How To use Group Filters when Configuring LDAP
Resolution
Overview
On the Device Tab, in the User Identification page, when configuring the Group Mapping, there is a Group Filter field available (GUI: Device > User Identification > Group Mapping > Server Profile). This field can be used to search and return group membership matching specific attributes. This is especially useful in very large LDAP deployments. The Group Filter field is limited to 1024 characters.
Here are some search examples:
- All groups that have a specific description: description=Marketing
- A specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
- A specific Common Name: CN=SSLVPN
Note: More than one group can have the same common name but be in a different area of the LDAP structure.
The following groups have the same Common Name but different distinguished names:
- distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
- distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org
It is also possible to search for more than one attribute at a time. A pipe "|" can be used as an "or" operator, while an ampersand "&" can be used as an "and". The operator is placed in front of the parenthesized terms it combines.
The following two OR searches return the same results:
- |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
- |(CN=SSLVPN)(CN=PanAdmins)
These searches return the members of both the SSLVPN and PanAdmins groups.
Wildcards can also be used; an asterisk "*" matches any run of characters, so this filter matches the same two groups: |(CN=SSLVP*)(CN=*anAdmins)
Note: You cannot filter by OUs (organizational units).
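As an added example (not from this article or from PAN-OS), here is a small Python evaluator for the filter syntax above, run against a constructed group list that contains the two SSLVPN groups from the note on duplicate Common Names; `search` returns the distinguishedName of every group a filter matches.

```python
"""Evaluator for the LDAP filter syntax used in the Group Filter field (added example)."""
import re

# Constructed sample directory: two groups share CN=SSLVPN but sit in different containers.
GROUPS = [
    {"distinguishedName": "CN=SSLVPN,CN=Users,DC=example,DC=org", "cn": "SSLVPN", "description": "Remote access"},
    {"distinguishedName": "CN=SSLVPN,CN=marketing,DC=example,DC=org", "cn": "SSLVPN", "description": "Marketing"},
    {"distinguishedName": "CN=PanAdmins,CN=Users,DC=example,DC=org", "cn": "PanAdmins", "description": "Firewall admins"},
]

def parse(filt):
    """Parse an RFC 4515 style filter; the outer parentheses are optional, as in the field."""
    s = filt.strip()
    if not s.startswith("("):
        s = "(" + s + ")"
    return _parse_node(s, 0)[0]

def _parse_node(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":              # compound filter: operator followed by child filters
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_node(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("missing ')' after compound filter")
        return (op, kids), i + 1
    end = s.index(")", i)         # simple filter: attr=value (the value may itself contain '=')
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip(), val.strip()), end + 1

def _glob(pattern, value):
    """'*' is the only wildcard; attribute names and values compare case-insensitively here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    return any(_glob(pattern, v) for k, v in entry.items() if k.lower() == attr.lower())

def search(filt):
    """Return the distinguishedName of every sample group matching the filter."""
    tree = parse(filt)
    return [g["distinguishedName"] for g in GROUPS if matches(tree, g)]
```

In this constructed directory the CN-based OR filter also returns the marketing SSLVPN group, whereas the distinguishedName-based one does not, which is the ambiguity the note on duplicate Common Names describes.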
owner: rnitz