LDAP query based on roles assigned or NOT assigned

TBonney

Can anyone tell me how to do a query to identify any users that DO NOT have a particular role assigned?

We use Softerra LDAP Browser and I already have queries that identify all users that DO HAVE a particular role assigned. However, when trying to identify those who are missing a designated role that all users should have, I cannot get it to work.

I am using the syntax: zzlwsnattrRole=RoleXYZ to find someone with a designated role assigned. But if I change that syntax to (!(zzlwsnattrRole=RoleXYZ)) it returns all users, instead of only those who do not have RoleXYZ assigned.

I can't figure out how to do this and need to identify users that do not have a certain group of roles assigned for our auditors.

Please help if you have figured out how to do this in Softerra! Thank you kindly!!

Kwane McNeal
What LDAP product and version are you using?

Is the query you have posted here the entire query you are using?
TBonney
Softerra LDAP Browser 4.5.

Complete Query is as follows:
Search DN: OU=resources,O=lwsnrmdata,CN=lwsn,DC=mvn,DC=local
Filter: zzlwsnattrRole=RoleXYZ
Attributes: lwsnssoListOfIDs,lwsnssoAllAttrValueList
Kwane McNeal
I'm surprised you get anything back, actually. The lwsnsso* attributes aren't on anything in ou=resources. The LDAP Server must just be ignoring those...

Also, when I asked about LDAP product, I should have been more clear to state I was looking for info on the Server components.

Kwane McNeal
On the surface, your attempted negation query should work.
I would remove the attributes you're looking for, since those aren't on anything in ou=resources, and replace it with just 'cn'

I'd make sure the search scope is 'one' (not 'base' or 'sub')

Depending on server and how many users, you may need a paged search enabled...
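An added illustration, not from the thread: a small Python model of how a directory server evaluates the filters discussed above, using constructed entries (DNs below the posted search base, made-up names and role values). It shows why `(!(zzlwsnattrRole=RoleXYZ))` also matches entries that carry no role attribute at all (which a 'sub' scope pulls in from below the base), and goes one step beyond the thread by adding the presence-plus-negation form `(&(zzlwsnattrRole=*)(!(zzlwsnattrRole=RoleXYZ)))` that keeps an audit result to entries that actually have roles.

```python
# Constructed sample directory for illustration only; attribute names follow
# the thread, entry names and role values are made up.
BASE = "OU=resources,O=lwsnrmdata,CN=lwsn,DC=mvn,DC=local"

ENTRIES = [
    {"dn": "cn=alice," + BASE, "cn": ["alice"], "zzlwsnattrRole": ["RoleXYZ", "RoleABC"]},
    {"dn": "cn=bob," + BASE, "cn": ["bob"], "zzlwsnattrRole": ["RoleABC"]},
    {"dn": "ou=archive," + BASE, "ou": ["archive"]},  # container: no role attribute at all
    {"dn": "cn=old-acct,ou=archive," + BASE, "cn": ["old-acct"], "zzlwsnattrRole": ["RoleABC"]},
]


def one_level(entries, base):
    """Scope 'one': keep only entries whose DN is exactly one RDN below the base."""
    return [e for e in entries
            if e["dn"].lower().endswith("," + base.lower())
            and "," not in e["dn"][: -len(base) - 1]]


def matches_role(entry, role):
    """(zzlwsnattrRole=role): equality match against a multi-valued attribute."""
    return role in entry.get("zzlwsnattrRole", [])


def not_role(entry, role):
    """(!(zzlwsnattrRole=role)): true whenever the equality does NOT match.
    LDAP negation is 'not true', so an entry with no zzlwsnattrRole attribute
    matches too; that is what inflates the result under a 'sub' scope."""
    return not matches_role(entry, role)


def missing_role(entries, role):
    """(&(zzlwsnattrRole=*)(!(zzlwsnattrRole=role))): the presence test limits
    the negation to entries that carry roles, i.e. users lacking this one.
    Returns the cn values, matching the thread's 'cn only' attribute list."""
    return [e["cn"][0] for e in entries
            if "zzlwsnattrRole" in e and not_role(e, role)]


if __name__ == "__main__":
    print("negation only, sub scope:",
          [e["dn"] for e in ENTRIES if not_role(e, "RoleXYZ")])
    print("missing RoleXYZ, one level:", missing_role(one_level(ENTRIES, BASE), "RoleXYZ"))
```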

TBonney
Thank you Kwane! It looks like using 'one' instead of sub-tree level and changing to 'cn' only in the attributes is returning the results I am looking for. Thanks for your help.