Posted to user@ranger.apache.org by Reed Villanueva <rv...@ucera.org> on 2019/12/10 20:01:48 UTC

AD user search filter syntax for “all users in a specified OU DN path”

What is the search filter syntax for "all users under the given OU DN"?
Looking at the docs here (
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
did not seem to answer this question (though I am totally new to AD, so it may
be in there under another wording).

Use case is that I have an AD path
"OU=Users,OU=HortonworksUsers,DC=ucera,DC=local" under which there are
several person entries (i.e. their attribute objectClass OID is
"top;person;organizationalPerson;user"). I would like to add them to a
search filter (for Apache Ranger AD usersync
<https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/configuring-ranger-authe-with-unix-ldap-ad/content/ranger_ad_integration_ranger_usersync.html>),
but have only seen examples of filtering for a specified group, i.e.
"memberOf=".

My current search filter, which does not work and in fact causes errors in
the usersync logs, looks like:

(|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)("memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local")
(OU=Users,OU=HortonworksUsers,DC=ucera,DC=local) )

Note the last segment of the filter string.

Can anyone with more AD experience let me know the right way to filter for
users under some arbitrary OU DN? Is it even possible (or do you have to
specify each user individually in this case)?

-- 
This electronic message is intended only for the named recipient, and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic mail address noted above, and delete and destroy all copies of this message. Thank you.

Re: AD user search filter syntax for “all users in a specified OU DN path”

Posted by Reed Villanueva <rv...@ucera.org>.
"User Search Base: This property specifies the OU(s) path where the users
are located in AD. For your use case it should be
"OU=Users,OU=HortonworksUsers,DC=ucera,DC=local". Just an FYI, ranger
usersync configuration supports specifying multiple OUs (with ";"
separated) for user search base."

This bit was particularly helpful, since I did not know I could add multiple
specific search bases for syncing.

Thanks.


Re: AD user search filter syntax for “all users in a specified OU DN path”

Posted by Sailaja Polavarapu <sp...@cloudera.com>.
Hi Reed,
Ranger Usersync has a few properties to be configured in order to filter
users to be sync'd to Ranger.
User Search Base: This property specifies the OU(s) path where the users
are located in AD. For your use case it should be
"OU=Users,OU=HortonworksUsers,DC=ucera,DC=local". Just an FYI, ranger
usersync configuration supports specifying multiple OUs (with ";"
separated) for user search base.
User object class: For your case the value should be "person".
User Search filter: This property can be used to further filter out
specific users under the configured user search base. For your use case,
since you want to sync all the users under the configured user search base,
you can configure the value to be something like "cn=*".

Please also take a look at this article for further explanation of some
simple use cases:
https://community.cloudera.com/t5/Community-Articles/Configuring-Ranger-Usersync-with-AD-LDAP-for-a-common/ta-p/245959

- Sailaja.

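The point of the answer above is that the OU is not something you filter on: it is the search base, and the object class and search filter only narrow the entries found beneath it. The following Python is an added example (not Ranger's code and not from either poster) that models that split offline. It assumes the ranger-ugsync-site.xml property names shown in SETTINGS, assumes usersync combines the object class and the search filter with an LDAP AND (the exact composition is my assumption), invents a second "OU=Contractors" base to exercise the ";"-separated list, and constructs UNQUOTED_VARIANT, a syntactically repaired copy of the original poster's filter, to show that fixing the syntax does not fix the scoping mistake. The RFC 4515 checker is minimal but covers the AND/OR/NOT, equality, substring and extensible-match forms used with AD.

```python
"""Offline sanity check for Ranger-usersync-style AD user search settings.
Added example, not Ranger's own code: the property keys follow the
ranger-ugsync-site.xml names as I understand them, and AND-ing the object
class with the search filter is my assumption about how usersync composes
the query, not something the thread confirms."""
import re

# RFC 4515 pieces: attribute description or numeric OID; filter types including
# AD's extensible match (attr:OID:=value); value with \HH escapes and '*'.
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)*")
FTYPE_RE = re.compile(r"(?::dn)?(?::[A-Za-z][A-Za-z0-9-]*|:\d+(?:\.\d+)*)?:=|~=|>=|<=|=")
VALUE_RE = re.compile(r"(?:[^\x00()*\\]|\\[0-9A-Fa-f]{2}|\*)*")

# Constructed settings mirroring the thread: the OU lives in the ";"-separated
# search base; object class and filter only narrow within it. The Contractors
# OU is invented to show the multi-base case.
SETTINGS = {
    "ranger.usersync.ldap.user.searchbase": "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local;"
                                            "OU=Contractors,OU=HortonworksUsers,DC=ucera,DC=local",
    "ranger.usersync.ldap.user.objectclass": "person",
    "ranger.usersync.ldap.user.searchfilter": "cn=*",
}
# The filter from the original post, joined onto one line.
BROKEN_FILTER = ('(|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)'
                 '("memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local")'
                 '(OU=Users,OU=HortonworksUsers,DC=ucera,DC=local) )')
# Constructed variant without the quotes and stray space: it parses, but the OU
# clause is still wrong, since an OU is a container, not an attribute of a user.
UNQUOTED_VARIANT = ('(|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)'
                    '(memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local)'
                    '(OU=Users,OU=HortonworksUsers,DC=ucera,DC=local))')

def _parse(s, i):
    """Parse one filter starting at s[i] == '('; return (ast, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":  # RFC 4526 allows an empty list
            child, i = _parse(s, i)
            items.append(child)
        node = (op, items)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        m = ATTR_RE.match(s, i)
        if not m:
            raise ValueError(f"bad attribute description at offset {i}")
        attr, i = m.group(0), m.end()
        m = FTYPE_RE.match(s, i)
        if not m:
            raise ValueError(f"bad filter type after {attr!r} at offset {i}")
        ftype, i = m.group(0), m.end()
        m = VALUE_RE.match(s, i)
        value, i = m.group(0), m.end()
        if "*" in value and ftype != "=":  # wildcards only in =/substring
            raise ValueError(f"'*' not allowed with {ftype!r} at offset {i}")
        node = ("item", attr, ftype, value)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(s):
    """Parse a complete RFC 4515 filter string; raise ValueError on bad syntax."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"trailing characters at offset {end}")
    return node

def filter_error(s):
    """Return the syntax error for a filter, or None if it is well-formed."""
    try:
        parse_filter(s)
        return None
    except ValueError as err:
        return str(err)

def dn_shaped_clauses(node):
    """Flag OU/DC assertions whose value looks like a DN: that scoping belongs
    in the search base, not in the filter."""
    if node[0] in ("&", "|", "!"):
        return [c for child in node[1] for c in dn_shaped_clauses(child)]
    _, attr, _, value = node
    if attr.lower() in ("ou", "dc") and re.search(r",\s*dc=", value, re.I):
        return [f"({attr}={value})"]
    return []

def effective_user_search(settings):
    """Expand the settings into (search base, filter) pairs, one per base; the
    combined filter is parsed first so a typo fails here, not against the DC."""
    extra = settings["ranger.usersync.ldap.user.searchfilter"].strip()
    if extra and not extra.startswith("("):
        extra = f"({extra})"
    combined = f"(&(objectclass={settings['ranger.usersync.ldap.user.objectclass']}){extra})"
    parse_filter(combined)
    bases = settings["ranger.usersync.ldap.user.searchbase"].split(";")
    return [(b.strip(), combined) for b in bases if b.strip()]
```

Calling `effective_user_search(SETTINGS)` yields one (base, filter) pair per OU with the filter `(&(objectclass=person)(cn=*))`; `filter_error(BROKEN_FILTER)` reports the quoted `"memberOf` clause as a bad attribute description, and `dn_shaped_clauses(parse_filter(UNQUOTED_VARIANT))` still flags the `(OU=Users,...)` clause, which is the real mistake: no user entry carries that value, so the clause can never match, and the OU must go in the search base instead. Two practical caveats: listing only the OUs you need in the search base is the least-privilege choice compared with a domain-root base and a broad filter, and `cn=*` under a base syncs every person object there, disabled and service accounts included. If you want to leave disabled accounts out, the AD bitmask rule `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` in the user search filter does that, and the checker above accepts that syntax.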