tags:

views:

2804

answers:

2
+2  Q: 

LDAP: using a filter to avoid a sub OU in Active Directory

I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.

I have an OU I want to pull information from, but there is a sub OU I want to avoid:

Wanted: users from OU=People,DC=mydomain,DC=com Not Wanted: users from OU=Evil,OU=People,DC=mydomain,DC=com

I know that this could be done by rewriting the application performing teh import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.

A: 

What user are you binding as? Why not modify the rights of that user to block its ability to read users in the OU=evil container?

geoffc  2009-07-09 00:49:54
That will become a problem for ongoing management, tracking which user accounts can read which OUs; if possible I'd like to do this without having to recode the import tool (that will have a big delay because the requried people are not currently available) or implementing a special workaround (such as a post-import stored procedure that deletes the entries from the DB) and stick to the current config, where the LDAP search filter needs to do the restrictions.
DrStalker  2009-07-09 01:30:57
+2  A: 

Well, I'm not entirely sure what you're after but if you use the filter (!(distinguishedName=*,OU=Evil,OU=People,DC=mydomain,DC=com)) along with a Subtree search scope then you won't get any users from the "Evil"-sub-OU returned. However, the entire Evil-sub-OU will still be searched (generally not a problem because of fast LDAP search response times though).

If you're using System.DirectoryServices(.Protocols) in .NET you could also set the SearchScope to OneLevel to only search in the People-OU (and no child-OUs). But that won't work if you have any "OU=Good,OU=People,DC=mydomain,DC=com"...

The third option would be to query the People-OU for all sub-OU:s (objectClass=organizationalUnit) and then issue multiple search requests; one for each of them (except the "Evil" one).

Edit: @geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil-OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users but that will break a lot of other things (including Exchange) and is not supported by Microsoft.

Per Noalt  2009-07-12 20:08:47
A for effort, but wildcard searches don't work with data of type `DN`, in particular `distinguishedName`.
Anton Tykhyy  2010-04-26 16:07:19

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?