I have users in AD with memberOf attributes having either cn=ad-users103,ou=hr,ou=groups,dc=mycorp,dc=com or cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com. I'd like to use a filter like cn=ad-users* but it's not returning results. I'm using ldapsearch in Linux to test my filter.
I've tried using a filter like this which returns user info:
ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com"
When I add a wildcard (taking example here), I don't get any results:
ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users*"
I've tried moving the splat to different positions in the filter to no avail. Should a search work this way or do I need to use something like (&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...)) instead?
The memberOf is a distinguishedName attribute value and wildcards are not supported on distinguishedNames as shown here: https://stackoverflow.com/a/28984362/88122
And I think your AND search of
(&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))
should be an OR search:
(|(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))
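As an added example (not part of the question or the answer above), the following builds the OR filter the answer recommends from a list of group names, escaping each value per RFC 4515 so that a stray "*" or ")" in a group name cannot alter the filter, and shows locally that a DN-valued attribute like memberOf is matched by full-DN equality only. It assumes the group container ou=hr,ou=groups,dc=mycorp,dc=com from the question; the DN normalization is a deliberate simplification of real DN matching rules.

```python
from typing import Iterable

# Group container taken from the question.
GROUP_BASE = "ou=hr,ou=groups,dc=mycorp,dc=com"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP search filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_cns: Iterable[str], base: str = GROUP_BASE) -> str:
    """Return a filter matching entries whose memberOf equals any listed group DN.

    memberOf has DN syntax, so each group must be given as its full DN and is
    compared for equality; a substring filter such as cn=ad-users* is not
    supported on DN-valued attributes.
    """
    clauses = []
    for cn in group_cns:
        dn = f"cn={cn},{base}"
        clauses.append(f"(memberOf={escape_filter_value(dn)})")
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lowercase and trim whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matches_any_group(entry_member_of: Iterable[str], group_cns: Iterable[str],
                      base: str = GROUP_BASE) -> bool:
    """Local model of DN equality matching: True if any memberOf value equals a wanted group DN."""
    wanted = {normalize_dn(f"cn={cn},{base}") for cn in group_cns}
    return any(normalize_dn(dn) in wanted for dn in entry_member_of)


if __name__ == "__main__":
    print(member_of_filter(["ad-users103", "ad-users203"]))
```

The printed filter can be passed directly to ldapsearch in place of the wildcard filter from the question.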