Search Filter for TMS AD integration

Answered Question
Jun 13th, 2012

We are provisioning Jabber video/Movi in TMS. We are unable to pull users defined by a group Policy.


This is what the AD structure looks like, where we need to pull the users.


CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=local,DC=xyz


We have an OU with Video Conferencing in which there is a group policy called U_VideoConferencing_Clients. Any users created in the OU Video Conferencing, TMS is able to see after integration. But any users defined by the group policy U_VideoConferencing_Clients inside OU Video Conferencing are not being pulled by TMS.


Read in the documents that a search filter is required to add these users. Does anyone have any idea on the search filter to be used?

Zachary Colton Wed, 06/13/2012 - 14:12
User Badges:
  • Cisco Employee,

jilfersalam,


I'm a little unclear on your AD tree. Is U_VideoConferencing_Clients a folder or a security group? From the sounds of it, it seems it is a security group. For the AD search, the Base DN and Relative Search DN will describe the actual location of the user accounts. If you then want to filter the list of those users to only be the users that are members of a specific security group, you would then add a search filter of something like memberOf=CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=local,dc=xyz. The location of where the security group resides in AD does not matter. You will just need to make sure that the full path of its actual location is correct in the string for the memberOf filter. For example, if you have an OU off your root that contains your security groups called "Security Groups", the memberOf would equal CN=U_VideoConferencing_Clients,OU=Security Groups,DC=local,DC=xyz.


Zac

jilfersalam Wed, 06/13/2012 - 14:22

Hello Zac


Thank You for the reply.



Yes, it is a security group. As per the system admin, the Security Group is called U_VideoConferencing_Clients, which resides in the OU Video Conferencing. So the syntax we gave for the search filter was exactly what you mentioned:

memberOf=CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=local,dc=xyz


But it was not pulling the users in the Security Group. Is there anything additional we need to give?

Correct Answer
Magnus Ohm Wed, 06/13/2012 - 14:28
User Badges:
  • Cisco Employee,

Hey jilfersalam


Are you able to import the users using this search filter?


(&(objectClass=user)(memberOf=CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=local,DC=xyz))


/Magnus

Marnus van der Nest Tue, 08/01/2017 - 01:23

Hi Guys, 


I want to revive this post as I am having issues and can't import contacts using this method as well. I am using LDAP string

OU=Resources,OU=Users,OU=Johannesburg,OU=Corporate,DC=South32,DC=Net

Test is okay, but contacts are not importing. Trying to import meeting rooms only, which are located in the Resources OU.

Patrick Sparkman Tue, 08/01/2017 - 08:11
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 TelePresence

The easiest solution is to have your meeting rooms be a member of a group, and simply import that group using a search filter similar to Magnus' reply.

Zachary Colton Wed, 06/13/2012 - 14:32
User Badges:
  • Cisco Employee,

jilfersalam,


What is the configuration of the Base DN and Relative Search DN? Do all of the user accounts that are a member of the security group exist in that path?


Zac

jilfersalam Wed, 06/13/2012 - 14:40

Hello Magnus


I will try out the search filter once I am on site and update you guys.


Zac,

Base DN xyz.local is the root of the AD, the actual users might be in an OU called users. I am not very good on the AD side; if you can elaborate on your question, I can get back to you on it once I discuss it with the system admins when I am on site.


thanks


Jilfer

Correct Answer
Zachary Colton Wed, 06/13/2012 - 15:04
User Badges:
  • Cisco Employee,

Jilfer,


For the source configuration, you would want to configure the Base DN of DC=xyz,DC=local. The Relative Search DN would be the rest of the AD structure where all of the user accounts would fall. If all of the users are in an OU=Users (or a sub-OU or folder thereof) that exists at the root of your domain, the Relative Search DN would be OU=Users. How this works is that the LDAP query that is run against AD will find all users in OU=Users,DC=xyz,DC=local that are a member of what is defined in the memberOf search filter.

I also just noticed something else from what you have posted. Is your domain local.xyz or xyz.local? If it is xyz.local, the end of the strings would be DC=xyz,DC=local. This includes the memberOf string.


Zac

jilfersalam Thu, 06/14/2012 - 00:02

Hello Zac,


Thanks for taking time in explaining it. As you mentioned, we were not configuring the correct relative search DN. Once we gave the correct relative search DN, together with the search filter that Magnus posted, I was able to pull all the users defined by the security group.


Thank you guys for the support.



Jilfer
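
Added example (not part of the original thread, and not TMS code): a small offline Python model of the two settings the thread resolved, showing how the Relative Search DN scopes the subtree, how the memberOf filter then narrows it, and how a swapped DC order silently matches nothing. The entries, the names Alice/Bob/Carol, the helper functions and the assumption that the domain is xyz.local are all constructed for illustration.

```python
# Added example. All entries below are constructed; xyz.local is an assumption.
GROUP = "CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=xyz,DC=local"
ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=xyz,DC=local", "objectClass": ["user"], "memberOf": [GROUP]},
    {"dn": "CN=Bob,OU=Users,DC=xyz,DC=local", "objectClass": ["user"], "memberOf": []},
    {"dn": "CN=Carol,OU=Video Conferencing,DC=xyz,DC=local", "objectClass": ["user"], "memberOf": [GROUP]},
    {"dn": GROUP, "objectClass": ["group"], "memberOf": []},
]

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def norm_dn(dn):
    """Simplified DN comparison form (assumes no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def search_base(base_dn, relative_dn=""):
    """Relative Search DN is prepended to Base DN to form the search root."""
    return f"{relative_dn},{base_dn}" if relative_dn else base_dn

def group_filter(group_dn):
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"

def domain_suffix(dn):
    return ",".join(p for p in norm_dn(dn).split(",") if p.startswith("dc="))

def dc_order_matches(base_dn, group_dn):
    """False when the DC components differ, e.g. DC=local,DC=xyz vs DC=xyz,DC=local."""
    return domain_suffix(base_dn) == domain_suffix(group_dn)

def subtree_search(entries, root, group_dn):
    """Emulate a subtree search with group_filter() over in-memory entries."""
    root_n, group_n = norm_dn(root), norm_dn(group_dn)
    hits = []
    for e in entries:
        dn = norm_dn(e["dn"])
        in_scope = dn == root_n or dn.endswith("," + root_n)
        member = group_n in (norm_dn(g) for g in e["memberOf"])
        if in_scope and "user" in e["objectClass"] and member:
            hits.append(e["dn"])
    return hits

if __name__ == "__main__":
    base = "DC=xyz,DC=local"
    print(group_filter(GROUP))
    for rel in ("OU=Video Conferencing", "OU=Users", ""):
        print(repr(rel), subtree_search(ENTRIES, search_base(base, rel), GROUP))
    print(dc_order_matches(base, "CN=U_VideoConferencing_Clients,OU=Video Conferencing,DC=local,DC=xyz"))
```

Escaping the group DN before it goes into the filter matters whenever the name comes from user or admin input, since unescaped parentheses or asterisks change the filter's structure.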
