Apoc.load.ldap useraccountcontrol filter works fine with user objects, but not computers


(Paul Drangeid) #1

I am able to successfully query LDAP user objects from an Active Directory Server. I can also return computer objects, but I get an error response if I try to apply a filter to filter out disabled accounts:

Failed to invoke procedure apoc.load.ldap: Caused by: java.lang.RuntimeException: Error getting next ldap entry null

Here's the example code. The USERS query works fine, but the COMPUTERS query fails unless you remove the account control filter: !(userAccountControl:1.2.840.113556.1.4.803:=2)

// ONLY ENABLED Computers:
call apoc.load.ldap({ldapHost:'dc1.mydomain.com',loginDN:'cn=queryservice,cn=Managed Service Accounts,DC=mydomain,DC=com',loginPW:'supersecretpassword'},
{searchBase:'dc=mydomain,dc=com',searchScope:'SCOPE_SUB',attributes:['cn'],searchFilter:'(&(objectClass=computer))!(userAccountControl:1.2.840.113556.1.4.803:=2)'})
yield entry


// ONLY ENABLED USERS:
call apoc.load.ldap({ldapHost:'dc1.mydomain.com',loginDN:'cn=queryservice,cn=Managed Service Accounts,DC=mydomain,DC=com',loginPW:'supersecretpassword'},
{searchBase:'dc=mydomain,dc=com',searchScope:'SCOPE_SUB',attributes:['displayname','company','cn','mail','sAMAccountName','userPrincipalName','dn'],searchFilter:'(&(objectClass=user))!(userAccountControl:1.2.840.113556.1.4.803:=2)'})
yield entry

(Paul Drangeid) #2

Wow, I guess I just need to post more often. It seems, more often than not, that whenever I post a problem on a user forum, I figure the problem out!

It seems that the query does NOT like querying from the TOP level OU (dc=mydomain,dc=com), but instead I HAVE to choose a sub-container: (ou=Servers,dc=mydomain,dc=com).


(Paul Drangeid) #3

So it does seem that the query works, but for any LDAP objects the filter does not seem to be applied correctly. I'm trying to use the userAccountControl to either return enabled or disabled accounts, but it appears to be ignored and returns BOTH enabled AND disabled objects.

For example, this should return any users that are NOT disabled:
searchFilter:'(&(objectClass=user))!(userAccountControl:1.2.840.113556.1.4.803:=2)'

and this should return computer objects, but only IF they ARE disabled:
searchFilter:'(&(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=2)'


(Paul Drangeid) #4

Never mind... bad filter syntax on my part.
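Added example, not code from the thread or from APOC: a minimal RFC 4515 filter parser and evaluator, run over constructed directory entries, that rejects the filter shape used in the posts (the `!` clause sits outside the `&` parentheses, so text is left over after the top-level filter closes) and shows the bitwise-AND matching rule selecting enabled or disabled accounts once the clauses are nested correctly. The sample entries and their userAccountControl values are constructed.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND; bit 2 = ACCOUNTDISABLE

def parse_filter(text):
    """Parse an RFC 4515 filter into a tree; reject anything left after the outer ')'."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing text after filter at offset {pos}: {text[pos:]!r}")
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):      # (&(..)(..)), (|(..)(..)) or (!(..))
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} expression at offset {i}")
        return (op, kids), i + 1
    m = re.match(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=([^()]*)\)", s[i:])
    if not m:
        raise ValueError(f"bad filter item at offset {i}")
    attr, rule, value = m.groups()
    return ("=", attr, rule, value), i + m.end()

def matches(node, entry):
    """Evaluate a parsed filter against an entry: {lower-case attr: [values]}."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = [str(v).lower() for v in entry.get(attr.lower(), [])]
    if rule == BIT_AND:                    # true when every bit of `value` is set in the attribute
        return any(int(v) & int(value) == int(value) for v in values)
    return value.lower() in values

# Constructed sample entries; in AD a computer's objectClass chain also includes "user"
ENTRIES = [
    {"cn": ["srv01"], "objectclass": ["top", "user", "computer"], "useraccountcontrol": [4096]},
    {"cn": ["srv02"], "objectclass": ["top", "user", "computer"], "useraccountcontrol": [4098]},
    {"cn": ["alice"], "objectclass": ["top", "user"], "useraccountcontrol": [512]},
]

def search(filter_text, entries=ENTRIES):
    node = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(node, e)]
```

Because computer objects also carry objectClass=user, a user-only query should narrow further (for example with objectCategory) rather than relying on objectClass=user alone.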