Wildcards in LDAP filter OR multiple syncs to same domain?
I need to sync both user and system accounts via LDAP sync.
Currently both are in the same AD group, so I just use that in the filter on the "user field mapping" screen. However soon they will not be able to be in the same group.
I was unable to make a second sync, because it says that only one sync per domain is allowed.
I'm also unable to use wildcards in that filter field. What is strange is that I can use them for the "group sync", but not the "user sync". Is there any workaround to this? This is very critical to our operation, as there may not be a way for us to have all of our accounts in one common group.
Only one LDAP Configuration can exist per Domain.
The User Filter can contain wildcards. For example, to only find users where the first name starts with the letter J, the User Filter would be: givenname=j*. Another example is to find users that contain an email address: mail=*.
You may be able to find users that are a member of one of two Groups (Archer Global Users or Other Archer Group) like the following User Filter example. The pipe (|) means OR.
(|(memberof=CN=Archer Global Users,OU=Archer,OU=Groups,DC=archer,DC=local)(memberof=CN=Other Archer Group,OU=Groups,DC=archer,DC=local))
For more info on LDAP Syntax, check out Active Directory: LDAP Syntax Filters.
Also check out this post too: LDAP Configuration Error - Domain Must be Unique.
My filter was just (memberOf=CN=myGROUPNAME,OU=myOU,DC=Domain,DC=com)
When I change to (memberOf=CN=*GROUP*,...) the sync starts then immediately finishes (no error.)
I've tried various ways of getting it to work with a * but it just doesn't like it. This directly contrasts the group filter, which doesn't mind the * at all. I will give your "or" example a shot and report back. That may actually work better for me, but I'm stumped as to why the same filter that works in Groups isn't working for me with Users.
From memory, wildcard searches are not allowed on DN syntax attributes like memberOf.
If you only have 2 groups then I would use the Or type filter suggested by Jeff earlier.
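An added example, not part of the original thread and not RSA Archer code: it builds the OR-of-memberOf user filter suggested above for any number of group DNs, escaping each DN per RFC 4515, and flags the substring-wildcard pattern on DN-syntax attributes that the last reply describes. The function names and the DN_SYNTAX_ATTRS list are assumptions chosen for illustration.

```python
import re

# Assumed sample of common AD attributes that use DN syntax (not exhaustive).
DN_SYNTAX_ATTRS = {"memberof", "member", "manager", "distinguishedname"}

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matches simple "(attr=value)" items; compound "(|...)" / "(&...)" wrappers are skipped.
_SIMPLE_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9;.-]*)\s*=([^()]*)\)")


def escape_filter_value(value):
    """Escape a literal value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_any(group_dns):
    """Return a filter matching direct members of any of the given group DNs."""
    dns = [dn.strip() for dn in group_dns if dn.strip()]
    if not dns:
        raise ValueError("at least one group DN is required")
    clauses = ["(memberOf=%s)" % escape_filter_value(dn) for dn in dns]
    # A single group needs no OR wrapper.
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def dn_attrs_with_wildcards(ldap_filter):
    """List DN-syntax attributes used with a substring wildcard in the filter.

    A bare presence test such as (memberOf=*) is not flagged.
    """
    flagged = []
    for attr, value in _SIMPLE_ITEM.findall(ldap_filter):
        if attr.lower() in DN_SYNTAX_ATTRS and "*" in value and value.strip() != "*":
            flagged.append(attr)
    return flagged


if __name__ == "__main__":
    # Group DNs taken from the filter quoted earlier in the thread.
    groups = [
        "CN=Archer Global Users,OU=Archer,OU=Groups,DC=archer,DC=local",
        "CN=Other Archer Group,OU=Groups,DC=archer,DC=local",
    ]
    print(member_of_any(groups))
    print(dn_attrs_with_wildcards("(memberOf=CN=*GROUP*,OU=myOU,DC=Domain,DC=com)"))
```
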