Custom LDAP Filters

Keeper Bridge custom LDAP filters

The Bridge uses standard LDAP search filter syntax (RFC 4515) against Active Directory. For the Active Directory specific syntax, attributes and examples, please refer to this web page: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Custom Nodes

The Nodes filter defines which OUs are found or excluded. Objects (OUs, security groups, users) are only found by the other filters if the OU they belong to is itself found in the domain tree by the Node filter. For example, if all OUs are to be configured as Nodes in the Keeper Admin Console except Domain Controllers (the default exclusion), Finance, and Marketing, the LDAP query would look similar to the following. Note that the NOT operator wraps a complete parenthesised filter, as in (!(name=Finance)); this is the form defined by the LDAP filter standard and is accepted by any LDAP server.

(&
  (objectclass=organizationalunit)
  (!(name=Domain Controllers))
  (!(name=Finance))
  (!(name=Marketing))
)

Keep in mind that any users, security groups, or other OUs residing inside the Finance or Marketing OUs (in this example) will not be found by the query either, because their parent OU is excluded from the tree.

Container vs OU

Another important aspect of configuring LDAP filters to meet the organization's objectives is that some organizations do not have users residing in an OU. Instead, users are placed in a container (usually the built-in Users container, CN=Users). While Microsoft does not recommend this as a best practice, many organizations are configured this way. When this is the case an organization should consider moving the users into an OU. If that is not feasible, the Nodes filter should contain a statement that finds the container instead of an OU. In the example below the filter is configured to find both an OU named WestCoast and a container named Users. The Domain Controllers exclusion is placed in the outer AND so that it applies to the whole filter; inside the first OR it would match almost every object and make the objectclass test ineffective.

(&
    (|
       (objectclass=organizationalunit)
       (objectclass=container)
    )
    (|
       (name=WestCoast)
       (cn=Users)
    )
    (!(name=Domain Controllers))
)

When configuring the User filter in conjunction with a container, additional statements may be needed for the users to be found. The reason is that when a user is created in AD, the user is by default assigned to the built-in Domain Users group as its primary group. The primary group is not listed in the memberOf attribute; it is recorded in the primaryGroupID attribute, which holds only the Relative Identifier (RID) of the primary group (513 for Domain Users), not its distinguished name. For this reason a User filter that selects users through the memberOf property of their primary group will not find them, and the nested-group matching rule shown later on this page does not see the primary group either, since it also follows memberOf. A statement in the User filter such as the example below may therefore be necessary.

(&
   (objectCategory=person)
   (objectClass=user)
   (primaryGroupID=513)
)

Custom Roles

Roles are required to apply enforcement policies to the Users in the Keeper organization. By default the Role filter is blank. Because the names of security groups in Active Directory are specific to each organization, no default filter can be supplied, so it is necessary to decide which security groups in Active Directory will be used as Roles. If all security groups are to be mapped as Roles, copying the default Team filter is an easy way to export all groups as Roles. This means the admin will need to manage each group both as a Role and as a Team; maintaining many Roles can be unnecessary and time consuming for the Keeper admin, and in most cases only one or a few Roles are needed. The following example maps all security groups as Roles while excluding the specific groups Local Admins and Regional Admins. The three grouptype values select security-enabled groups of global (-2147483646), domain local (-2147483644) and universal (-2147483640) scope; distribution groups have positive grouptype values and are not matched.

(&
    (objectclass=group)
    (!(CN=Local Admins))
    (!(CN=Regional Admins))
    (|
        (grouptype=-2147483640)
        (grouptype=-2147483644)
        (grouptype=-2147483646)
    )
)

Example mapping only specific security groups as Roles. This example combines Keeper Admins and Keeper Users with an OR (|) operator so that only those two groups are included.

(&
    (objectclass=group)
    (|
        (CN=Keeper Admins)
        (CN=Keeper Users)
    )
    (|
        (grouptype=-2147483640)
        (grouptype=-2147483644)
        (grouptype=-2147483646)
    )
)
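The negative grouptype values in the two Role filters above are the signed 32-bit view of the groupType flag bits (0x80000000 marks a security-enabled group, and the low bits give the scope). The following added Python example, which is not part of the Keeper documentation or the Bridge's own code, decodes those values and compares the page's explicit three-value list with the broader bitwise test that Active Directory also supports as an LDAP filter, (groupType:1.2.840.113556.1.4.803:=2147483648). The sample group names are constructed; the groupType numbers are the values AD reports for those group kinds.

```python
"""Decode Active Directory groupType values (added example, not Keeper's code)."""

# Flag bits of the groupType attribute; AD returns the value as a signed 32-bit integer.
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x00000010: "APP_BASIC",
    0x00000020: "APP_QUERY",
    0x80000000: "SECURITY_ENABLED",
}
SECURITY_ENABLED = 0x80000000
# The three literal values listed in the page's Role filter.
PAGE_ROLE_VALUES = {-2147483640, -2147483644, -2147483646}


def decode_group_type(group_type: int) -> list:
    """Name the flag bits set in a signed groupType value."""
    bits = group_type & 0xFFFFFFFF  # reinterpret the signed value as its 32-bit pattern
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit]


def is_security_group(group_type: int) -> bool:
    """Same test as the AD filter (groupType:1.2.840.113556.1.4.803:=2147483648)."""
    return bool(group_type & SECURITY_ENABLED)


def matched_by_page_filter(group_type: int) -> bool:
    """Same test as (|(grouptype=-2147483640)(grouptype=-2147483644)(grouptype=-2147483646))."""
    return group_type in PAGE_ROLE_VALUES


# Constructed sample groups with the groupType value AD reports for each kind.
SAMPLE_GROUPS = {
    "Keeper Admins (global security)": -2147483646,
    "Regional Admins (domain local security)": -2147483644,
    "All Staff (universal security)": -2147483640,
    "Administrators (BUILTIN local security)": -2147483643,
    "Newsletter (global distribution)": 2,
}


def compare_filters(groups=SAMPLE_GROUPS) -> dict:
    """For each group: decoded flags and whether each filter style selects it."""
    return {
        name: {
            "flags": decode_group_type(gt),
            "page_filter": matched_by_page_filter(gt),
            "bit_and_filter": is_security_group(gt),
        }
        for name, gt in groups.items()
    }


if __name__ == "__main__":
    for name, result in compare_filters().items():
        print(f"{name:42} {result}")
```

The comparison shows that the page's explicit list and the bitwise rule agree on ordinary global, domain local and universal security groups and both skip distribution groups, but only the bitwise rule also selects BUILTIN local security groups such as Administrators. Whether that is desirable depends on whether those groups should become Keeper Roles or Teams; the explicit list is the conservative choice.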

An important rule with Role filtering: if a group the user belongs to is not exported as a Role, the user will still be exported, just not assigned to that Role.

Custom Team Filters

Teams are required to share folders and records with other Users in the Keeper organization. By default the Team filter maps all security groups to Teams. Both the Role and Team filters act on security groups, and it is valid for a group to be mapped as both a Role and a Team. For instance an organization may map LA Admins and LA Users as Roles and also map all security groups as Teams; LA Admins and LA Users are then Teams as well. Since the Team filter is written in the same way as the Role filter, please refer to Custom Roles for filtering examples.

Custom User Filters

The User filter maps user objects in Active Directory. If a user is a member of a security group which is mapped as a Role or Team, the Bridge will invite the user and assign them to the Roles and Teams of which they are a member, based on their Active Directory group membership. Example mapping all users in Active Directory except specific users; User52 and User58 are excluded by Common Name.

(&
    (objectclass=user)
    (objectCategory=Person)
    (!(cn=User52))
    (!(cn=User58))
)

Example mapping only specific users in Active Directory; User52 and User58 are the only users included, selected by Common Name.

(&
    (objectclass=user)
    (objectCategory=Person)
    (|
        (cn=User52)
        (cn=User58)
    )
)

Example mapping all users in Active Directory who are direct members of specific groups. Members of the RDP Users or Console Users group are included. A plain memberOf comparison matches direct membership only; members of groups nested inside these two groups are not matched (see the nested-group example further down).

(&
    (objectclass=user)
    (objectCategory=Person)
    (|
        (memberOf=CN=RDP Users,OU=Office Users,DC=keeper,DC=local)
        (memberOf=CN=Console Users,OU=Office Users,DC=keeper,DC=local)
    )
)

Example mapping all users in Active Directory except those who are direct members of specific groups. Members of the RDP Users and Office Admins groups are excluded.

(&
    (objectclass=user)
    (objectCategory=Person)
    (!(memberOf=CN=RDP Users,OU=EDH Office Users,DC=keeper,DC=local))
    (!(memberOf=CN=Office Admins,OU=EDH Office Users,DC=keeper,DC=local))
)

Example mapping all users in Active Directory who are members of specific groups either directly or through any group nested below them. Members of RDP Users and Console Users are included, as are members of all groups nested within those two, because the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) evaluates group membership transitively. Two caveats: the rule follows memberOf links only, so a user's primary group (recorded in primaryGroupID rather than memberOf) is still not matched, and because the domain controller evaluates the rule recursively it is noticeably slower than a plain memberOf comparison on large directories.

(&
    (objectclass=user)
    (objectCategory=Person)
    (|
        (memberOf:1.2.840.113556.1.4.1941:=CN=RDP Users,OU=Office Users,DC=keeper,DC=local)
        (memberOf:1.2.840.113556.1.4.1941:=CN=Console Users,OU=Office Users,DC=keeper,DC=local)
    )
)
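The following added Python example is not part of the Keeper documentation or the Bridge's own code. It is a small evaluator for the subset of LDAP filter syntax used on this page (AND, OR, NOT, equality, presence, and the Active Directory matching rules 1.2.840.113556.1.4.1941 for nested membership and 1.2.840.113556.1.4.803 for bitwise tests) run against a constructed, hypothetical directory whose DNs, users and groups are made up. It demonstrates the three behaviours discussed in the Container vs OU and nested-group sections: a filter that looks for the primary group through memberOf finds nobody while primaryGroupID=513 does; a plain memberOf clause sees direct membership only while the in-chain rule walks nested groups; and NOT must wrap a parenthesised filter. It is a reasoning aid for reading filters offline, not a substitute for the Preview against the real directory, and it simplifies objectCategory to the short class name where AD stores a schema DN.

```python
"""Offline evaluator for the LDAP filter subset used on this page (added example)."""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (transitive)
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
# Constructed directory (hypothetical DNs): User52 is in Helpdesk, which is nested in
# RDP Users. Neither user lists Domain Users in memberOf; only primaryGroupID=513 has it.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=keeper,DC=local"
RDP_USERS = "CN=RDP Users,OU=Office Users,DC=keeper,DC=local"
HELPDESK = "CN=Helpdesk,OU=Office Users,DC=keeper,DC=local"
USER52 = "CN=User52,CN=Users,DC=keeper,DC=local"
USER58 = "CN=User58,OU=WestCoast,DC=keeper,DC=local"
GROUP = {"objectClass": ["top", "group"], "groupType": ["-2147483646"]}  # global security
USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["person"], "primaryGroupID": ["513"]}  # AD stores a schema DN
DIRECTORY = {
    DOMAIN_USERS: {**GROUP, "cn": ["Domain Users"]},
    RDP_USERS: {**GROUP, "cn": ["RDP Users"], "member": [HELPDESK]},
    HELPDESK: {**GROUP, "cn": ["Helpdesk"], "member": [USER52], "memberOf": [RDP_USERS]},
    USER52: {**USER, "cn": ["User52"], "memberOf": [HELPDESK]},
    USER58: {**USER, "cn": ["User58"], "memberOf": []},
}
ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?=(.*)$")  # attr[:rule:]=value

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":  # RFC 4515: NOT wraps a complete filter, (!(cn=x)) rather than (!cn=x)
        if s[i + 1] != "(":
            raise ValueError("NOT must wrap a parenthesised filter: (!(attr=value))")
        kid, i = parse(s, i + 1)
        node = ("!", [kid])
    else:
        end = s.index(")", i)
        m = ITEM.match(s[i:end])
        if not m:
            raise ValueError(f"bad filter item {s[i:end]!r}")
        node, i = ("item", m.groups()), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def compile_filter(text):
    compact = re.sub(r"\s*([()])\s*", r"\1", text)  # drop the layout whitespace the page uses
    node, end = parse(compact)
    if end != len(compact):
        raise ValueError(f"trailing text after filter: {compact[end:]!r}")
    return node

def is_valid(text):
    try:
        return compile_filter(text) is not None
    except (ValueError, IndexError):
        return False

def lookup(entry, attr):  # attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def chain(attr, start):
    """Transitive closure of attr (e.g. memberOf) across DIRECTORY, lower-cased."""
    seen, todo = set(), list(start)
    while todo:
        dn = todo.pop()
        if dn.lower() not in seen:
            seen.add(dn.lower())
            todo.extend(lookup(DIRECTORY.get(dn, {}), attr))
    return seen

def matches(node, dn):
    op, payload = node
    if op == "&":
        return all(matches(k, dn) for k in payload)
    if op == "|":
        return any(matches(k, dn) for k in payload)
    if op == "!":
        return not matches(payload[0], dn)
    attr, rule, value = payload
    values = lookup(DIRECTORY[dn], attr)
    if rule is None:  # equality, or presence when the value is "*"
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    if rule == IN_CHAIN:  # nested membership: walk memberOf upward from the object
        return value.lower() in chain(attr, values)
    if rule == BIT_AND:  # e.g. (groupType:1.2.840.113556.1.4.803:=2147483648)
        return any(int(v) & int(value) == int(value) for v in values)
    raise ValueError(f"unsupported matching rule {rule}")

def search(filter_text):
    """Return the sorted DNs in DIRECTORY matched by filter_text."""
    node = compile_filter(filter_text)
    return sorted(dn for dn in DIRECTORY if matches(node, dn))

if __name__ == "__main__":
    print(search(f"(&(objectClass=user)(memberOf={DOMAIN_USERS}))"))           # [] primary group is not in memberOf
    print(search(f"(&(objectClass=user)(memberOf:{IN_CHAIN}:={RDP_USERS}))"))  # User52 only, via nested Helpdesk
```

Paste any filter from this page into search() to see which of the sample objects it selects, or into is_valid() to check the syntax before saving it in the Bridge; the evaluator deliberately rejects the (!attr=value) shorthand so that filters written here are portable to any LDAP server.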

To map only users who are in a specific OU, or to exclude users who are in a specific OU, please refer to the Node filter, since the User filter cannot see users whose OU is not part of the tree.

Preview Filter Results

The Preview option above the filter edit box displays the effective result of the defined filters: the tree defined by the Node filter and, within that tree structure, the objects to be exported by the other filters (User, Role, Team).

Teams always display regardless of the tree node selected. Roles and Users display based on their location in the tree. A total count of objects is displayed below the tree structure. Selecting a Node, Role, Team or User displays the Active Directory properties of the selected object. This information is helpful for determining the properties and property values that can be used to filter for that object.

Publish Changes

Once your configuration is complete, select Save to retain your current settings. Once all settings are complete, use the Publish button to push the changes live and activate the integration.

Always Preview after editing filters and before publishing your changes, to ensure each filter selects exactly the objects intended.

View the Bridge Log during the publish to see important messages as they occur.
