LDAP filter for GAL external Active Directory to exclude admins group

gibengy
Posts: 3
Joined: Mon Mar 26, 2018 10:09 am

Post by gibengy »

Hi, I'm trying to set up an external Active Directory GAL on Zimbra 8.8.7; my current working filter is


(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
The autocomplete filter is


(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
The LDAP search base is


dc=sub,dc=domain,dc=com
Search and autocomplete return all AD users, including admin accounts. What is the correct way to exclude the administrators group from the LDAP search?
The accounts I need to exclude are in the OU "Admins" and are members of a couple of groups, like the built-in "Administrators" and the users "Domain Admins", "Enterprise Admins", etc.
I've tried adding (&(objectCategory=group)(!cn=*Admin*) but it doesn't seem to be valid.
gibengy
Posts: 3
Joined: Mon Mar 26, 2018 10:09 am

Re: LDAP filter for GAL external Active Directory to exclude admins group

Post by gibengy »

up?
OK, can anyone just share their LDAP filters for Active Directory GAL so I might have some working examples and figure it out myself? :)
Jordack
Posts: 34
Joined: Sat Sep 13, 2014 2:15 am

Re: LDAP filter for GAL external Active Directory to exclude admins group

Post by Jordack »

I know this won't be super helpful, but just a thought.

I do not use LDAP for GAL in Zimbra, but I use it a lot in other systems. They always return things you may not want.

A couple of thoughts:

Put your admin accounts in another OU that is above your search base OU. Often this doesn't make much sense.

Most of the time I use group memberships. Adding the requirement of "MemberOf=CN=Zimba-GAL,dc=sub,dc=domain,dc=com" to your search query will only allow it to return members of that AD group.

The catch: you have to remember to add people to the group when you create their account. Since I manage nearly everything by group memberships, it's easy for me to remember.

If you really want to try to just exclude a group, try (!MemberOf=*Admin*); you're not really searching for groups, you're searching for people.
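An added example, not from either poster, that checks RFC 4515 filter syntax and composes the memberOf exclusion Jordack describes onto the original GAL filter: the `!` operator must wrap a parenthesized sub-filter (so `(!cn=*Admin*)` and `(!MemberOf=*Admin*)` are malformed), and memberOf is DN-valued, so AD needs each group's full DN rather than a wildcard. The group DNs are constructed placeholders.

```python
# Added example, not from the thread: check RFC 4515 filter syntax and AND a
# memberOf exclusion onto the GAL filter. Group DNs are constructed placeholders.
GAL_FILTER = ("(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))"
              "(&(objectCategory=person)(objectClass=user)))")
ADMIN_GROUPS = [  # placeholders: use the real group DNs from your directory
    "CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=com",
    "CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=com",
]
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN: nested groups too

def is_valid_filter(f: str) -> bool:
    """Structural check: '(' + (&|-list | !-subfilter | attr=value) + ')'.
    Rejects '(!cn=*Admin*)' (no parentheses after '!') and unbalanced filters."""
    pos = 0
    def parse() -> bool:
        nonlocal pos
        if f[pos:pos + 1] != "(":
            return False
        pos += 1
        op = f[pos:pos + 1]
        if op in ("&", "|"):            # zero or more parenthesized sub-filters
            pos += 1
            while f[pos:pos + 1] == "(":
                if not parse():
                    return False
        elif op == "!":                 # exactly one parenthesized sub-filter
            pos += 1
            if not parse():
                return False
        else:                           # simple item such as cn=*Admin*
            end = f.find(")", pos)
            if end < 0 or "=" not in f[pos:end] or "(" in f[pos:end]:
                return False
            pos = end
        if f[pos:pos + 1] != ")":
            return False
        pos += 1
        return True
    return parse() and pos == len(f)

def escape_value(v: str) -> str:
    """RFC 4515 escaping so a DN or search term cannot change filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in v)

def exclude_groups(base_filter: str, groups, nested: bool = True) -> str:
    """base_filter AND NOT memberOf each group; AD needs the full DN, no wildcard."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    excl = "".join(f"(!({attr}={escape_value(g)}))" for g in groups)
    return f"(&{base_filter}{excl})"
```

With `nested=True` the extensible-match form also excludes accounts that are admins only through nested group membership, which a plain memberOf comparison misses.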