Thank you for your help, Jim.

On Fri, Sep 29, 2023 at 12:51 AM Jim Willeke <j...@willeke.com> wrote:

> *1. Moreover, the LDAP data does have "directReports" properties, so is
> there a way to use this property instead of "manager=xxx"?*
>
> No. The "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) only works
> with what Microsoft calls forward links
> <https://ldapwiki.com/wiki/Wiki.jsp?page=LinkID> and not backward links.
>
> *2. Also, the query got matched to some false positives, also I had a
> requirement (objectCategory=person). The data contains utility accounts,
> e.g., "~MEETING-ROOM.XXX", and these items are mistakenly labeled as person
> in category. So, are there any common practices we use to filter them out?
> I can manually pick them out this time, but it would be hard next time on a
> bigger scope.*
>
> Try something like:
>
> (&(sAMAccountType=805306368)(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com))
>
> or
>
> (&(objectCategory=person)(objectClass=user)(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com))
>
> Should limit to Users
> <https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20User%20Related%20Searches>.
>
> BTW: "LDAP_MATCHING_RULE_IN_CHAIN" (1.2.840.113556.1.4.1941) is a
> Microsoft only thing as far as I know.
>
> --
> -jim
> Jim Willeke
>
>
> On Thu, Sep 28, 2023 at 7:32 PM Mike Zhao <178...@gmail.com> wrote:
>
>> Hi, Jim,
>>
>> The example query works, and yes, I need to explicitly use
>> "1.2.840.113556.1.4.1941" because the Active Directory server doesn't
>> respond to name "LDAP_MATCHING_RULE_IN_CHAIN". Thank you for your
>> directions.
>>
>> *More Questions:*
>>
>> 1. Moreover, the LDAP data does have "directReports" properties, so is
>> there a way to use this property instead of "manager=xxx"?
>>
>> 2. Also, the query got matched to some false positives, also I had a
>> requirement (objectCategory=person). The data contains utility accounts,
>> e.g., "~MEETING-ROOM.XXX", and these items are mistakenly labeled as
>> person in category. So, are there any common practices we use to
>> filter them out? I can manually pick them out this time, but it would be
>> hard next time on a bigger scope.
>>
>> Thank you again for your help.
>>
>> On Thu, Sep 28, 2023 at 3:37 AM Jim Willeke <j...@willeke.com> wrote:
>>
>>> Try this:
>>> LDAP_MATCHING_RULE_IN_CHAIN Example
>>> Query All users that report to a department manager or their
>>> subordinates.
>>>
>>> (manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)
>>>
>>> And you will also probably need this:
>>> Anomaly: DirectReports but no Manager
>>> It is a little strange to have an entry which has DirectReports but
>>> lacks a manager. Could be this is the top person in the Organizational
>>> Entity or something is amiss.
>>>
>>> ldapsearch -H ldaps://serverdc.example.com:636 -x -D "admin...@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))" "objectClass"
>>>
>>> From:
>>> https://ldapwiki.com/wiki/Wiki.jsp?page=LDAP_MATCHING_RULE_IN_CHAIN
>>>
>>> --
>>> -jim
>>> Jim Willeke
>>>
>>>
>>> On Thu, Sep 28, 2023 at 5:03 AM Mike Zhao <178...@gmail.com> wrote:
>>>
>>>> Hi, All,
>>>>
>>>> For internal billing purposes, we need to find all the employees
>>>> directly and indirectly reporting to the director.
>>>>
>>>> For example, the branch's director is item A in LDAP (Active Directory),
>>>> and item B has property "manager=A", so B directly reports to A.
>>>> Moreover, item C has property "manager=B", so C reports to A as well
>>>> indirectly. In the mini example, director A's team includes B and C.
>>>>
>>>> To start from the director's item in LDAP and iteratively find all the
>>>> employees under him through the relation of "manager=xxx" property. The
>>>> data structure is like a multi-children tree, and our first thought is
>>>> to write a python script and implement a BFS (breadth-first search).
>>>>
>>>> However, before re-inventing any wheels, we hope to double-check whether
>>>> there is a way to do it within the built-in functions of Apache
>>>> Directory Studio.
>>>>
>>>> We highly appreciate any hints and suggestions.
>>>>
>>>
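As an added example (not code from the thread), a small Python script that builds the Active Directory filter Jim suggests, with RFC 4515 escaping of the manager DN so a DN containing `(`, `)`, `*` or `\` cannot break the filter, and a breadth-first search over forward "manager" links as the fallback Mike proposed for directories that lack 1.2.840.113556.1.4.1941. The entries in SAMPLE_DIRECTORY and their DNs are constructed for illustration.

```python
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
SAM_NORMAL_USER_ACCOUNT = "805306368"   # sAMAccountType value for ordinary user objects


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def reports_filter(manager_dn: str) -> str:
    """AD filter for all user accounts reporting, directly or transitively, to manager_dn.

    Restricting on sAMAccountType drops utility objects that merely carry
    objectCategory=person but are not user accounts.
    """
    return "(&(sAMAccountType=%s)(manager:%s:=%s))" % (
        SAM_NORMAL_USER_ACCOUNT, LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(manager_dn))


def transitive_reports(entries: dict, manager_dn: str) -> list:
    """BFS over the forward 'manager' link, for servers without the chain rule.

    entries maps DN -> attribute dict. The 'seen' set guards against cycles
    (e.g. two entries naming each other as manager), which would otherwise
    loop forever.
    """
    by_manager = {}   # manager DN -> DNs of its direct reports (user accounts only)
    for dn, attrs in entries.items():
        if attrs.get("sAMAccountType") == SAM_NORMAL_USER_ACCOUNT and "manager" in attrs:
            by_manager.setdefault(attrs["manager"], []).append(dn)
    seen, queue = set(), deque([manager_dn])
    while queue:
        for report in by_manager.get(queue.popleft(), []):
            if report not in seen:
                seen.add(report)
                queue.append(report)
    return sorted(seen)


# Constructed sample: A is the director, B reports to A, C to B, D to C; the
# meeting-room object is categorised as a person but is not a user account.
SAMPLE_DIRECTORY = {
    "CN=A,DC=example,DC=com": {"sAMAccountType": SAM_NORMAL_USER_ACCOUNT},
    "CN=B,DC=example,DC=com": {"sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "manager": "CN=A,DC=example,DC=com"},
    "CN=C,DC=example,DC=com": {"sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "manager": "CN=B,DC=example,DC=com"},
    "CN=D,DC=example,DC=com": {"sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "manager": "CN=C,DC=example,DC=com"},
    "CN=~MEETING-ROOM.1,DC=example,DC=com": {"objectCategory": "person", "manager": "CN=A,DC=example,DC=com"},
}

if __name__ == "__main__":
    print(reports_filter("CN=A,DC=example,DC=com"))
    print(transitive_reports(SAMPLE_DIRECTORY, "CN=A,DC=example,DC=com"))
```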