How to Exclude an OU in an LDAP search

  • 7011116
  • 02-Mar-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

How to Exclude an OU in an LDAP search

Resolution

Unfortunately, LDAP does not support substring matching on DN-syntax attributes, so a filter that tests part of a DN will not work. For example,
"(!(distinguishedName=*ou=speciallist,dc=example,dc=com))" does not exclude the entries under that OU.

LDAP does not "exclude" results within the searchDN itself. A search starts at the searchDN and returns either that entry alone, that entry's immediate children, or the entry's whole subtree, depending on the search scope. To exclude entries from a search, you must therefore either restrict the searchDN or filter the results.

There is an "internal" application attribute for configuring multiple searchDNs in an AD or LDAP connector. If present, this attribute overrides the "visible" searchDN attribute:

<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="ou=unittest1,DC=test,DC=sailpoint,DC=com"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
      <Map>
        <entry key="searchDN" value="ou=unittest2,DC=test,DC=sailpoint,DC=com"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
      <Map>
        <entry key="searchDN" value="ou=unittest3,DC=test,DC=sailpoint,DC=com"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
    </List>
  </value>
</entry>

Filtering the results, by matching the OU components of each entry's DN, removes those users whose DN contains the OU in question. Per ETN 3933, the "iterateSearchFilter" attribute values use a prefix notation to signify the object type (account vs. group). The value must be added through the "debug" edit object page:

<entry key="account.iterateSearchFilter" value="(&amp;(objectClass=User)(!(|(ou:dn:=skipOU1)(ou:dn:=skipOU2)(ou:dn:=skipOU3)...(ou:dn:=skipOUn)))"/>
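The following Python script is an added example and is not NetIQ or SailPoint code. It models the two approaches above so they can be checked offline before touching the connector: a builder for the "(ou:dn:=...)" exclusion filter that escapes assertion values per RFC 4515, a scope check for the multiple-searchDN approach, and a simplified evaluator for the ":dn:" (dnAttributes) extensible match. The DN parsing, the sample entries and the assumption that the target directory honours the ":dn:" flag are constructed for the example.

```python
"""Model of the two OU-exclusion strategies from the article: restricting the
search base (multiple searchDNs) and filtering on the OU components of each
entry's DN with the "(ou:dn:=...)" extensible match.

Added example, not NetIQ/SailPoint code. The DN parsing is a simplified,
constructed model of how a directory evaluates these filters, and it assumes
the server supports the ":dn:" dnAttributes flag (RFC 4511, 4.5.1.7.7).
"""

import re

# Characters that must be escaped inside a filter assertion value (RFC 4515),
# so an OU name taken from configuration cannot change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_exclusion_filter(skip_ous, object_class="User"):
    """Build the article's filter: objects of object_class whose DN contains
    none of the OUs in skip_ous."""
    if not skip_ous:
        return f"(objectClass={object_class})"
    clauses = "".join(f"(ou:dn:={escape_filter_value(ou)})" for ou in skip_ous)
    return f"(&(objectClass={object_class})(!(|{clauses})))"


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, attribute names lower-cased.
    Handles backslash-escaped commas; multi-valued RDNs are not modelled."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.strip().partition("=")
        pairs.append((attr.strip().lower(), val.strip().replace("\\,", ",")))
    return pairs


def in_scope(dn, base_dn, scope="SUBTREE"):
    """Would a search rooted at base_dn with the given scope return dn?"""
    dn_n = [(a, v.lower()) for a, v in parse_dn(dn)]
    base_n = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    if len(dn_n) < len(base_n) or dn_n[len(dn_n) - len(base_n):] != base_n:
        return False  # dn is not under base_dn at all
    depth = len(dn_n) - len(base_n)
    return {"BASE": depth == 0, "ONELEVEL": depth == 1, "SUBTREE": True}[scope]


def matches_dn_attribute(dn, attr, value):
    """Model of an extensible match with dnAttributes set (the ':dn:' flag):
    true if any RDN component of the DN has attr with a case-insensitively
    equal value."""
    return any(a == attr.lower() and v.lower() == value.lower() for a, v in parse_dn(dn))


def excluded_by_ou_filter(dn, skip_ous):
    """Apply the (!(|(ou:dn:=...)...)) part of the filter to a DN."""
    return any(matches_dn_attribute(dn, "ou", ou) for ou in skip_ous)


def select_accounts(entries, search_dns, skip_ous):
    """Simulate the connector: an entry is returned if it is a User, lies
    within at least one configured searchDN/scope, and is not excluded by the
    OU filter. entries is a list of (dn, objectClass)."""
    kept = []
    for dn, object_class in entries:
        if object_class != "User":
            continue
        if not any(in_scope(dn, s["searchDN"], s["searchScope"]) for s in search_dns):
            continue
        if excluded_by_ou_filter(dn, skip_ous):
            continue
        kept.append(dn)
    return kept


# Constructed sample configuration and directory content for the example.
SEARCH_DNS = [
    {"searchDN": "ou=unittest1,DC=test,DC=sailpoint,DC=com", "searchScope": "SUBTREE"},
    {"searchDN": "ou=unittest2,DC=test,DC=sailpoint,DC=com", "searchScope": "SUBTREE"},
]
SAMPLE_ENTRIES = [
    ("cn=alice,ou=unittest1,dc=test,dc=sailpoint,dc=com", "User"),
    ("cn=bob,ou=speciallist,ou=unittest1,dc=test,dc=sailpoint,dc=com", "User"),
    ("cn=carol,ou=unittest2,dc=test,dc=sailpoint,dc=com", "User"),
    ("cn=dave,ou=unittest3,dc=test,dc=sailpoint,dc=com", "User"),
    ("cn=admins,ou=unittest1,dc=test,dc=sailpoint,dc=com", "Group"),
]

if __name__ == "__main__":
    print(build_exclusion_filter(["speciallist"]))
    for dn in select_accounts(SAMPLE_ENTRIES, SEARCH_DNS, ["speciallist"]):
        print("returned:", dn)
```

Running the script prints the generated filter and then only alice and carol: bob is dropped by the OU filter, dave lies outside every configured searchDN, and the group entry fails the objectClass test. Because the ":dn:" match compares whole RDN values, an OU named "speciallist2" is not excluded by "(ou:dn:=speciallist)", which is the behaviour to expect from the directory as well.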