LDAP filtering and the OR operator

Feb 2, 2016 at 8:54 PM
Hello folks,

I have configured LDAPCP in a test environment to connect to a non-domain LDAP server. I was attempting to apply a filter to only retrieve results for objects that are members of one of two security groups (and the groups exist in different domains). Using a filter similar to the example provided:
(!(objectClass=computer))(memberOf=CN=ADFSMSPROJECT,OU=Security Groups,DC=OrgNameA,DC=local)
I see only results for users who are members of the security group ADFSMSPROJECT as expected.

When I complicate the filter a bit, for instance:
(!(objectClass=computer))((memberOf=CN=ADFSMSPROJECT,OU=Security Groups,DC=OrgNameA,DC=local)|(memberOf=CN=ADFSMSPROJECT,OU=Security Groups,OU=MyBusiness,DC=OrgNameB,DC=local))
I see no results returned. Even users who would have been recognized in application of the first filter are no longer found.

Did I miss some part of the syntax, or is there something else I am breaking with this filter? Is there a better strategy to limit user recognition when working with multiple domains?

Feb 4, 2016 at 1:46 PM
You can filter SharePoint logs on product/area "LDAPCP" and you'll see the exact LDAP query submitted.
Then you can replay/analyze it to understand why it's not working.
Marked as answer by Yvand on 3/9/2016 at 4:26 AM

Feb 4, 2016 at 6:18 PM
Edited Feb 4, 2016 at 6:18 PM
Hello Yvand,

Thanks for the tip. I was able to successfully review logs to identify the error in my LDAP filter syntax. The OR bar ( | ) must be placed before the two logical statements:
(!(objectClass=computer))(|(memberOf=CN=ADFSMSPROJECT,OU=Security Groups,DC=OrgNameA,DC=local)(memberOf=CN=ADFSMSPROJECT,OU=Security Groups,OU=MyBusiness,DC=OrgNameB,DC=local))
This syntax works successfully. Lesson learned: more coffee before LDAP.

Marked as answer by Yvand on 3/9/2016 at 4:26 AM
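The whole thread turns on one property of LDAP search filters (RFC 4515): operators are written in prefix form, so `|` goes before its operands, and `((a)|(b))` is not a filter at all. The following is an added example, not code from the thread or from LDAPCP: a minimal filter parser and evaluator that rejects the malformed filter from the second post with a pointer to the offending character, and evaluates the corrected filter against constructed directory entries. It assumes that LDAPCP combines the additional filter into a larger `(&...)` query, so both fragments are wrapped in an outer AND here to make them complete filters; the entry data, the `parse_filter`, `evaluate`, `matching_entries` and `syntax_error` names, and the `FilterSyntaxError` class are all constructed for the example.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator (added example).

Supports the &, |, ! operators and simple equality / presence assertions.
It exists to show why "((a)|(b))" is rejected while "(|(a)(b))" is accepted.
Value escaping (\\28, \\29, \\2a, \\5c) is deliberately not implemented.
"""
import re

# Simplified attribute description: a name or a numeric OID (RFC 4512).
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*|\d+(\.\d+)*")


class FilterSyntaxError(ValueError):
    """Raised when the filter does not follow RFC 4515 prefix notation."""


def parse_filter(text):
    """Parse a filter string into a nested tuple tree.

    Node shapes: ("&"|"|", [children]), ("!", [child]), ("=", attr, value).
    """
    s = text.strip()
    node, pos = _parse_item(s, 0)
    if pos != len(s):
        raise FilterSyntaxError(f"trailing characters at offset {pos}: {s[pos:]!r}")
    return node


def _parse_item(s, pos):
    """Parse one parenthesised item starting at s[pos]; return (node, next_pos)."""
    if pos >= len(s) or s[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise FilterSyntaxError("unexpected end of filter")
    op = s[pos]
    if op in "&|":
        # Prefix operator: the operands follow it, each in its own parentheses.
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse_item(s, pos)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"'{op}' needs at least one operand at offset {pos}")
        node = (op, children)
    elif op == "!":
        child, pos = _parse_item(s, pos + 1)
        node = ("!", [child])
    else:
        # Simple assertion "attr=value"; the value may itself contain '=' and ','
        # (as a DN does), so split only on the first '='.
        end = s.find(")", pos)
        if end == -1:
            raise FilterSyntaxError("missing ')'")
        item = s[pos:end]
        if "=" not in item:
            raise FilterSyntaxError(f"bad assertion {item!r} at offset {pos}")
        attr, value = item.split("=", 1)
        if not _ATTR_RE.fullmatch(attr):
            # This is where "((memberOf=...)|..." fails: the attribute is "(memberOf".
            raise FilterSyntaxError(f"invalid attribute name {attr!r} at offset {pos}")
        node = ("=", attr, value)
        pos = end
    if pos >= len(s) or s[pos] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {pos}")
    return node, pos + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> list of values).

    Matching is case-insensitive, which approximates Active Directory's
    behaviour for DN-valued attributes such as memberOf.
    """
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":          # presence test
        return bool(values)
    return value.lower() in values


GROUP_A = "CN=ADFSMSPROJECT,OU=Security Groups,DC=OrgNameA,DC=local"
GROUP_B = "CN=ADFSMSPROJECT,OU=Security Groups,OU=MyBusiness,DC=OrgNameB,DC=local"

# Constructed sample entries, not real directory data.
ENTRIES = {
    "alice": {"objectClass": ["user", "person"], "memberOf": [GROUP_A]},
    "bob": {"objectClass": ["user", "person"], "memberOf": [GROUP_B]},
    "carol": {"objectClass": ["user", "person"], "memberOf": []},
    "srv01": {"objectClass": ["computer"], "memberOf": [GROUP_A]},
}

# The two fragments from the thread, wrapped in an outer AND so each is a complete
# filter (assumption: LDAPCP combines its additional filter into a larger AND).
BROKEN = f"(&(!(objectClass=computer))((memberOf={GROUP_A})|(memberOf={GROUP_B})))"
FIXED = f"(&(!(objectClass=computer))(|(memberOf={GROUP_A})(memberOf={GROUP_B})))"


def matching_entries(filter_text, entries=ENTRIES):
    """Return the sorted names of entries that the filter selects."""
    tree = parse_filter(filter_text)
    return sorted(name for name, attrs in entries.items() if evaluate(tree, attrs))


def syntax_error(filter_text):
    """Return the parser's error message, or None when the filter is well-formed."""
    try:
        parse_filter(filter_text)
    except FilterSyntaxError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("broken :", syntax_error(BROKEN))
    print("fixed  :", matching_entries(FIXED))
```

Running it shows the malformed filter failing at the `(memberOf` token, which is the parser's way of saying that an operator was expected after the first `(`, while the corrected filter selects both group members and excludes the computer object. A real LDAP server rejects the malformed filter in the same spirit, which is why the broken configuration returned no results rather than partial ones; the query captured from the logs, as suggested in the accepted answer, is the right thing to feed to a checker like this.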