
I am building Google Directory sync from our domain to our Google apps account. I am trying to search for all users in a specific Distribution Group: GoogleAppsActiveUsers.

I am using Windows 2003 R2 as our AD.

I have 1 user added to the group GoogleAppsActiveUsers: user@test.com. That group is sub to the OU Company Users. If my search criteria includes

CN=GoogleAppsActiveUsers,OU=Company Users,DC=company

In this case I get 0 results returned.

My Filter is:

(objectClass=person)

However, if I change my DN to be:

OU=Company Users,DC=company

As a result I get ALL my users (including the one within my GoogleAppsActiveUsers group).

What am I doing wrong?

Saariko
  • The following DN: CN=GoogleAppsActiveUsers,OU=Security_Groups,OU=OptiTex_Users,DC=optitex and filter * gives me only the CN=GoogleAppsActiveUsers as a result. How do I get the users in that group? – Saariko Aug 04 '11 at 10:25

1 Answer


The search results you specify are exactly as expected from the search parameters you give. `(objectClass=person)` with the base DN of `CN=GoogleAppsActiveUsers,OU=Company Users,DC=company`, assuming a search scope of `sub` (you did not specify what search scope you used), would filter all objects from the candidate list that contained the attribute `objectClass` with a value of `person` (or subtypes of `person`). In your case, there are no objects that match those criteria. When you widen the search to start at a higher level (`OU=Company Users,DC=company`), again assuming a search scope of `sub`, more entries are returned. It might be that you should change your filter to `(isMemberOf=CN=GoogleAppsActiveUsers,OU=Company Users,DC=company)` or `(memberOf=CN=GoogleAppsActiveUsers,OU=Company Users,DC=company)` in order to find the members of the desired group.

Terry Gardner
  • I still get weird answers. If I try with memberOf=CN=GoogleAppsActiveUsers,OU=Security_Groups,OU=company_Users,DC=company I get a null exception error [FATAL] [ui.page.SimulateSyncWorker$WorkerStatusLogger] Exception while attempting to retrieve results java.lang.RuntimeException: javax.naming.InvalidNameException: : [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8349, best match of:'memberOf=CN=GoogleAppsActiveUsers,OU=Security_Groups,OU=Company_Users,DC=company' – Saariko Aug 03 '11 at 07:45
  • If I remove the memberof=CN=GoogleAppsActiveUsers I get a result that is too long (the one level above what I want). I do use the Sub-Tree but I tried also level and one also – Saariko Aug 03 '11 at 07:46
  • I think that the query is correct, but how do I make it work in the configuration manager of google directory sync? the base DN is correct, with the CN, but I think the rule needs some work. – Saariko Aug 03 '11 at 07:56
  • Did you try `isMemberOf` instead of `memberOf`? – Terry Gardner Aug 03 '11 at 10:53
  • I did, same result. As I said, I think the tweak has to be in the filter. As the DN is correct, and should not include the memberOf/isMemberOf. That should be in the filter area of the configuration. – Saariko Aug 03 '11 at 13:03
  • The `memberOf` and `isMemberOf` do not belong in the DN. The DN is the primary that identifies the entry. `memberOf` and `isMemberOf` are most likely not even real attributes, rather, they are probably virtual attributes or dynamic attributes. If you could post the LDIF of the `GoogleAppsActiveUsers` group, perhaps that would help. – Terry Gardner Aug 03 '11 at 13:15
  • Not sure on how to extract LDIF using AD explorer. If you can show me please. – Saariko Aug 03 '11 at 13:57
  • I have never used AD Explorer, but from a quick look at the web page, it looks like a basic directory browser. Perhaps you can navigate in the left hand side down to your group entry and right-click or something to save the LDIF. – Terry Gardner Aug 03 '11 at 14:02
  • @Saariko let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/980/discussion-between-terry-gardner-and-saariko) – Terry Gardner Aug 03 '11 at 14:02
  • Thanks Ter for all your help, the answer was: E U R E K A !!!!!! Base DN:OU=OptiTex_Users,DC=optitex Filter: (memberof=CN=GoogleAppsActiveUsers,OU=Security_Groups,OU=OptiTex_Users,DC=optitex) – Saariko Aug 04 '11 at 12:33
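
Added example (not part of the original thread): a minimal in-memory model of an LDAP subtree search, showing why the group DN as search base finds no `person` objects while a `memberOf` filter under the OU finds the member. The `search` helper, the two sample users and the directory contents are constructed for illustration; `memberOf` is modelled as a value derived from each group's `member` attribute, and DN parsing is simplified (no escaped commas).

```python
# Constructed sample directory; DNs follow the ones used in the question.
OU_DN = "OU=Company Users,DC=company"
GROUP_DN = "CN=GoogleAppsActiveUsers,OU=Company Users,DC=company"
TEST_USER = "CN=Test User,OU=Company Users,DC=company"      # hypothetical member
OTHER_USER = "CN=Other User,OU=Company Users,DC=company"    # hypothetical non-member

DIRECTORY = {
    OU_DN: {"objectClass": ["organizationalUnit"]},
    # Members are referenced by DN in an attribute; they are NOT children of the group.
    GROUP_DN: {"objectClass": ["group"], "member": [TEST_USER]},
    TEST_USER: {"objectClass": ["person", "user"]},
    OTHER_USER: {"objectClass": ["person", "user"]},
}


def norm(value):
    """Case-insensitive comparison form; also trims spaces around DN commas."""
    return ",".join(part.strip().lower() for part in value.split(","))


def attributes(dn):
    """Entry attributes (lower-cased names) plus a derived memberOf back-link."""
    attrs = {name.lower(): vals for name, vals in DIRECTORY[dn].items()}
    attrs["memberof"] = [
        group for group, entry in DIRECTORY.items()
        if norm(dn) in map(norm, entry.get("member", []))
    ]
    return attrs


def search(base, attr, value, scope="sub"):
    """Simplified search: one equality filter (attr=value) below a base DN."""
    base_n = norm(base)
    hits = []
    for dn in DIRECTORY:
        dn_n = norm(dn)
        if scope == "base":
            in_scope = dn_n == base_n
        else:  # "sub": the base entry itself and everything beneath it
            in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        if in_scope and norm(value) in map(norm, attributes(dn).get(attr.lower(), [])):
            hits.append(dn)
    return hits


if __name__ == "__main__":
    print(search(GROUP_DN, "objectClass", "person"))  # group has no child entries
    print(search(OU_DN, "objectClass", "person"))     # every user under the OU
    print(search(OU_DN, "memberOf", GROUP_DN))        # only the group's member
```
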