Purpose
This document outlines how to construct a more sophisticated filter for the User Object Filter and Group Object Filter attributes in your LDAP configuration for Atlassian applications.
What is a filter?
Filters can be used to restrict the number of users or groups that are permitted to access an application. In essence, the filter limits what part of the LDAP tree the application syncs from.
A filter can and should be written for both user and group membership. This ensures that you are not flooding your application with users and groups that do not need access.
Solution
When constructing a filter it is best to pick a common attribute of the set of users you want to allow access to the application. This is most often the attribute that denotes group membership, or an objectClass like "Person".
Info: The attribute used to denote membership in a group is not common to all flavors of LDAP. Examples of this attribute are "groupMembership" or "Member".
How do I match more than one attribute?
For example, if my users are distinguished by having two objectClass values (one equal to 'person' and another to 'user'), this is how I would match for it:
    (&(objectClass=person)(objectClass=user))
Notice the ampersand symbol '&' at the start. Translated, this means: search for objectClass=person AND objectClass=user.
Alternatively:
    (|(objectClass=person)(objectClass=user))
Translated, this means: search for objectClass=person OR objectClass=user.
The pipe symbol '|' denotes 'OR'. As this is not a special XML character, it should not need escaping.
Wildcards
    (&(objectClass=user)(cn=*Marketing*))
This means: search for all entries that have objectClass=user AND a cn that contains the word 'Marketing'.
Info: Wildcards cannot be used in filters that use the ! (NOT) logical operator. See below.
How do I match 3 attributes?
Just add an extra clause:
    (&(objectClass=user)(objectClass=top)(objectClass=person))
Extra clauses can be added for more than three attributes too.
Matching Components of Distinguished Names
Info: As Microsoft Active Directory does not implement extensible matching, the following examples won't work with it.
You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.
    (&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
This will find groups whose DN has an OU component of either 'Chicago' or 'Miami'.
Using 'not'
To exclude entries that match an expression, use '!'. For example:
    (&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))
This will find all Chicago groups except those with a Wrigleyville OU component.
Sample Filters
These filters are written for Active Directory. To use them with another directory such as OpenLDAP, the attributes will need to be changed.
This will only synchronise users in the 'CaptainPlanet' group; it should be applied to the User Object Filter:
    (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))
And this will search for users that are a member of this group, either directly or via nesting:
    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=CaptainPlanet,ou=users,dc=company,dc=com))
Important: on Active Directory you must keep the memberOf:1.2.840.113556.1.4.1941 form if you want to find members of groups nested inside the CaptainPlanet group (do not replace the numeric string).
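To check what a filter admits before putting it in a directory configuration, here is an added example (not part of this page or of any Atlassian product) in Python: a small evaluator for the plain filter syntax described above (&, |, !, attr=value, the '*' wildcard and the attr=* presence test) run against constructed sample entries. It deliberately rejects the extensible forms (attr:dn:= and the memberOf:1.2.840.113556.1.4.1941:= nested-group rule), and case-insensitive value matching is an assumption made to mirror AD string attributes.

```python
import re

def _eval(text, pos, entry):
    """Evaluate the sub-filter starting at text[pos] ('('); return (bool, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":                          # logical operator applied to sub-filters
        pos += 1
        results = []
        while text[pos] == "(":
            r, pos = _eval(text, pos, entry)
            results.append(r)
        if op == "!" and len(results) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        result = all(results) if op == "&" else any(results) if op == "|" else not results[0]
    else:                                    # simple item: attr=value, '*' is the wildcard
        end = text.index(")", pos)
        attr, _, pattern = text[pos:end].partition("=")
        if ":" in attr:                      # attr:dn:= and attr:OID:= forms are out of scope
            raise ValueError(f"extensible match not supported: {attr}")
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        if pattern == "*":                   # presence test, e.g. (sAMAccountName=*)
            result = bool(values)
        else:                                # case-insensitive match (assumption, as for AD strings)
            regex = ".*".join(re.escape(p) for p in pattern.split("*"))
            result = any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return result, pos + 1

def matches(filter_text, entry):
    """True if the whole filter admits the entry (dict: attribute -> list of values)."""
    result, end = _eval(filter_text, 0, entry)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return result

# Constructed sample entries, not data from any real directory.
ENTRIES = {
    "alice": {"objectClass": ["top", "person", "user"], "objectCategory": ["Person"],
              "cn": ["Alice Marketing"], "sAMAccountName": ["alice"],
              "memberOf": ["cn=CaptainPlanet,ou=users,dc=company,dc=com"]},
    "bob": {"objectClass": ["top", "person"], "objectCategory": ["Person"],
            "cn": ["Bob Sales"], "sAMAccountName": ["bob"]},
    "svc": {"objectClass": ["top", "user"], "cn": ["svc-marketing-bot"]},
}

def select(filter_text, entries=ENTRIES):
    return sorted(n for n, e in entries.items() if matches(filter_text, e))
```

Running the page's AND, OR, wildcard and NOT filters through select() shows which of the three sample entries each one would sync.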