LDAP query based on roles assigned or NOT assigned

TBonney
Veteran Member
Posts: 281

Can anyone tell me how to do a query to identify any users that DO NOT have a particular role assigned?

We use Softerra LDAP Browser and I already have queries that identify all users that DO HAVE a particular role assigned. However, when trying to identify those who are missing a designated role that all users should have, I cannot get it to work.

I am using the syntax: zzlwsnattrRole=RoleXYZ to find someone with a designated role assigned. But if I change that syntax to (!(zzlwsnattrRole=RoleXYZ)) it returns all users, instead of only those who do not have RoleXYZ assigned.

I can't figure out how to do this and need to identify users that do not have a certain group of roles assigned for our auditors.

Please help if you have figured out how to do this in Softerra! Thank you kindly!!

Kwane McNeal
Veteran Member
Posts: 479
What LDAP product and version are you using?

Is the query you have posted here the entire query you are using?
TBonney
Veteran Member
Posts: 281
Softerra LDAP Browser 4.5.

Complete Query is as follows:
Search DN: OU=resources,O=lwsnrmdata,CN=lwsn,DC=mvn,DC=local
Filter: zzlwsnattrRole=RoleXYZ
Attributes: lwsnssoListOfIDs,lwsnssoAllAttrValueList
Kwane McNeal
Veteran Member
Posts: 479
I'm surprised you get anything back, actually. The lwsnsso* attributes aren't on anything in ou=resources. The LDAP Server must just be ignoring those...

Also, when I asked about LDAP product, I should have been more clear to state I was looking for info on the Server components.

Kwane McNeal
Veteran Member
Posts: 479
On the surface, your attempted negation query should work.
I would remove the attributes you're looking for, since those aren't on anything in ou=resources, and replace it with just 'cn'.

I'd make sure the search scope is 'one' (not 'base' or 'sub')

Depending on server and how many users, you may need a paged search enabled...

TBonney
Veteran Member
Posts: 281
Thank you Kwane! It looks like using 'one' instead of sub-tree level and changing to 'cn' only in the attributes is returning the results I am looking for. Thanks for your help.
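An added illustration of the behaviour discussed in this thread, not code from the posters or from Softerra: a small RFC 4511 filter evaluator in Python showing that (!(zzlwsnattrRole=RoleXYZ)) also matches entries that lack the attribute entirely (containers, users with no roles), and how the search scope changes the result set. The base DN, entries and role values are constructed sample data.

```python
# Added illustration, not code from the thread or from Softerra: a tiny
# RFC 4511 filter evaluator showing why (!(zzlwsnattrRole=RoleXYZ)) also
# matches entries that merely lack the attribute, and how scope changes
# the result set. All entries, DNs and role values below are constructed.

def parse(s, i=0):
    # Parse filter text from s[i]; return (node, index after the item).
    if s[i] != "(":
        raise ValueError("filter items must be parenthesised")
    i += 1
    if s[i] in "&!":                        # AND / NOT
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)    # equality or presence item
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    # Evaluate a parsed filter against one entry (lower-case attr -> values).
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence: attr has any value
        return bool(values)
    # An absent attribute makes (attr=value) FALSE, so NOT makes it TRUE.
    return any(v.lower() == value.lower() for v in values)

def search(base, scope, filter_text, directory):
    # Return sorted DNs below base that match; scope is 'one' or 'sub'.
    node, _ = parse(filter_text)
    hits = []
    for dn, attrs in directory.items():
        depth = dn.count(",") - base.count(",")     # levels below base
        in_scope = dn.endswith("," + base) and (scope == "sub" or depth == 1)
        if in_scope and matches(node, attrs):
            hits.append(dn)
    return sorted(hits)

BASE = "ou=resources,o=example"            # constructed; base entry itself omitted
DIRECTORY = {
    "cn=alice," + BASE: {"cn": ["alice"], "zzlwsnattrrole": ["RoleXYZ", "RoleABC"]},
    "cn=bob," + BASE: {"cn": ["bob"], "zzlwsnattrrole": ["RoleABC"]},
    "cn=carol," + BASE: {"cn": ["carol"]},                  # no role attribute at all
    "ou=archive," + BASE: {"ou": ["archive"]},              # container, not a user
    "cn=dave,ou=archive," + BASE: {"cn": ["dave"], "zzlwsnattrrole": ["RoleABC"]},
}
```

Under RFC 4511 a filter item on an attribute type the server does not recognise evaluates to Undefined, and NOT of Undefined is still Undefined, so such entries are not returned at all; the evaluator above models only the recognised-attribute case.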