How to Exclude an OU in an LDAP search

  • 7100005
  • 02-Mar-2011
  • 07-Aug-2013


NetIQ Access Governance Suite


Unfortunately, LDAP does not support substring searches on DNs.
A substring filter on the DN, such as
"(!(distinguishedName=*ou=speciallist,dc=example,dc=com))", will not work.

LDAP does not "exclude" results inside the searchDN itself.
An LDAP search starts at the searchDN and returns either
just that entry, just that entry's immediate "children", or the
entry's whole subtree, depending on the search scope.


To exclude entries from a search, you either
restrict the searchDN or filter the results.

There is an "internal" application attribute for configuring
multiple searchDNs in an AD or LDAP connector.
If present, this attribute overrides the "visible"
searchDN attribute.

<entry key="searchDNs">
  <value>
    <List>
      <!-- a list of maps: one searchDN/searchScope pair per base DN -->
      <Map><entry key="searchDN" value="ou=unittest1,DC=test,DC=sailpoint,DC=com"/>
           <entry key="searchScope" value="SUBTREE"/></Map>
      <Map><entry key="searchDN" value="ou=unittest2,DC=test,DC=sailpoint,DC=com"/>
           <entry key="searchScope" value="SUBTREE"/></Map>
      <Map><entry key="searchDN" value="ou=unittest3,DC=test,DC=sailpoint,DC=com"/>
           <entry key="searchScope" value="SUBTREE"/></Map>
    </List>
  </value>
</entry>

Filtering the results compares each returned DN against the OU names
and removes those users whose DN contains the OU in question.
Per ETN 3933, the "iterateSearchFilter" attribute values use
a prefix notation to signify the object type (account vs group).
The value must be added through the "debug" edit-object page:

<entry key="account.iterateSearchFilter" value="(&amp;(objectClass=User)(!(|(ou:dn:=skipOU1)(ou:dn:=skipOU2)(ou:dn:=skipOU3)...(ou:dn:=skipOUn)))"/>

FYI, the example comes from a web "tutorial" on LDAP filtering:
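
The following is an added example, not code from the article, the tutorial it cites, or the NetIQ product: it builds the extensible-match exclusion filter shown above from a list of OU names (with RFC 4515 escaping) and applies the same "is this DN under one of the skipped OUs" rule client-side to constructed sample DNs, using exact RDN comparison rather than a naive substring test.

```python
# Added example, not code from the NetIQ article or product: builds the
# extensible-match exclusion filter shown above and applies the same rule
# client-side to constructed sample DNs. Whether a server honours ":dn:"
# matching varies; confirm with a test search before relying on the filter.
SAMPLE_DNS = [  # constructed sample data, not taken from the article
    "CN=Jane Doe,OU=speciallist,DC=example,DC=com",
    "CN=John Roe,OU=speciallist2,DC=example,DC=com",
    "CN=Ann Lee,OU=staff,OU=Sales,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=Sales,DC=example,DC=com",  # escaped comma in the RDN
]

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_exclude_filter(skip_ous, object_class="User"):
    """Return (&(objectClass=User)(!(|(ou:dn:=skipOU1)...(ou:dn:=skipOUn))))."""
    oc = f"(objectClass={escape_filter_value(object_class)})"
    if not skip_ous:
        return oc
    terms = "".join(f"(ou:dn:={escape_filter_value(ou)})" for ou in skip_ous)
    return f"(&{oc}(!(|{terms})))"

def dn_components(dn: str):
    """Split a DN into lower-cased (type, value) RDN pairs, honouring backslash
    escapes. Multi-valued RDNs (a=1+b=2) are not handled."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf)); buf = []
            continue
        escaped = ch == "\\" and not escaped
        buf.append(ch)
    rdns.append("".join(buf))
    return [tuple(p.strip().lower() for p in rdn.strip().partition("=")[::2])
            for rdn in rdns]

def dn_under_ou(dn: str, ou: str) -> bool:
    """Client-side equivalent of (ou:dn:=<ou>): some RDN of the DN is ou=<ou>.
    Exact RDN comparison, so 'speciallist' never matches 'speciallist2' the way
    a naive substring test on the DN string would."""
    return any(t == "ou" and v == ou.lower() for t, v in dn_components(dn))

def exclude_ous(dns, skip_ous):
    """Drop every DN that sits in, or under, any of the OUs to skip."""
    return [dn for dn in dns if not any(dn_under_ou(dn, ou) for ou in skip_ous)]
```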