Scan LDAP Paths

The first step in creating an Active Directory profile is to choose which parts of your Active Directory you want to scan and monitor for changes. Each profile can scan multiple Active Directory locations, or organizational units (OU).

LDAP Paths

These are the locations in the Active Directory where HelpMaster will look for user accounts to create/synchronise. The paths here will vary depending on your domain structure, but may look something like this: OU=Recipients,DC=wizbangwidgets,DC=com…

These can be set easily using an Active Directory browsing dialog, or by typing in an LDAP path directly. If a path is typed in directly, it will be validated to ensure that it actually exists.

Use recursive query

This option is available under the LDAP path box. When checked (default), it will use a recursive query when querying the Active Directory, i.e. the container and all sub-containers will be queried. If this option is unchecked, it will only query the parent path.

If some paths require recursive queries while others require container-only queries, create a separate profile for each set of paths. This setting will apply to all LDAP paths in the profile.

Limiting the directory structure when browsing

By default, HelpMaster will open the Active Directory browse paths to the root container for your domain. In circumstances where you wish to start this browse path at a location further into your hierarchy, you can specify this by copying the exact LDAP path into the database column LDAPPathRoot in the table tblActiveDirectoryServiceConfiguration. See your database administrator for details on how to do this.

LDAP Query Filter (Advanced)

This is an optional setting that can be used to filter the list of users that are returned within each of the specified LDAP paths. Use this text-box to enter a valid LDAP query expression.

The Active Directory search is hard-coded to only search for “user” objects within the LDAP path, and this cannot be changed. The LDAP filter entered here builds on this expression and should use the following, or similar, syntax, as described on the webpage linked below.

  • Filter users with first name (given name) = Jimi: (& (givenName=Jimi))

  • Filter users with surname = King: (& (sn=King))

  • Filter disabled accounts only: (&(userAccountControl:1.2.840.113556.1.4.803:=2))

Note, LDAP queries support wildcards and other boolean filtering expressions.
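The following is an added example, not HelpMaster code: a small Python helper that builds the filters listed above, escapes literal values per RFC 4515 so a typed name cannot act as a wildcard or change the filter's structure, and shows what the bitwise matching rule in the disabled-accounts filter evaluates. All function names and the sample accounts are constructed for illustration.

```python
# Added example: helper names are illustrative, not part of HelpMaster.
BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: every bit in the mask must be set
ACCOUNTDISABLE = 0x2                # userAccountControl flag for a disabled account

# RFC 4515 escapes for characters that have meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape a literal so it cannot act as a wildcard or alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def equals(attr, value):
    return "(%s=%s)" % (attr, escape_value(value))

def bit_and(attr, mask):
    return "(%s:%s:=%d)" % (attr, BIT_AND, mask)

def all_of(*clauses):
    return "(&" + "".join(clauses) + ")"

def is_balanced(ldap_filter):
    """Cheap pre-check before pasting a filter: parentheses must pair up."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")

def matches_bit_and(attr_value, mask):
    """What the directory evaluates for the BIT_AND matching rule."""
    return (attr_value & mask) == mask

# Constructed sample accounts (not real data): name -> userAccountControl
SAMPLE = {"jimi": 512, "bb.king": 514, "svc-backup": 66048, "old-temp": 66050}

def disabled_accounts(accounts):
    return sorted(n for n, uac in accounts.items()
                  if matches_bit_and(uac, ACCOUNTDISABLE))

if __name__ == "__main__":
    print(all_of(equals("sn", "King")))
    print(all_of(equals("givenName", "J*(admin)")))  # literal * and () are escaped
    print(all_of(bit_and("userAccountControl", ACCOUNTDISABLE)))
    print(disabled_accounts(SAMPLE))
```
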

For further information and examples on LDAP filters, see this Microsoft webpage:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx