
For authentication in Jitsi Meet, we would like to read out a Windows AD group with an ldap query. Unfortunately our ldap query does not work.

LDAP_URL=ldaps://server.domain.local:636/
LDAP_BASE=DC=domain,DC=local
LDAP_BINDDN=CN=bind_user,OU=Administrative Accounts,OU=Benutzer,DC=domain,DC=local
LDAP_BINDPW=*

LDAP_FILTER= (&(|objectclass=user))(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)
(primaryGroupID=4989))

The error must be due to the filter, it works with the filter LDAP_FILTER=(sAMAccountName=%u).

Can you tell me what is wrong with our query?

Gabriel Luci
SvenB

1 Answer


A few things stand out to me:

  1. The | in front of objectClass should not be there.
  2. You have two closing parentheses after the objectClass condition, but the second one should be moved to the end of the whole query.
  3. Oddly, objectClass=user will actually end up including other objects than just user accounts (like computer accounts). If you want to filter to only user objects, you have to use both (objectClass=user)(objectCategory=person). But that would only matter if you have other types of objects as members of that group.
  4. Maybe this is just an error with pasting into the question, but there is a line break before (primaryGroupID=
  5. I've never used Jitsi, but it may or may not like the space after LDAP_FILTER=. The other examples I see online don't show a space there.

It should look like this:

LDAP_FILTER=(&(objectclass=user)(objectCategory=person)(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)(primaryGroupID=4989)))

That means: find all user objects that are either members of that group, or have a primary group ID of 4989.

Gabriel Luci
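To make the points in the answer concrete, here is an added example (not part of the question, the answer, or Jitsi Meet) in the form of a small parser for RFC 4515 search filters plus an evaluator that runs a parsed filter against a constructed in-memory directory. It shows that the original filter is rejected at the stray `|` before `objectclass`, that a filter with a misplaced closing parenthesis is rejected as well, and that the corrected filter selects users who are members of the group or have primary group ID 4989 while excluding a computer account that is also a member of the group (point 3 in the answer). The sample entries, the use of the short form `person` for `objectCategory`, and the simplified case-insensitive equality matching (no wildcards, no escape sequences) are assumptions of this example, not properties of Active Directory or Jitsi.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator (illustrative example).

Supports the operators used in the question: &, |, !, equality and presence.
Attribute names are compared case-insensitively; values are matched with a
case-insensitive equality, which is a simplification of real AD matching rules.
"""
import re


class FilterError(ValueError):
    """Raised when a filter string is not syntactically valid."""


# attribute name, '=', value (value runs up to the next parenthesis)
_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)')


def parse_filter(text):
    """Parse a filter string into a tree of tuples; raise FilterError on bad syntax."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != '(':
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in '&|!':
        pos += 1
        children = []
        while pos < len(text) and text[pos] == '(':
            pos, child = _parse(text, pos)
            children.append(child)
        if not children:
            # this is what the stray '|' in '(|objectclass=user)' triggers
            raise FilterError(f"operator '{op}' at offset {pos} has no operands")
        if op == '!' and len(children) != 1:
            raise FilterError("'!' takes exactly one operand")
        if pos >= len(text) or text[pos] != ')':
            raise FilterError(f"expected ')' at offset {pos}")
        return pos + 1, (op, children)
    m = _ITEM.match(text, pos)
    if not m:
        raise FilterError(f"expected attribute comparison at offset {pos}")
    attr, value = m.group(1).lower(), m.group(2)
    pos = m.end()
    if pos >= len(text) or text[pos] != ')':
        raise FilterError(f"expected ')' at offset {pos}")
    return pos + 1, ('=', attr, value)


def matches(node, entry):
    """Evaluate a parsed filter against an entry: dict of lowercase attribute -> list of values."""
    op = node[0]
    if op == '&':
        return all(matches(c, entry) for c in node[1])
    if op == '|':
        return any(matches(c, entry) for c in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == '*':  # presence filter, e.g. (memberOf=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def check_syntax(filter_text):
    """Return None if the filter parses, otherwise the error message."""
    try:
        parse_filter(filter_text)
        return None
    except FilterError as exc:
        return str(exc)


GROUP_DN = "CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local"

# Constructed sample directory (not real data). 'ws01$' is a computer account
# that is a member of the group, so it has objectClass=user but not objectCategory=person.
SAMPLE_ENTRIES = {
    "alice": {"objectclass": ["top", "person", "user"], "objectcategory": ["person"],
              "memberof": [GROUP_DN], "primarygroupid": ["513"]},
    "bob":   {"objectclass": ["top", "person", "user"], "objectcategory": ["person"],
              "primarygroupid": ["4989"]},
    "carol": {"objectclass": ["top", "person", "user"], "objectcategory": ["person"],
              "primarygroupid": ["513"]},
    "ws01$": {"objectclass": ["top", "person", "user", "computer"], "objectcategory": ["computer"],
              "memberof": [GROUP_DN], "primarygroupid": ["515"]},
}

# The filter from the question (leading space and line break removed), one with the
# second ')' still in the wrong place, and the corrected filter from the answer.
BROKEN_FILTER = "(&(|objectclass=user))(|(memberof=" + GROUP_DN + ")(primaryGroupID=4989))"
MISPLACED_PAREN_FILTER = "(&(objectclass=user))(|(memberof=" + GROUP_DN + ")(primaryGroupID=4989))"
FIXED_FILTER = ("(&(objectclass=user)(objectCategory=person)"
                "(|(memberof=" + GROUP_DN + ")(primaryGroupID=4989)))")


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted names of entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))


if __name__ == "__main__":
    for label, flt in (("broken", BROKEN_FILTER), ("misplaced", MISPLACED_PAREN_FILTER), ("fixed", FIXED_FILTER)):
        print(label, "->", check_syntax(flt) or "OK")
    print("fixed filter matches:", search(FIXED_FILTER))
```

Running the script reports a syntax error for the first two filters and prints `['alice', 'bob']` for the corrected one; running `check_syntax` on a filter before putting it into the Jitsi configuration catches the parenthesis and operator mistakes without needing a live directory.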