Hello,
I have no Ironport example, but I think you can manage to add the Ironport-specific stuff to it yourself.
A few examples:
This one does what you ask for. It includes all objects with "objectclass=person" and any value in the "mail=" attribute, except if the object is in a container that is named excludedUsers1 (anywhere in your directory).
(&
(objectclass=person)
(mail=*)
(!(ou:dn:=excludedUsers1))
)
The same, but with three excluded OUs:
(&
(objectclass=person)
(mail=*)
(!(ou:dn:=excludedUsers1))
(!(ou:dn:=excludedUsers2))
(!(ou:dn:=excludedUsers3))
)
And the other way around: only if a user is in a container named "includedUsers1".
(&
(objectclass=person)
(mail=*)
(ou:dn:=includedUsers1)
)
And to make it complete, the same as the previous with multiple included OUs.
(&
(objectclass=person)
(mail=*)
(|
(ou:dn:=includedUsers1)
(ou:dn:=includedUsers2)
(ou:dn:=includedUsers3)
)
)
These filters all take the complete DN and analyze it to see if there is a matching container in this DN.
This means (with the first example) that the objects in the container "/o=org,dc=dc1,ou=excludedUsers1" are excluded, but also the objects in the container "/o=org,dc=dc2,ou=excludedUsers1".
If you want you can be more explicit in defining the path to exclude or include but I have no examples present for the moment.
If you really want I can find it out for you.
Note: for readability I formatted the filters over a few lines; you can simply remove all spaces and line breaks to place it in your single-line search filter field in the GUI.
Good luck!
Steven
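
The DN-component matching described in the post, as an added example that is not part of the original post: a small Python evaluator that collapses the first filter to one line and applies it to constructed entries, showing that an OU named excludedUsers1 is excluded under any parent and at any depth. The entry DNs, mail addresses and all function names are assumptions made for the illustration.

```python
import re

def collapse(text):
    # Strip all whitespace, as the post suggests (safe here: no value contains a space).
    return re.sub(r"\s+", "", text)

def parse(f, i=0):
    # Recursive-descent parse of one "(...)" filter; returns (node, next_index).
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("item", attr.lower(), value.lower()), end + 1

def dn_components(dn):
    # Lower-cased (type, value) pairs; escaped commas are not handled here.
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":dn:"):
        # Extensible match with the dn flag: also test every component of the DN.
        name = attr[:-4]
        pool = [v.lower() for v in entry["attrs"].get(name, [])]
        pool += [v for t, v in dn_components(entry["dn"]) if t == name]
        return value in pool
    values = [v.lower() for v in entry["attrs"].get(attr, [])]
    return bool(values) if value == "*" else value in values

def accepted(filter_text, entries):
    tree, _ = parse(collapse(filter_text))
    return [e["dn"] for e in entries if matches(tree, e)]

def person(dn, mail=None):  # constructed sample entries
    return {"dn": dn, "attrs": {"objectclass": ["person"], "mail": [mail] if mail else []}}

ENTRIES = [person("cn=alice,ou=staff,dc=dc1,o=org", "alice@example.com"),
           person("cn=bob,ou=excludedUsers1,dc=dc1,o=org", "bob@example.com"),
           person("cn=carol,ou=team,ou=excludedUsers1,dc=dc2,o=org", "carol@example.com"),
           person("cn=dave,ou=staff,dc=dc1,o=org")]
FIRST_FILTER = "(&\n(objectclass=person)\n(mail=*)\n(!(ou:dn:=excludedUsers1))\n)"

print(accepted(FIRST_FILTER, ENTRIES))
```

Support for the ":dn:" form varies between directory servers, so confirm the filter against the server the appliance actually queries before relying on it to exclude recipients.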