I'm not familiar with Sun One (I'm better at Active Directory), but this may help.
Your actual object looks like "cn=mrbig,ou=executive,dc=msi-inc,dc=com". OU is not an attribute of a user object, so that is why you can't use that attribute in the filter. However, the OU is "part of" the user's distinguishedName. You should be able to set your filter to include a partial distinguishedName. FILTER="(&(distinguishedName=*ou=executive,dc=msi-inc,dc=com)(uid=#form. username#))" M!ke Dawson University of Evansville -----Original Message----- From: Steve Metzger [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 20, 2007 6:54 PM To: CF-Talk Subject: CFLDAP and Sun One Directory Service We built a hierarchy in Sun one with various layers of OUs and groups with users under them. We thought it would be good practice to have each user possess a single user entry in the hierarchy. We use CFLDAP to authenticate, but we would like to limit the FILTER= parameter to a subset of OUs and groups that lie across various OUs. Example. Under Sales we have GroupA and GroupB OUs Under Marketing we have GroupC and GroupD Under Executive we have user mrbig and mrsmall If i want to add more intelligence to my authentication and my website is only for GroupA and GroupC and those under Executive I would expect a filter statement like this: (&(objectclass=person)(|(ou=GroupA)(ou=GroupC)(ou=Executive))(uid=#form. username#)) But we cannot include ou in objectclass=person for some reason... Any clues? thanks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Check out the new features and enhancements in the latest product release - download the "What's New PDF" now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293646 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4