LDAP query based on roles assigned or NOT assigned

TBonney
Veteran Member, Posts: 281

Can anyone tell me how to do a query to identify any users that DO NOT have a particular role assigned?

We use Softerra LDAP Browser and I already have queries that identify all users that DO HAVE a particular role assigned. However, when trying to identify those who are missing a designated role that all users should have, I cannot get it to work.

I am using the syntax zzlwsnattrRole=RoleXYZ to find someone with a designated role assigned. But if I change that syntax to (!(zzlwsnattrRole=RoleXYZ)) it returns all users, instead of only those who do not have RoleXYZ assigned.

I can't figure out how to do this and need to identify users that do not have a certain group of roles assigned for our auditors.

Please help if you have figured out how to do this in Softerra! Thank you kindly!!

Kwane McNeal
Veteran Member, Posts: 479

What LDAP product and version are you using?

Is the query you have posted here the entire query you are using?
TBonney
Veteran Member, Posts: 281

Softerra LDAP Browser 4.5.

Complete query is as follows:
Search DN: OU=resources,O=lwsnrmdata,CN=lwsn,DC=mvn,DC=local
Filter: zzlwsnattrRole=RoleXYZ
Attributes: lwsnssoListOfIDs,lwsnssoAllAttrValueList

Kwane McNeal
Veteran Member, Posts: 479

I'm surprised you get anything back, actually. The lwsnsso* attributes aren't on anything in ou=resources. The LDAP Server must just be ignoring those...

Also, when I asked about LDAP product, I should have been more clear to state I was looking for info on the Server components.

Kwane McNeal
Veteran Member, Posts: 479

On the surface, your attempted negation query should work.
I would remove the attributes you're looking for, since those aren't on anything in ou=resources, and replace it with just 'cn'.

I'd make sure the search scope is 'one' (not 'base' or 'sub').

Depending on server and how many users, you may need a paged search enabled...
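As an added illustration (not code from the thread, from Softerra, or from any LDAP server), the filter shapes discussed above evaluated by a small pure-Python matcher over constructed entries, so it runs offline. The attribute name zzlwsnattrRole is the one from the thread; the user names and role values are made up. It also extends the single-role negation to the "group of roles" audit case and shows the caveat that a bare negation also matches entries with no role attribute at all.

```python
# Added example, not from the thread or from Softerra: a minimal evaluator for
# the LDAP filter shapes discussed above (equality, presence, &, |, !), run
# against constructed in-memory entries so it works offline.
# Constructed sample entries (names and roles made up; attribute name is from the thread).
ENTRIES = [
    {"cn": "alice", "zzlwsnattrRole": ["RoleXYZ", "RoleABC"]},
    {"cn": "bob", "zzlwsnattrRole": ["RoleABC"]},
    {"cn": "carol", "zzlwsnattrRole": ["RoleXYZ"]},
    {"cn": "dave"},  # no role attribute at all
]

def parse(f, i=0):
    """Parse one parenthesised filter component at f[i]; return (tree, next_i)."""
    assert f[i] == "(", "each component must be wrapped in parentheses"
    i += 1
    if f[i] in "&|!":  # compound: operator followed by child components
        op, children, i = f[i], [], i + 1
        while f[i] == "(":
            child, i = parse(f, i)
            children.append(child)
        assert f[i] == ")" and (op != "!" or len(children) == 1)
        return (op, children), i + 1
    end = f.index(")", i)  # simple: attr=value (value "*" means presence)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.strip(), value.strip()), end + 1

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (multi-valued attrs are lists)."""
    if tree[0] == "=":
        _, attr, value = tree
        vals = entry.get(attr, [])
        vals = [vals] if isinstance(vals, str) else vals
        return bool(vals) if value == "*" else value in vals
    op, children = tree
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # "!" negates its single child

def search(filter_str, entries=ENTRIES):
    """Return the cn of each matching entry, like asking only for 'cn'."""
    tree, _ = parse(filter_str)
    return [e["cn"] for e in entries if matches(tree, e)]

# Users missing RoleXYZ; the audit case of users missing ANY of a set of required
# roles; and a variant whose presence test drops entries with no roles at all.
MISSING_XYZ = "(!(zzlwsnattrRole=RoleXYZ))"
MISSING_ANY = "(|(!(zzlwsnattrRole=RoleXYZ))(!(zzlwsnattrRole=RoleABC)))"
HAS_SOME_BUT_NOT_XYZ = "(&(zzlwsnattrRole=*)(!(zzlwsnattrRole=RoleXYZ)))"
```

Scope and paging are not modelled here: on a real server the filter only sees entries within the chosen search scope, which is why the 'one' versus 'sub' choice changes the result set.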

TBonney
Veteran Member, Posts: 281

Thank you Kwane! It looks like using 'one' instead of sub-tree level and changing to 'cn' only in the attributes is returning the results I am looking for. Thanks for your help.