How to use LDAP Filters
Introduction
As part of the Users Directory feature passbolt offers two ways to help filter your Active Directory/OpenLDAP users and groups so you have more control over which users and groups are synchronized. This page will go over how to use both of these options.
Groups & Users Parent Group
One of the options for filtering users and groups is to use the Groups Parent Group or the Users Parent Group option. This can be found under the Synchronization options section of the Users Directory configuration page.
This option will allow you to specify a Parent Group for your users or groups. Passbolt will then only look for Users or Groups which are part of that Parent group and use those for synchronization. This is most useful if you have directory set up where the Users or Groups you want to synchronize are all under the same group. For this field you can use just the name of the group, for example:
- admins
- testers
- Passbolt_Users
- Passbolt Groups
Group & User custom filters
The other option we have is to use custom filters for users or groups. This can be found under the Directory configuration section of the Users Directory configuration page.
These fields will accept standard LDAP query syntax. This is useful if you need just a few groups/users or wish to exclude one which may have normally been synchronized. These fields provide more flexibility when interacting with more complicated directory structures. Some examples of the expected syntax are:
(memberof=cn=somegroup)
- This would be for the users filter for members of “somegroup”
(|(cn=admins)(cn=testers))
- This would be for the groups “admins” or “testers”
(uid=*smith*)
- This would be for any user with “smith” in their uid
Optional server tooling
For testing purpose, it might be handy to have some ldap utilities installed on your system. On Debian you can use ldapsearch for example to search for and display entries:
sudo apt-get install ldap-utils
ldapsearch -b'dc=example,dc=com' -x