I'm trying to pull out a list of users from Active Directory with LDAP. I want to get all users from multiple OUs and I'm struggling to get results.
In an attempt to simplify things, I tried setting a single OU as the base DN and just filtering to get user objects:
ldapsearch -b "OU=Company Users,OU=Users,OU=UK,OU=Helpdesk,DC=ad,DC=company,DC=com" '(objectClass=user)'
This successfully returns lots of users. However, if I move some of the elements from the base DN to the filter, I get no results at all.
ldapsearch -b "DC=ad,DC=company,DC=com" '(&(objectClass=user)(OU=Company Users)(OU=Users)(OU=UK)(OU=Helpdesk))'
Aren't these two queries essentially the same?
Am I being daft? (no doubt, there)
They are not the same.
From what you related, you want:
ldapsearch -b "OU=Company Users,OU=Users,OU=UK,OU=Helpdesk,DC=ad,DC=company,DC=com" '(objectClass=user)'
The baseDN
OU=Company Users,OU=Users,OU=UK,OU=Helpdesk,DC=ad,DC=company,DC=com
represents a branch in the "tree" structure.
The
(OU=Company Users)(OU=Users)(OU=UK)(OU=Helpdesk)
represents attributes on the user entries, and I doubt that anyone populated the attributes.
It is unfortunate that Microsoft Active Directory does not support the "normal" "ExtensibleMatch" filters.
Let me know how I can help.
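An added example, not part of the original answer: because an entry's place in the OU tree lives in its DN rather than in attributes on the entry, users from several OUs can be selected by searching from the domain root and then checking each returned DN against the wanted OU bases on the client. The function names, the second OU base and all sample DNs below are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes are kept)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts

def normalize(rdn):
    """Case-insensitive comparison form: 'OU = UK' -> 'ou=uk'."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def is_under(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn (base included)."""
    entry = [normalize(r) for r in split_dn(dn)]
    base = [normalize(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base

def users_in_ous(dns, ou_bases):
    """Keep the DNs that fall under at least one of the OU bases."""
    return [dn for dn in dns if any(is_under(dn, b) for b in ou_bases)]

# Constructed sample data; only the first OU base appears in the question.
DOMAIN = "DC=ad,DC=company,DC=com"
OU_BASES = [
    "OU=Company Users,OU=Users,OU=UK,OU=Helpdesk," + DOMAIN,
    "OU=Contractors,OU=Users,OU=UK,OU=Helpdesk," + DOMAIN,  # hypothetical
]
SAMPLE_DNS = [
    "CN=Alice Example,OU=Company Users,OU=Users,OU=UK,OU=Helpdesk," + DOMAIN,
    "CN=Smith\\, Bob,ou=contractors,OU=Users,OU=UK,OU=Helpdesk,dc=ad,dc=company,dc=com",
    # Same OU names as the first base, but under OU=FR: a different branch.
    "CN=Carol Example,OU=Company Users,OU=Users,OU=FR,OU=Helpdesk," + DOMAIN,
    "CN=svc-backup,CN=Users," + DOMAIN,
]

if __name__ == "__main__":
    print("\n".join(users_in_ous(SAMPLE_DNS, OU_BASES)))
```

The third sample entry shares its OU names with the first base but sits in another branch, which is why the check compares the ordered DN suffix rather than individual OU names.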