"objectclass not equal to" is not working

I am working with LDAP Active Directory and trying to list all users. I have this filter which works perfect:

(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))

Unfortunately, we also have computer units and other devices present in AD with objectclass "user", so with the previous filter I got all users, computers, devices, rooms, etc.

These computers and devices also have an objectclass "computer", so I need to extend the filter with objectclass!="computer" in order to list only real users. So far I've tried these filters, none of them working (no data returned!):

(&(objectclass=user)(!objectclass=computer)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(&(objectclass=user)(!(objectclass=computer))(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!(objectclass=computer))(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!objectclass=computer)(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))

(real users do not have the objectclass "computer").

I am working with the PHP LDAP implementation, so I'm using the ldap_search() method.

The "not equal to" syntax was found eg here: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx or here: http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx

Maybe I could try to filter users where (!CN=Computers) is in the DN, but first I'd like to filter with (!objectclass=computer) as it is more logical to me.

What is the correct syntax for objectclass != "computer" expression?


Contrary to the first link you provided, (!objectclass=computer) is not a valid filter expression. It should be (!(objectclass=computer)). See RFC 2254:

filter ::= "(" filtercomp ")"

not ::= "!" filter

So your filter should be

(&(!(objectclass=computer))(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))

If you are trying to get all users, you could just do this:

(&
   (objectclass=user)
   (!(objectClass=computer))
)

It looks like you're trying to get users who are members of specific groups AND who have a specified principalname (right?). If so, you could do:

(&
    (objectclass=user)
    (!(objectClass=computer))
    (|
        (userPrincipalName=username@domain.com)
        (displayName=John Doe)
    )
    (|
        (memberOf=CN=group1,CN=Groups,DC=domain,DC=com)
        (memberOf=CN=group2,CN=Groups,DC=domain,DC=com)
    )
)

These work on my end (you may need to remove whitespace in your PHP code).
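The two RFC 2254 productions quoted above, turned into a small checker as an added example (not code from the question or the answer): it parses a filter as `"(" filtercomp ")"`, so the operand of `!` must carry its own parentheses, rejects the unparenthesised form and any string that is more than one top-level filter, and compacts a multi-line filter like the one in the answer without touching whitespace inside values such as `John Doe`. Written in Python rather than PHP so it runs stand-alone; the function names are my own.

```python
import re

_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|:=|=)[^()]*$")  # attr filtertype value

def _parse(s: str, i: int) -> int:
    """Parse one filter starting at s[i] == '('; return the offset just past its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f'expected "(" at offset {i}')
    i += 1
    if s[i] in "&|":                      # and/or ::= "&"/"|" filterlist (1*filter)
        i += 1
        if s[i] != "(":
            raise ValueError(f"filterlist needs at least one filter at offset {i}")
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif s[i] == "!":                     # not ::= "!" filter -> operand keeps its own parens
        i = _parse(s, i + 1)
    else:                                 # item ::= attr filtertype value
        j = s.find(")", i)
        if j == -1 or not _ITEM.match(s[i:j]):
            raise ValueError(f"bad item at offset {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f'expected ")" at offset {i}')
    return i + 1

def is_valid_filter(s: str) -> bool:
    """True only if the whole string is exactly one well-formed filter."""
    try:
        return _parse(s, 0) == len(s)
    except (ValueError, IndexError):
        return False

def compact(s: str) -> str:
    """Drop whitespace between components; keep it inside values (e.g. 'John Doe')."""
    out, i, in_item = [], 0, False
    while i < len(s):
        c = s[i]
        if in_item:                       # copy the item verbatim up to its ')'
            out.append(c)
            in_item = c != ")"
        elif not c.isspace():
            out.append(c)
            if c == "(":                  # first non-blank char after '(' decides the kind
                rest = s[i + 1:].lstrip()
                if rest and rest[0] not in "&|!(":
                    in_item, i = True, len(s) - len(rest)
                    continue
        i += 1
    return "".join(out)
```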
