| Author | Messages | |
AlRose
Posts:44
 | | 06/10/2010 9:58 AM |
| Hi everyone,
I am not very familiar with LDAP filters and I have to take care of administering a Linux application server (Openfire). The problem I currently encounter is that some AD users are not synced in Openfire. What we want to achieve is to allow every employee in our company to be able to use a Spark client to use instant messaging.
Basically Openfire searches our AD using this filter: (&(objectClass=organizationalPerson)(employeeID=*))
I have tried to use that filter with dsquery to see the list of users it returns and piped it to findstr to check a specific user:
dsquery * -limit 2000 -filter "(&(objectClass=organizationalPerson)(employeeID=*))" | findstr apacci
So the user apacci is not returned by that query; as a result this user cannot log in to the IM server.
I am not sure what I need to do here, change the search filter or do something about the user account?
| | | |
| TG
Posts:298
 | | 06/10/2010 11:48 AM |
| Have you checked if employee ID is populated for the user?
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
| | | |
| AlRose
Posts:44
 | | 06/10/2010 2:06 PM |
| Well, apparently the Employee ID is not visible from dsa.msc so I wonder what is happening. User accounts are all created the same way by our helpdesk team. I don't understand why employeeid would be populated for some but not for all.
Anyway, if we don't set the EmployeeId manually for each user I think another filter would be more adequate. Wouldn't (&(objectClass=organizationalPerson)) be sufficient?
Thanks
| | | |
| bdesmond
Posts:977
 | | 06/10/2010 2:43 PM |
| Do (&(objectCategory=person)(objectClass=user))
Brian Desmond from my phone
| | | |
| skradel
Posts:177
 | | 06/10/2010 2:55 PM |
| Is it possible that your external system relies on employeeId to be populated, as a sort of anchor value? If not, Mr. Desmond's filter is the way to go.
If you only filtered on objectclass=organizationalPerson then you'd end up with contact objects in the output. And if you filtered on objectclass=user alone, then you'd get computer accounts and other "stuff" ;-)
--Steve
| | | |
| AlRose
Posts:44
 | | 06/10/2010 4:10 PM |
| Thanks for the help and explanation, that did the trick.
| | | |
| TG
Posts:298
 | | 06/10/2010 4:53 PM |
| There are ways to find that out. ds* tools, adfind, ldp, adsiedit.msc, etc...
It is important to know what the problem is before deciding what the fix should be.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Tel 847.295.5000 x37892 | Fax 847.883.7892 tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
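Added example, not part of the thread and not Openfire or Active Directory code: a small Python evaluator for the filter subset discussed above, run over four constructed directory entries. It shows which object types each filter from Steve Kradel's and Brian Desmond's replies selects, and how a negated presence test lists accounts with no employeeID, the check Tony Gordon's replies ask for. The entries, the function names `parse`, `matches` and `search`, and apacci having no employeeID are assumptions made for illustration.

```python
# Added example: tiny LDAP filter evaluator over constructed AD-like entries.
# Handles only &, |, !, equality and presence (attr=*). objectCategory is
# modelled by its short name; apacci lacking employeeID is an assumption.
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"cn": ["jdoe"], "objectCategory": ["person"], "objectClass": USER,
     "employeeID": ["1001"]},
    {"cn": ["apacci"], "objectCategory": ["person"], "objectClass": USER},
    {"cn": ["vendor-contact"], "objectCategory": ["person"],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"cn": ["WKS01$"], "objectCategory": ["computer"],
     "objectClass": USER + ["computer"]},
]


def parse(text, pos=0):
    """Parse one parenthesised filter at pos; return (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = text[pos + 1:pos + 2]
    if op in ("&", "|", "!"):
        pos, children = pos + 2, []
        while text[pos:pos + 1] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        bad_arity = not children or (op == "!" and len(children) != 1)
        if bad_arity or text[pos:pos + 1] != ")":
            raise ValueError(f"malformed '{op}' group near offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    attr, sep, value = text[pos + 1:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed comparison at offset {pos}")
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, entry):
    """Evaluate a parsed node against one entry, case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        values = [v.lower() for k, vs in entry.items()
                  if k.lower() == attr for v in vs]
        return bool(values) if value == "*" else value in values
    op, children = node
    results = [matches(child, entry) for child in children]
    combine = {"&": all, "|": any, "!": lambda r: not r[0]}
    return combine[op](results)


def search(filter_text):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [entry["cn"][0] for entry in ENTRIES if matches(node, entry)]
```

On the sample data, `search("(&(objectCategory=person)(objectClass=user)(!(employeeID=*)))")` returns `['apacci']`, while the original Openfire filter returns only `['jdoe']`.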