Solved: Re: CUP LDAP search string

mikeduffy13 · ‎03-19-2010

So I am wondering if there is a way I can set a search string on my CUP server to filter out accounts that I don't want to show up in the CUPC directory. We have a lot of admin accounts, distribution groups, etc that all show up. I only want accounts with actual mail address to show up. This is what I have right now for my LDAP Profile Configuration:

Bind Distinguished Name (DN) - CN=SRVUCLOOKUPAD,OU=Service Accounts,DC=NMDP,DC=ORG

Search Context - DC=NMDP,DC=ORG

htluo · ‎03-20-2010

You could. All you need to do is to use # sign to separate different OUs. For example, set the search base to the following:

OU=Sales,DC=acme,DC=com#OU=Support,DC=acme,DC=com

This is supported on CUPC 7.0.2 and above.

You may find more details on http://www.lulu.com/content/5552336.

Michael

View solution in original post

Aaron Harrison · ‎03-19-2010

Hi

Your searches bind to AD with a specific username, so you could just deny read access to the OUs you want to filter out to that SRVUCLOOKUPAD account.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

mikeduffy13 · ‎03-19-2010

So outside of a permissions change, is there anything that would work?

They way our AD environment is setup, that would be pretty messy...

Aaron Harrison · ‎03-19-2010

Hi

Probably not.

You can filter based on perms, and can filter based on Base OU.

I'm not aware of a way to change the stock filters...

If your AD is really not set up to allow neat searches it might want a rethink...

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

mikeduffy13 · ‎03-19-2010

Understood. I guess what I was trying to get at is whether or not you can specify multiple OU's in the Search Context? But it sounds like you are saying that isn't possible either?

Aaron Harrison · ‎03-19-2010

Hi

Not as far as I'm aware - you assign one search base to a profile, and one profile to each user... so there's nowhere to add multiples.

The online help for the page confirms this.

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

htluo · ‎03-20-2010

You could. All you need to do is to use # sign to separate different OUs. For example, set the search base to the following:

OU=Sales,DC=acme,DC=com#OU=Support,DC=acme,DC=com

This is supported on CUPC 7.0.2 and above.

You may find more details on http://www.lulu.com/content/5552336.

Michael

Aaron Harrison · ‎03-21-2010

Hi Micheal

I stand corrected

More stunningly concise and up to date documentation for this product from Cisco sigh..

+5

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

mikeduffy13 · ‎03-22-2010

Great! This worked perfectly. Thanks Michael!

Yorick Petey · ‎09-28-2010

Hi Michael,

Is it possible to use in the same time "#" and a LDAP filter in CUP8?

I have multiple OU to search into, so I use # to separate the ldap paths.

I would like to use a LDAP filter to discard computer object from AD: ";&(!objectClass=computer)".

When I use one of them, it works great, but when I try to use both tricks in the LDAP search context value, the LDAP search does not work anymore (the second LDAP path is ignored):

OU=Users1,DC=company,DC=local#OU=Users2,DC=company,DC=local;&(!objectClass=computer)

Is there a trick or a known limitation to do so?

Thank you for your help.

Yorick