Hi, Jim,

The example query works, and yes, I need to explicitly use "1.2.840.113556.1.4.1941" because the Active Directory server doesn't respond to the name "LDAP_MATCHING_RULE_IN_CHAIN".

Thank you for your directions.

*More Questions:*

1. Moreover, the LDAP data does have "directReports" properties, so is there a way to use this property instead of "manager=xxx"?
2. Also, the query got matched to some false positives, also I had a requirement (objectCategory=person). The data contains utility accounts, e.g., "~MEETING-ROOM.XXX", and these items are mistakenly labeled as person in category. So, are there any common practices we use to filter them out? I can manually pick them out this time, but it would be hard next time on a bigger scope.

Thank you again for your help.

On Thu, Sep 28, 2023 at 3:37 AM Jim Willeke <[email protected]> wrote:

> Try this:
> LDAP_MATCHING_RULE_IN_CHAIN Example
> Query All users that report to a department manager or their subordinates.
>
> (manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)
>
> And you will also probably need this:
> Anomaly: DirectReports but no Manager
> It is a little strange to have an entry which has DirectReports but lacks
> a manager. Could be this is the top person in the Organizational Entity or
> something is amiss.
> ldapsearch -H ldaps://serverdc.example.com:636 -x -D "[email protected]"
> -W -b "DC=example,DC=com" -s sub -a always -z 1000
> "(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))"
> "objectClass"
>
> From: https://ldapwiki.com/wiki/Wiki.jsp?page=LDAP_MATCHING_RULE_IN_CHAIN
>
> --
> -jim
> Jim Willeke
>
>
> On Thu, Sep 28, 2023 at 5:03 AM Mike Zhao <[email protected]> wrote:
>
>> Hi, All,
>>
>> For internal billing purposes, we need to find all the employees directly
>> and indirectly reporting to the director.
>>
>> For example, the branch's director is item A in LDAP (Active Directory),
>> and item B as property "manager=A", so B directly reports to A. Moreover,
>> item C has property "manager=B", so C reports to A as well indirectly. In
>> the mini example, director A's team includes B and C.
>>
>> To start from the director's item in LDAP and iteratively find all the
>> employees under him through the relation of "manager=xxx" property. The
>> data structure is like a multi-children tree, and our first thought is to
>> write a Python script and implement a BFS (breadth-first search).
>>
>> However, before re-inventing any wheels, we hope to double-check whether
>> there is a way to do it within the built-in functions of Apache Directory
>> Studio.
>>
>> We highly appreciate any hints and suggestions.
>>
>
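
Added example, not part of the e-mail thread and not code from either poster: a Python sketch of the two approaches discussed above, building the in-chain filter with the manager DN escaped per RFC 4515 so that a DN containing filter metacharacters cannot change the query, and the client-side BFS walking "directReports" instead of "manager". The function names, the sample DNs and the in-memory directory (a dict of lower-cased DN to directReports values, standing in for search results) are assumptions constructed for illustration.

```python
from collections import deque

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # OID quoted in the thread

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def in_chain_filter(manager_dn):
    """Filter for every user below manager_dn in the manager chain."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(manager:%s:=%s))" % (IN_CHAIN_OID, escape_filter_value(manager_dn)))

def all_reports(entries, root_dn):
    """Breadth-first walk over directReports, starting at root_dn.

    entries maps a lower-cased DN to that entry's directReports values.
    DNs are compared case-insensitively here, a simplification; the
    seen-set keeps a manager loop in the data from looping forever.
    """
    seen = {root_dn.lower()}
    found = []
    queue = deque([root_dn])
    while queue:
        dn = queue.popleft()
        for report in entries.get(dn.lower(), []):
            key = report.lower()
            if key not in seen:
                seen.add(key)
                found.append(report)
                queue.append(report)
    return found

# Constructed sample data: A manages B, B manages C, and B also lists A
# as a report (a loop, as bad data sometimes contains).
SAMPLE = {
    "cn=a,dc=example,dc=com": ["CN=B,DC=example,DC=com"],
    "cn=b,dc=example,dc=com": ["CN=C,DC=example,DC=com",
                               "CN=A,DC=example,DC=com"],
    "cn=c,dc=example,dc=com": [],
}

if __name__ == "__main__":
    print(in_chain_filter("CN=Smith (Ops)*,DC=example,DC=com"))
    print(all_reports(SAMPLE, "CN=A,DC=example,DC=com"))
```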
