
Frans S. asked:

LDAP CSS: Multiple or more OU matches for users

Hi, I am not sure whether this is a configuration issue, bug, or an enhancement request:

We have a customer with AD/LDAP on which we have connected the CSS for user authentication.

The main user (cn) credentials are in ou=Users,o=Customer. So apparently this ou is at the top level.

There are special accounts we would like to grant access to as well. A certain group resides in

ou=Users,ou=e-Directory,ou=Services,o=Customer

Also a Users ou, but in another branch.

I cannot figure out how to combine this in CSS. In the User Settings search base, I cannot combine (with OR) the DNs. And CSS apparently does not retrieve from all ou's named Users.

If I use the Softerra LDAP browser, I can do a Directory Search with Search DN: ou=Users, and it will return users from any/both Users ou's. CSS does not.

If I change the User search base to ou=Services instead of Users, it will find the users in ou=Users,ou=e-Directory,ou=Services,o=Customer

Is it possible to use two or more locations somehow?

Or how do I specify to search from the top level? Apparently I cannot use o=Customer as search base:
LDAP error when performing search: Unable to complete LDAP query, error in name/search base.

Actually CSS should find users from all ou=Users occurrences, just like Softerra does. That might be an enhancement request.

Current settings:

LDAP server type: Other

Search settings
LDAP server type: o=Customer

Group Settings

  • Search base: ou=AccessControl
  • Search filter: (&({0}={1})(objectClass=groupOfNames))

    Group attribute mappings
    • Group name: cn
    • Description: description

User Settings

  • Search base: ou=Users
  • Search filter: (&(uid={0})(objectClass=Person))

    User attribute mappings
    • Username: uid
    • Email address: mail
    • First name: cn
    • Last name: sn

User group membership

  • Search filter: (member={0})
  • Search base: ou=AccessControl

Test search on username in second ou:

LDAP error when performing search: Could not find LDAP user with username: [specialuser] with LDAP URL: [ldaps://ldap.customer.org:636/o=customer], with usernameAttribute: [uid] and userSearchBase: [ou=Users].


1 Answer

Adam P. answered:

Please take a look at the LDAP doc page, which says:

If you leave User search base empty, user searches will look under the sub-tree set by Base DN.

I hope that will resolve the problem of searching in many branches.

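The following is an added example, not code from the question, the answer, or the CSS product. It models the point of the thread: an LDAP user lookup only reaches entries inside the subtree under its effective search base, so a base of ou=Users relative to o=Customer cannot reach the users under ou=Services, while an empty user search base (search from the Base DN) reaches both. The directory entries, the group cn=css-users, the account svc-backup, and the rule that a relative search base is prefixed to the Base DN are all constructed assumptions for this example; real deployments should check how their product composes the search base. The example also shows the check a defender wants once the base is widened to the whole tree: a uid match alone then admits any matching account in any branch, so the group-membership search (member={0}) is what keeps the scope to intended users.

```python
# Added example (not from the thread): how LDAP search base, subtree scope, the
# user filter and the group-membership filter together decide who can log in.
from __future__ import annotations

BASE_DN = "o=Customer"  # connection Base DN, as in the LDAP URL quoted in the error

# Constructed directory modelled on the layout described in the question.
DIRECTORY = [
    {"dn": "uid=alice,ou=Users,o=Customer",
     "uid": "alice", "objectClass": ["Person"]},
    {"dn": "uid=specialuser,ou=Users,ou=e-Directory,ou=Services,o=Customer",
     "uid": "specialuser", "objectClass": ["Person"]},
    # Hypothetical service account in a third branch: matches the user filter
    # but is not meant to use the application.
    {"dn": "uid=svc-backup,ou=ServiceAccounts,o=Customer",
     "uid": "svc-backup", "objectClass": ["Person"]},
    # Hypothetical access-control group listing the intended users.
    {"dn": "cn=css-users,ou=AccessControl,o=Customer",
     "objectClass": ["groupOfNames"],
     "member": ["uid=alice,ou=Users,o=Customer",
                "uid=specialuser,ou=Users,ou=e-Directory,ou=Services,o=Customer"]},
]


def rdns(dn: str) -> list[str]:
    """Split a DN into normalised RDNs, most specific first.
    Sample DNs contain no escaped commas, so a plain split is enough here."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies anywhere below it (LDAP scope 'sub')."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def effective_base(user_search_base: str) -> str:
    """Assumed behaviour (suggested by the error message's userSearchBase: [ou=Users]
    next to the URL's o=customer): a relative base is prefixed to the Base DN,
    and an empty base means the Base DN itself."""
    return f"{user_search_base},{BASE_DN}" if user_search_base else BASE_DN


def find_user(username: str, user_search_base: str,
              object_class: str = "Person") -> list[str]:
    """Emulate the filter (&(uid={0})(objectClass=Person)) with subtree scope."""
    base = effective_base(user_search_base)
    return [e["dn"] for e in DIRECTORY
            if is_under(e["dn"], base)
            and e.get("uid") == username
            and object_class.lower() in (c.lower() for c in e["objectClass"])]


def groups_of(user_dn: str, group_search_base: str = "ou=AccessControl") -> list[str]:
    """Emulate the membership filter (member={0}) under the group search base."""
    base = effective_base(group_search_base)
    wanted = rdns(user_dn)
    return [e["dn"] for e in DIRECTORY
            if is_under(e["dn"], base)
            and any(rdns(m) == wanted for m in e.get("member", []))]


def authorised(username: str, user_search_base: str, required_group: str) -> bool:
    """Login succeeds only for exactly one user match that is also in required_group."""
    matches = find_user(username, user_search_base)
    if len(matches) != 1:
        return False
    return any(rdns(g) == rdns(required_group) for g in groups_of(matches[0]))


if __name__ == "__main__":
    group = "cn=css-users,ou=AccessControl,o=Customer"
    print(find_user("specialuser", "ou=Users"))   # [] : not under ou=Users,o=Customer
    print(find_user("specialuser", ""))           # found via the Base DN subtree
    print(find_user("svc-backup", ""))            # also found once the base is widened
    print(authorised("svc-backup", "", group))    # False: group membership filters it out
```

The usage block at the bottom reproduces the thread: with the base ou=Users the special user is not found, with ou=Services or an empty base it is, and the group-membership filter is what stops the widened search from admitting every account that happens to match uid and objectClass.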