Java – LDAP: use filters to avoid child CN in Active Directory
I tried to query almost all users in Active Directory.
It looks like another question, but its answers don't help me. I'm using the hint provided here, but it doesn't help.
I am using JNDI to query Active Directory. My query is:
(&(objectClass=user)(!(cn:dn:=Users)))
This means all objects of class user that are not in the Users subtree. However, this query still returns the following:
CN=__vmware__,CN=Users,DC=SIREDRM,DC=com
So why doesn't that filter work? How can I make it work?
Solution
Using (!(distinguishedName=*,CN=Users,DC=mydomain,DC=com)), you try to use an attribute with DN syntax [Object(DS-DN)]. For these LDAP attributes, you cannot use wildcards in the LDAP filter.
Attribute 'distinguishedName': http://msdn.microsoft.com/en-us/library/ms675516%28VS.85%29.aspx
LDAP syntax "Object(DS-DN)": http://msdn.microsoft.com/en-us/library/ms684431%28VS.85%29.aspx
In the second link, you will find statements about disabling wildcards.
In general, you can use LDAP extensible matching rules to exclude certain containers from subtree searches, and in your case, the syntax will be similar to:
(!(cn:dn:=Users))
Or something like that. The bad thing: AD also does not support this extensible matching: http://msdn.microsoft.com/en-us/library/cc223241%28PROT.10%29.aspx (read the first paragraph).
The conclusion is that you cannot use a single filter in an Active Directory environment. I'm sorry.
The only solution seems to be to use client tools. The scripts provided by Microsoft will show you exactly how to meet your needs (except that you need users, not computers):
http://blogs.technet.com/heyscriptingguy/archive/2004/12/07/how-can-i-return-a-list-of-all-my-computers-except-those-in-a-specified-ou.aspx
Another thing you can look at is a virtual directory that acts as a proxy for AD, which allows you to configure filters and permissions without touching AD.
(mostly copied from hyphen site)
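The client-side filtering the answer recommends, as an added example that is not part of the original answer: run the plain `(objectClass=user)` search and drop entries under the excluded container by comparing parsed DNs. The class and method names and all sample DNs except the `__vmware__` one are constructed for illustration; `usersOutside` assumes an already-bound `DirContext`.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

public class ExcludeContainer {
    // True if dn is the container or lies beneath it. LdapName indexes RDNs right to
    // left, so startsWith() matches the DN suffix, ignoring case and honouring escapes.
    static boolean isUnder(String dn, String containerDn) throws NamingException {
        return new LdapName(dn).startsWith(new LdapName(containerDn));
    }

    static List<String> outside(List<String> dns, String containerDn) throws NamingException {
        List<String> kept = new ArrayList<>();
        for (String dn : dns) {
            if (!isUnder(dn, containerDn)) kept.add(dn);
        }
        return kept;
    }

    // Server side: plain subtree search for users; the exclusion happens on the client.
    static List<String> usersOutside(DirContext ctx, String baseDn, String containerDn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        List<String> dns = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(objectClass=user)", sc);
        try {
            while (results.hasMore()) dns.add(results.next().getNameInNamespace());
        } finally {
            results.close();
        }
        return outside(dns, containerDn);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs; only the first one appears in the question.
        List<String> sample = List.of(
            "CN=__vmware__,CN=Users,DC=SIREDRM,DC=com",
            "CN=Alice Example,OU=Staff,DC=SIREDRM,DC=com",
            "CN=Users\\, Temp,OU=Staff,DC=SIREDRM,DC=com");
        System.out.println(outside(sample, "cn=users,dc=siredrm,dc=com"));
    }
}
```

Against a directory with more users than the server's page size, the search also needs JNDI's `PagedResultsControl`, which is left out here.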