LDAP everything except 1 OU

Geosoft_ironport · ‎06-15-2009

Hi There,

I need a little assistance again after encountering a spam mail actually emailed one of our distribution group. Is there way to setup an LDAP query to work on every email address except for 1 OU (such as "Distribution Group" OU.)

Even a filter would be a nice workaround if anyone can offer some advice.

steven_geerts · ‎06-16-2009

Hello,

I have no Ironport example but I think you manage to add the Ironport specific stuff to it yourself.

A few examples:
This one does what you ask for. It includes all objects with “objectclass=person" and any value in the "mail=" attribute. except if the object is in a container that is named exludedUsers1 (anywhere in your directory)


(&
  (objectclass=person)
  (mail=*)
  (!(ou:dn:=excludedUsers1))
)

The same but that with three excluded OU's


(&
  (objectclass=person)
  (mail=*)
  (!(ou:dn:=excludedUsers1))
  (!(ou:dn:=excludedUsers2))
  (!(ou:dn:=excludedUsers3))
)

And the other way around, only is a user is in a container named " includerUsers1


(&
  (objectclass=person)
  (mail=*)
  (ou:dn:=includedUsers1)
  )

And to make it complete the same as the previous with multiple included ou’s.


(&
  (objectclass=person)
  (mail=*)
  (|
    (ou:dn:=includedUsers1)
    (ou:dn:=includedUsers2)
    (ou:dn:=includedUsers3)
  )
)

These filters all take the complete DN and analyze it to see if there is a matching container in this DN.
This means (with the first example) that the objects in the container "/o=org,dc=dc1,ou=excludedUsers1" are excluded but also the objects in the container "/o=org,dc=dc2,ou=excludedUsers1"
If you want you can be more explicit in defining the path to exclude or include but I have no examples present for the moment.
If you really want I can find it out for you.

Note: for readability I formatted the filters over a few lines, you can simply remove all spaces and line brakes to place it in your single line searchfilter field in the GUI.

Good luck!

Steven