
LDAP CSS: Multiple or more OU matches for users

Hi, I am not sure whether this is a configuration issue, bug, or an enhancement request:

We have a customer with AD/LDAP on which we have connected the CSS for user authentication.

The main user (cn) credentials are in ou=Users, o=Customer. So apparently this ou is on top level.

There are special accounts we would like to grant access as well. A certain group resides in

ou=Users,ou=e-Directory,ou=Services,o=Customer

Also a Users ou, but in another branch.

I cannot figure out how to combine this in CSS. In the User Settings Search base, I cannot combine (with OR) the DNs. And CSS apparently does not retrieve from all OUs named Users.

If I use the Softerra LDAP browser, I can do a Directory Search with Search DN: ou=Users, and it will return users from any/both Users OUs. CSS does not.

If I change the User search base to ou=Services instead of Users, it will find the users in ou=Users,ou=e-Directory,ou=Services,o=Customer

Is it possible to use two or more locations somehow?

Or how do I specify to search from top level? Apparently I cannot use o=Customer as search base:
LDAP error when performing search:
Unable to complete LDAP query, error in name/search base.

Actually CSS should find users from all ou=Users occurrences, just like Softerra does. That might be an enhancement request.

Current settings:

LDAP server type: Other

Search settings
LDAP server type: o=Customer

Group Settings

  • Search base: ou=AccessControl
  • Search filter: (&({0}={1})(objectClass=groupOfNames))

Group attribute mappings

  • Group name: cn
  • Description: description

User Settings:

  • Search base: ou=Users
  • Search filter: (&(uid={0})(objectClass=Person))

User attribute mappings

  • Username: uid
  • Email address: mail
  • First name: cn
  • Last name: sn

User group membership

  • Search filter: (member={0})
  • Search base: ou=AccessControl

Test search on username in second ou:

LDAP error when performing search: Could not find LDAP user with
username: [specialuser] with LDAP URL: [ldaps://ldap.customer.org:636/o=customer],
with usernameAttribute: [uid] and userSearchBase: [ou=Users].

1 REPLY 1

adam_piotrowicz
Dynatrace Pro

Please take a look at the LDAP doc page that says:

If you leave User search base empty, user searches will look under the sub-tree set by Base DN.

I hope that will resolve the searching problem in many branches.
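
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Dynatrace code: a small in-memory model of a subtree search. It assumes the user search base is relative and is prepended to the Base DN (as the error message's URL and userSearchBase suggest); the entries and the `dupuser` account are constructed. It also shows the check worth keeping once the search covers the whole tree: a uid that matches in more than one branch must be refused, not silently resolved.

```python
# Constructed directory (DN -> uid). Only the OU layout comes from the thread.
DIT = {
    "cn=jdoe,ou=Users,o=Customer": "jdoe",
    "cn=specialuser,ou=Users,ou=e-Directory,ou=Services,o=Customer": "specialuser",
    "cn=dup1,ou=Users,o=Customer": "dupuser",
    "cn=dup2,ou=Users,ou=e-Directory,ou=Services,o=Customer": "dupuser",
}


def rdns(dn):
    """Split a DN into normalised RDNs (lower-case, trimmed). Escaped commas are not handled."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def effective_base(base_dn, user_search_base):
    """Assumption: a relative search base is prepended to the Base DN; empty means the Base DN."""
    return rdns(user_search_base) + rdns(base_dn)


def subtree_search(base_dn, user_search_base, uid):
    """Return DNs with a matching uid located at or below the effective base (subtree scope)."""
    base = effective_base(base_dn, user_search_base)
    hits = []
    for dn, entry_uid in DIT.items():
        parts = rdns(dn)
        # An entry is in the subtree only if its DN ends with the base DN's RDNs.
        if entry_uid == uid and parts[len(parts) - len(base):] == base:
            hits.append(dn)
    return sorted(hits)


def resolve_user(base_dn, user_search_base, uid):
    """Login lookup: exactly one entry must match; missing or ambiguous users are refused."""
    hits = subtree_search(base_dn, user_search_base, uid)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match uid={uid}")
    return hits[0]


if __name__ == "__main__":
    for search_base in ("ou=Users", "ou=Services", ""):
        found = subtree_search("o=Customer", search_base, "specialuser")
        print(f"search base {search_base!r}: {found}")
```

With the search base widened to the whole tree, uid uniqueness across branches becomes a precondition for safe authentication, which is why `resolve_user` rejects anything other than a single match.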