syntax as in DMM (Note: the download page offers both the free Browser tool and the trial version of Administrator - the Browser tool is sufficient to test your filters).

					
				
			
			
			
				
			
			
			
			
			
			
		

		
		
	

	
	


	

		
			
					
	

	

	

	

				
		
			
    
	

		
			
					
			
		
				
		
			
		
			
		
	
	


		

	

		

			

	
		
			
					
				
		
	
	


		

			

	
		

			
		
			
            
        
		
			
		
			
					
		

	
			
		


	
				
		
	
		

	
	


		

	

		

			

	
		
			
					
		
	
				
		
			
					
		
	
				
		
	
	


		

	



		

	

	

	




		
		
			
			
		
		
			
             
            

	

		
 

		

			

				
					

						

							
								
                    
                        Comments
                    
                
							
						

					

				
				

					

						
                    

	
		
	
		

			

	 
	 
	
	

	

	

	
		

			

			
	

	

		


	

	
		

			
			

	

		

			
		

	

		

			
		

	

		

			

	
		

			
		
			

	
			
					panayiotiscy
					
				
		


		
	
		

	
	

	
		

			
		
				
		
	

	

	
			
				
		
		
			
		
		
		Level 4
		
		
		
		
		
	
			
		

		
			
					
		

			Level 4
		

	
				
		
	
		

	
	

	
		
			
					
		
	
				
		
	
	


		

			

	
		
			
	
	

		

			

				

					
	

				

			

		

	



		
			
					
		

			
    

	
		
		
		‎01-17-2011
	
		
		01:06 AM
	
	

	
	
	
	
	
	
	
	
	
	
	
	

		

	
				
		
	
	


		

	

		

			

	
		
			

		

	
		

			
				
					
					
						
Very useful guide.

					
				
			
			
			
				
			
			
			
			
			
			
		

		
		
	

	
	


	

		
	
	


		

	

		

			

	
		
			
					
				
		
	
	


		

			
		

	

		

			

	
		
			
		
	
	


		

	



		

	

	

	




			
		
    
            

                

            

        

	
		

		
	

	

	


                    
                
					

				

			

		

		
 

	



			
            
		
		
	
	


		

			

	
		

			
		
			
 
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:


 

		
	
		

	
	

	
		
				

        

	


		
			
 
 

		
			
		
			

		
			



  

    

      

        

          
Customers Also Viewed These Support Documents