*1. Moreover, the LDAP data does have "directReports" properties, so is there a way to use this property instead of "manager=xxx"?*

No. The "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) only works with what Microsoft calls forward links <https://ldapwiki.com/wiki/Wiki.jsp?page=LinkID> and not backward links.

*2. Also, the query got matched to some false positives, also I had a requirement (objectCategory=person). The data contains utility accounts, e.g., "~MEETING-ROOM.XXX", and these items are mistakenly labeled as person in category. So, are there any common practices we use to filter them out? I can manually pick them out this time, but it would be hard next time on a bigger scope.*

Try something like:

(&(sAMAccountType=805306368)(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com))

or

(&(objectCategory=person)(objectClass=user)(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com))

Should limit to Users <https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20User%20Related%20Searches>.

BTW: "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) is a Microsoft only thing as far as I know.

--
-jim
Jim Willeke

On Thu, Sep 28, 2023 at 7:32 PM Mike Zhao <178...@gmail.com> wrote:
> Hi, Jim,
>
> The example query works, and yes, I need to explicitly use "1.2.840.113556.1.4.1941" because the Active Directory server doesn't respond to name "LDAP_MATCHING_RULE_IN_CHAIN". Thank you for your directions.
>
> *More Questions:*
>
> 1. Moreover, the LDAP data does have "directReports" properties, so is there a way to use this property instead of "manager=xxx"?
>
> 2. Also, the query got matched to some false positives, also I had a requirement (objectCategory=person). The data contains utility accounts, e.g., "~MEETING-ROOM.XXX", and these items are mistakenly labeled as person in category. So, are there any common practices we use to filter them out? I can manually pick them out this time, but it would be hard next time on a bigger scope.
>
> Thank you again for your help.
>
> On Thu, Sep 28, 2023 at 3:37 AM Jim Willeke <j...@willeke.com> wrote:
>> Try this:
>> LDAP_MATCHING_RULE_IN_CHAIN Example
>> Query All users that report to a department manager or their subordinates.
>>
>> (manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)
>>
>> And you will also probably need this:
>> Anomaly: DirectReports but no Manager
>> It is a little strange to have an entry which has DirectReports but lacks a manager. Could be this is the top person in the Organizational Entity or something is amiss.
>>
>> ldapsearch -H ldaps://serverdc.example.com:636 -x -D "admin...@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))" "objectClass"
>>
>> From: https://ldapwiki.com/wiki/Wiki.jsp?page=LDAP_MATCHING_RULE_IN_CHAIN
>>
>> --
>> -jim
>> Jim Willeke
>>
>> On Thu, Sep 28, 2023 at 5:03 AM Mike Zhao <178...@gmail.com> wrote:
>>> Hi, All,
>>>
>>> For internal billing purposes, we need to find all the employees directly and indirectly reporting to the director.
>>>
>>> For example, the branch's director is item A in LDAP (Active Directory), and item B has property "manager=A", so B directly reports to A. Moreover, item C has property "manager=B", so C reports to A as well indirectly. In the mini example, director A's team includes B and C.
>>>
>>> To start from the director's item in LDAP and iteratively find all the employees under him through the relation of "manager=xxx" property. The data structure is like a multi-children tree, and our first thought is to write a python script and implement a BFS (breadth-first search).
>>>
>>> However, before re-inventing any wheels, we hope to double-check whether there is a way to do it within the built-in functions of Apache Directory Studio.
>>>
>>> We highly appreciate any hints and suggestions.
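The following is an added example, not code from the thread or from Apache Directory Studio. It models the manager/directReports tree in memory so the points in the exchange can be checked offline: the two filter strings Jim suggests, what the matching rule selects (every entry whose manager chain, followed upward along the forward link, reaches the director), the breadth-first search Mike planned over the derived directReports back link (which yields the same set), why a bare objectCategory=person predicate admits a utility entry while the sAMAccountType or objectClass=user predicate drops it, and Jim's "directReports but no manager" anomaly check. All DNs and entries are constructed sample data; the meeting-room account is modelled as a contact object as one plausible reason such entries match objectCategory=person, which is an assumption about the real data.

```python
"""Added example (not from the thread): in-memory model of AD manager links.
Entries, DNs and the contact-object modelling of the utility account are
constructed assumptions, not real directory content."""
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # OID from the thread
SAM_NORMAL_USER_ACCOUNT = 805306368                      # value from Jim's filter
BASE = "OU=Managed,OU=Accounts,DC=willeke,DC=com"        # DN suffix used in the thread


def dn(cn):
    return f"CN={cn},{BASE}"


def user(cn, manager_cn=None):
    """Constructed normal user entry; 'manager' is the forward link stored on it."""
    return dn(cn), {"objectCategory": "person",
                    "objectClass": ["top", "person", "organizationalPerson", "user"],
                    "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
                    "manager": dn(manager_cn) if manager_cn else None}


# Constructed directory: Jim -> Ann -> Bob, Jim -> Cat; Eve -> Dan is a separate tree.
# The meeting-room entry is a contact (objectCategory=person, no sAMAccountType).
DIRECTORY = dict([
    user("Jim"), user("Ann", "Jim"), user("Bob", "Ann"), user("Cat", "Jim"),
    user("Eve"), user("Dan", "Eve"),
    (dn("~MEETING-ROOM.XXX"), {"objectCategory": "person",
                                "objectClass": ["top", "person", "organizationalPerson", "contact"],
                                "manager": dn("Ann")}),
])


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def chain_filter(manager_dn, by_sam_type=True):
    """The filter Jim suggests, in either of its two forms."""
    chain = f"(manager:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(manager_dn)})"
    if by_sam_type:
        return f"(&(sAMAccountType={SAM_NORMAL_USER_ACCOUNT}){chain})"
    return f"(&(objectCategory=person)(objectClass=user){chain})"


def is_normal_user(entry):
    return entry.get("sAMAccountType") == SAM_NORMAL_USER_ACCOUNT


def is_person_user(entry):
    return entry.get("objectCategory") == "person" and "user" in entry.get("objectClass", [])


def manager_chain(directory, entry_dn):
    """Follow the forward link upward: manager, manager's manager, ... (cycle-safe)."""
    seen, cur = set(), directory[entry_dn].get("manager")
    while cur in directory and cur not in seen:
        seen.add(cur)
        yield cur
        cur = directory[cur].get("manager")


def match_in_chain(directory, manager_dn, keep=is_normal_user):
    """What the matching-rule filter selects: entries whose manager chain contains manager_dn."""
    return sorted(d for d, e in directory.items()
                  if keep(e) and manager_dn in manager_chain(directory, d))


def direct_reports(directory):
    """Derive the directReports back link from the stored manager forward links."""
    reports = {d: [] for d in directory}
    for d, entry in directory.items():
        if entry.get("manager") in reports:
            reports[entry["manager"]].append(d)
    return reports


def bfs_reports(directory, director_dn, keep=is_normal_user):
    """Mike's plan: breadth-first search downward from the director over directReports."""
    reports, found = direct_reports(directory), []
    queue, seen = deque([director_dn]), {director_dn}
    while queue:
        for child in reports[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
                if keep(directory[child]):
                    found.append(child)
    return sorted(found)


def reports_without_manager(directory):
    """Jim's anomaly check: entries that have directReports but no manager."""
    reports = direct_reports(directory)
    return sorted(d for d, e in directory.items() if reports[d] and not e.get("manager"))


if __name__ == "__main__":
    jim = dn("Jim")
    print(chain_filter(jim))
    print(chain_filter(jim, by_sam_type=False))
    print("matching rule  :", match_in_chain(DIRECTORY, jim))
    print("BFS            :", bfs_reports(DIRECTORY, jim))
    print("person only    :", match_in_chain(DIRECTORY, jim, keep=lambda e: e.get("objectCategory") == "person"))
    print("no manager     :", reports_without_manager(DIRECTORY))
```

Both traversals return Ann, Bob and Cat for Jim; the meeting-room entry appears only when the predicate is just objectCategory=person, and the anomaly check reports Jim and Eve as tree roots, which is the "top person or something amiss" case Jim describes.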