Hello,
Today we had a question from a customer in good old Germany:
how can i create a single LDAP Group connector (the one used to list groups and their members, something needed for Awareness Trainings) that can pick up groups in many different OUs?
Their groups would be in different OUs:
OU=Finance,DC=corp,DC=eramba,DC=org
OU=HR,DC=corp,DC=eramba,DC=org
etc … their initial approach was to create one Group connector per OU … so the query to pull members of each group would be:
(&(objectCategory=user)(memberOf=CN=%GROUP%,OU=Finance,DC=corp,DC=eramba,DC=org))
but then with a little bit of thinking we changed the query so %GROUP% would contain the full DN, not just the name of the group, the filter for getting the list of members is like this:
(&(objectCategory=user)(memberOf=%GROUP%))
In this case we dont tie ourselves to a specific OU but to the whole AD.
To make this change we changed the changed the attribute to get the name of the group from “CN” (which is what we typically used to “distinguishedName”)
Voila … it worked so far quite well. One Group Connector is now useful to any group in the AD.