LDAP Filters #52141

jvirot · 2025-02-13T20:04:19Z

jvirot
Feb 13, 2025

Hello,
I would like to make a filter on my ldap discovery... it's OK for cn=my-server.
but i would like to filter on distinguishedname but i have an error with this.

what is the correct syntax for distinguishedname ?

i try this :
` discovery:
base_dn: "*"
filters:

'(|(dn=OU=Servers,OU=Harden_T0,DC=stella,DC=group))'
`

Answered by jvirot

Feb 14, 2025

Ok finaly i find the solution.
The problem was identation of filters and label atrributes.
we must ident those fields like base_dn and not like discovery
like this:

        -----END CERTIFICATE-----

  discovery:
    base_dn: "*"
    filters:
      ##- '(!(primaryGroupID=516))' # exclude domain controllers
    # (optional) LDAP attributes to convert into Teleport labels.
    # The key of the label will be "ldap/" + the value of the attribute.
    - '(&(objectClass=organizationalUnit)(|(ou:dn:=Harden_T0)(ou:dn:=Domain Controllers)))'
    label_attributes:
    - location
    - operatingSystem

on the docs online is

windows_desktop_service:
  enabled: yes
  discovery:
    base_dn: '*'
  fil…

View full answer

zmb3 · 2025-02-13T20:29:57Z

zmb3
Feb 13, 2025
Maintainer

If you only want to search in a single DN then you don't even need an LDAP filter - you should just change the base DN.

discovery:
  base_dn: OU=servers,OU=Harden_T0,DC=stella,DC=group

1 reply

jvirot Feb 13, 2025
Author

Yes Indeed.
But it's because i need to search in two différents ou

jvirot · 2025-02-14T09:08:37Z

jvirot
Feb 14, 2025
Author

I think the problem is not really what i try as filter but the field "filters" himself.
Because when i put the same code like the Docs teleport won't start with errors :

line 94: field filters not found in type config.WindowsDesktopService line 99: field label_attributes not found in type config.WindowsDesktopService

        AXpSZ0JPwyDmn0S7XV9C
        -----END CERTIFICATE-----

  discovery:
    base_dn: "*"
  filters:
  - '(location=Oakland)'
  - '(!(primaryGroupID=516))' # exclude domain controllers
    # (optional) LDAP attributes to convert into Teleport labels.
    # The key of the label will be "ldap/" + the value of the attribute.
  label_attributes:
  - location

0 replies

jvirot · 2025-02-14T10:40:11Z

jvirot
Feb 14, 2025
Author

Ok finaly i find the solution.
The problem was identation of filters and label atrributes.
we must ident those fields like base_dn and not like discovery
like this:

        -----END CERTIFICATE-----

  discovery:
    base_dn: "*"
    filters:
      ##- '(!(primaryGroupID=516))' # exclude domain controllers
    # (optional) LDAP attributes to convert into Teleport labels.
    # The key of the label will be "ldap/" + the value of the attribute.
    - '(&(objectClass=organizationalUnit)(|(ou:dn:=Harden_T0)(ou:dn:=Domain Controllers)))'
    label_attributes:
    - location
    - operatingSystem

on the docs online is

windows_desktop_service:
  enabled: yes
  discovery:
    base_dn: '*'
  filters:
  - '(location=Oakland)'
  - '(!(primaryGroupID=516))'

2 replies

webvictim Feb 14, 2025
Collaborator

Thanks for the report. I filed a PR to fix the docs: #52181

jvirot Feb 15, 2025
Author

Ok.
Because on docs the label_attributes have thé correct indentation but not filtres.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LDAP Filters #52141

{{title}}

Replies: 3 comments 3 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

LDAP Filters #52141

jvirot Feb 13, 2025

Replies: 3 comments · 3 replies

zmb3 Feb 13, 2025 Maintainer

jvirot Feb 13, 2025 Author

jvirot Feb 14, 2025 Author

jvirot Feb 14, 2025 Author

webvictim Feb 14, 2025 Collaborator

jvirot Feb 15, 2025 Author

jvirot
Feb 13, 2025

Replies: 3 comments 3 replies

zmb3
Feb 13, 2025
Maintainer

jvirot Feb 13, 2025
Author

jvirot
Feb 14, 2025
Author

jvirot
Feb 14, 2025
Author

webvictim Feb 14, 2025
Collaborator

jvirot Feb 15, 2025
Author