LDAP Filter on Asset Discovery

Hi,

I was wondering how the LDAP Filter on Assets Discovery works.

The use case is to exclude a specific sub-OU from the discovery, but the filter seems to respond only to parameters like CN, Description, IP, etc. OU= is not among them.

Would it be possible for you to explain how the LDAP filter actually works?

Thank you,

Simone

  • Hi Simone,

    The LDAP filter in Asset Discovery is about discovering Computer objects and therefore will only work for (objectCategory=computer) but not for (objectClass=organizationalUnit)

    Workarounds:

    1. You may add all computer objects to a group (example group: SafeguardAssets) and filter based on that group

    Here is an example:
    (& (objectCategory=Computer)(!(memberof=CN=SafeguardAssets,OU=TestOU,DC=domain,DC=lab)) )

    2. Another option is to create an Asset discovery job with multiple LDAP Filter conditions, where each condition is for a single OU, and the scope is set to just OneLevel

    Here is an example:
    LDAP Filter: (& (name=*))
    Filter Search Location: OU=TestOU,DC=domain,DC=lab
    Scope: OneLevel

    Thanks!

  • Hi Tawfiq,

    We can't move all the OUs in a group, unfortunately; at most we can try and move the OU that needs to be excluded.

    As for your example 1, we did try something similar. I tried different Filters:

    1. CN=* / CN=asset.domain.com / Description= *old / etc., and the preview would give the correct results.

    2. (&(objectCategory=Computer)(!(CN=*,OU=ExcludeThisOU,DC=YourDomain,DC=com))) and the preview was able to find 0 objects

    So it seems like, when you're going to specify the OU field, the appliance is not going to read it.

    I also tried using the filter you gave as an example (& (objectCategory=Computer)(!(memberof=CN=*,OU=TestOU,DC=domain,DC=lab)) ) with the correct parameters, but it does not work; the result is always 0 items found.

    Thank you!

  • Hi,


    Correction for #1:

    You could try to add the computer objects that you want to exclude to a group (example: ExcludedAssetsGroup) and filter out that group

    For example:
    (&(!(memberof=CN=ExcludedAssetsGroup,OU=TestOU,DC=domain,DC=lab)) )

    or 

    Use any other common attribute for those computer objects that you wish to exclude. For example, if these computer objects had description value = Exclude, then the LDAP filter can be something like this:

    (&(!(description=Exclude)))

    In both cases, you would want to enable the check box Include objects from sub containers and this way you are excluding based on an attribute shared amongst the computer objects that you want to exclude.

    Thanks!
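
The exclusion logic from the correction above, as an added example that is not part of the thread or the vendor's code: a minimal Python evaluator for the filter syntax used here (`&`, `|`, `!`, exact match, and `attr=*` presence), run over constructed computer entries. It models plain LDAP matching only, not the appliance's own filter handling; the entry names and the `search` helper are assumptions.

```python
# Constructed sample entries: attribute names lower-cased, values as lists.
ENTRIES = [
    {"cn": ["SRV01"]},
    {"cn": ["OLD01"],
     "memberof": ["CN=ExcludedAssetsGroup,OU=TestOU,DC=domain,DC=lab"]},
    {"cn": ["OLD02"], "description": ["Exclude"]},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    while f[i].isspace():
        i += 1
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while True:
            while f[i].isspace():
                i += 1
            if f[i] == ")":
                return (op, kids), i + 1
            kid, i = parse(f, i)
            kids.append(kid)
    end = f.index(")", i)  # raises ValueError if the item is never closed
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":  # presence test
        return bool(values)
    # Exact, case-insensitive match; an absent attribute never matches,
    # so (!(attr=x)) keeps entries that lack the attribute entirely.
    return node[2].lower() in (v.lower() for v in values)

def search(filter_text, entries=ENTRIES):
    """Return the cn of every entry that passes the filter."""
    try:
        tree, end = parse(filter_text)
        if filter_text[end:].strip():
            raise ValueError("trailing text after filter")
        return [e["cn"][0] for e in entries if matches(tree, e)]
    except IndexError:  # ran off the end: unbalanced parentheses
        raise ValueError("unbalanced filter: " + filter_text) from None
```

Running the preview against a list like this before saving a discovery job shows which computers an exclusion filter would still pick up, including those that simply lack the attribute being tested.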