How to configure LDAP group filtering criteria to search the directory tree from a specific OU?

Greg Michael shared this question 5 months ago
Answered

My AD structure is such that we have a tree of sub-OUs that contain all our groups for each of our environments. I would like to add the LDAPSUBSTRING setting to the Configuration table properly so that it pulls out the groups only for a given environment. I don't know how to properly format my LDAP query to be joined with the objectClass=group filter to grab only the groups within this tree branch in our AD.

Comments (3)


Hi Greg,

Thanks for reaching out with your question. I was taking some time trying to get an environment set up for this so I thought I'd provide documentation from our previous knowledge base that may be useful -

https://portal.yellowfinbi.com/YFForum.i4?thread=108707#p0

Combined with the information in this topic you may be able to get this going (at least in 7.4.10) -

https://community.yellowfinbi.com/topic/ldap-group-parameter-multiple-groups

Let me know how it goes.

Thanks,

Eric


No access allowed to the old knowledgebase.

System Error


error: Guest Role not enabled. This is a managed service. Please assist us by informing us of your problem. Click here to create a support notification.


I am using Yellowfin as a bundled product as a customer of BMC. The current version in their implementation is 7.4.8. Is there a way to add this as a "hotfix" or backport?


Application Version: 7.4.8
Build: 20181221
Java Version: 1.8.0_192
Operating System: Windows Server 2016 10.0 (amd64)


Hi Greg,


Sorry I missed this, was not alerted on your reply here for some reason.


Here is a copy-paste of the content -


By default, Yellowfin will only display up to 1000 LDAP groups in the list.


However you can filter this group list to return a shorter list by adding a string to the Yellowfin 'Configuration' table.


You will need to add an extra row with the following :


IpOrg  ConfigTypeCode  ConfigCode     ConfigData
1      SYSTEM          LDAPSUBSTRING  <filter by>


The contents of LDAPSUBSTRING are inserted into the LDAP Query to return groups, which is "(&(objectClass=group))".

So, for example, if your LDAPSUBSTRING is "(cn=*DataMart*)" the full query sent to the LDAP server is "(&(objectClass=group)(cn=*DataMart*))"


So the contents of LDAPSUBSTRING can be any LDAP query that can exist within an AND block, "(&(query)(query))"


Example:


insert into configuration (IpOrg, ConfigTypeCode, ConfigCode, ConfigData)
values ('1', 'SYSTEM', 'LDAPSUBSTRING', '(!(name=*Group*))');


This filter '(!(name=*Group*))' means any group with the name Group will NOT be displayed in the list. Please see the link below for more syntax examples.


Please note!

The syntax is dependent on the capabilities of the server.

Some example queries are here: http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx


Related Posts:

LDAP Groups

LDAP Authentication Guide: http://www.yellowfinbi.com/YFForum-LDAP-authentication-Guide-?thread=108674


If you are receiving errors, or having issues setting this up, please email support@yellowfin.com.au


Hope this helps!

-Eric
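
The query composition described in the knowledge-base text above, as an added example (not Yellowfin's code and not part of the original post): it checks that a candidate LDAPSUBSTRING is a set of balanced "(...)" components before placing it inside the AND block, and escapes literal text per RFC 4515. The function names are hypothetical.

```python
BASE = "(objectClass=group)"  # group query quoted in the post above

# RFC 4515 escapes for characters that are special inside a filter value
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(text):
    """Escape literal text (e.g. a group name) for use inside a filter value."""
    return "".join(_ESC.get(ch, ch) for ch in text)


def split_components(substring):
    """Split an LDAPSUBSTRING candidate into its top-level "(...)" items.

    Raises ValueError when parentheses are unbalanced, a component is empty,
    or text sits outside the parentheses: each would corrupt the AND block.
    """
    if "()" in substring:
        raise ValueError("empty component '()'")
    items, depth, start = [], 0, 0
    for i, ch in enumerate(substring):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unmatched ')' at offset %d" % i)
            if depth == 0:
                items.append(substring[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError("text outside parentheses at offset %d" % i)
    if depth != 0:
        raise ValueError("unclosed '('")
    if not items:
        raise ValueError("empty filter")
    return items


def compose_group_filter(substring):
    """Return the full query as described: (&(objectClass=group)<substring>)."""
    return "(&" + BASE + "".join(split_components(substring)) + ")"
```

Validating the value before it goes into the Configuration table catches a stray or missing parenthesis, which would otherwise only surface as a directory-server error or an unexpected group list.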


Eric, that only works as an option for YF 7.4.10 and 8.2.  We are running YF 7.4.8.  I was asking if there was any means to backport that fix for 7.4.8?  Or otherwise implement it manually?

From: Support Queue <support@Yellowfin.bi>

Sent: Tuesday, June 25, 2019 13:55

To: Greg Michael <Greg_Michael@cpr.ca>

Subject: New Comment in "how to configure LDAP group filtering criteria to search the directory tree from a specific OU?"



Hi Greg,

Unfortunately there is not a way to implement this, you would need to wait for a BMC release that incorporates this fix. Their support team may be able to provide answers as to when to expect this functionality. I'll go ahead and mark this question as answered, feel welcome to re-open with a reply here.

Thanks,

Eric