Common LDAP search strings used with the ILST

Features and Functionality
Last Updated:
July 28, 2022
by
Jesse Langstaff
| Version: 12
| 3,966 views
| 1 follower
 
members are following updates on this item.
Last Updated:
July 28, 2022
by
Jesse Langstaff
| Version: 12
3,966
1
 
members are following updates on this item.
Publication details
Published
on
December 21, 2016
by
Ryan Consell
Enterprise AdministrationMember Management

This article highlights some commonly used <SearchString> filters that you can use when constructing LDAP search queries for the ILST. Although shown individually, you can combine these filters to make more complex queries. 

Sections in this article:   

Select all users in an OU

You cannot specify an OU in an LDAP search query. Instead, identify the OU in your <BaseDN>.

Here's an example of identifying the employees OU in the <BaseDN>:

<SearchString>(&amp;(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString
<BaseDN>OU = employees, OU=Users,DC=company,DC=com</BaseDN>

Select the immediate users of a group

You can sync the immediate users of a group by including a memberOf filter in your <SearchString>. Users of groups nested under this one will not be returned.

Here's an example query that includes a filter for the immediate users of the CaptainPlanet  group:

<SearchString>(&amp;(objectclass=user)(mail=*)(memberOf=CN=CaptainPlanet,OU=groupsOU,DC=company,DC=com))</SearchString>

Select the users of a group and all nested groups

You can sync all users of a group, including the users of all nested groups, by including the LDAP chain matching rule OID of 1.2.840.113556.1.4.1941 in the memberOfilter of your <SearchString>

Here's an example query that includes a filter for all users of the CustomerExperience  group and its nested groups: 

<SearchString>(&amp;(objectclass=user)(mail=*)(memberof:1.2.840.113556.1.4.1941:=CN=CustomerExperience,OU=groupsOU,DC=x))
</SearchString>

Select users based on attribute values

You can select users based on attribute values by using the attribute name and desired value in your <SearchString>.

Here's an example query that includes a filter for users with a value of Manager in their Title attribute:

<SearchString>(&amp;(objectclass=user)(mail=*)(Title=Manager))</SearchString>

Exclude deactivated users

You can exclude deactivated users by including the userAccountControl filter in your <SearchString>. You should include this filter in all search queries to ensure deactivated users aren't returned.

Here's an example query that includes a filter for deactivated users:

<SearchString>(&amp;(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString>

Related Content (3)

  • Igloo LDAP Sync Tool (ILST)
    /support/knowledgebase/all_articles/articles/igloo_ldap_sync_tool
    Wiki
    published
    December 23, 2013
    by
    Kayleigh LeBlanc
    The Igloo LDAP Sync Tool (ILST) is an Igloo-developed application that automatically syncs users from one or more LDAPv3-supported data sources (e.g., Microsoft Active Directory, Azure AD) to your dig…
  • ILST configuration reference guide
    /support/knowledgebase/all_articles/articles/ilst_configuration_reference_guide
    Wiki
    published
    May 9, 2022
    by
    Jesse Langstaff
    The following sections and tables describe the elements of the ILST configuration file and their typical values.  For step-by-step instructions on configuring the ILST, see Configuring the ILST.Sectio…
  • Configuring the ILST
    /support/knowledgebase/all_articles/articles/configuring_the_ilst
    Wiki
    published
    November 5, 2021
    by
    Jesse Langstaff
    This article will teach you how to configure the ILST to sync users from one or more LDAP-supported data sources (e.g.,  Microsoft Active Directory, Azure AD) to your digital workplace. If you don't k…
Load MoreHide
Viewed 3,966 times