Configuring LDAP Search Bases for Specific Groups and Users
-----------------------------------
Affected Roles: Administrator, Power Users
Related Digital Watchdog VMS Apps: DW Spectrum
Software Version: 6.0
Last Edit: July 22, 2025
-----------------------------------
LDAP Active Directory
Starting with version 6.0, DW Spectrum allows administrators to query and manage Active Directory (AD) groups as if they are native groups. These can then be used for roles and permission assignments like manually created VMS groups. Such capability has led to common questions about the best practices for retrieving only desired groups and their associated users using LDAP filters.
This article outlines methodology to configure LDAP search bases to retrieve specific Active Directory (AD) groups and users within those groups using the LDAP configuration interface in DW Spectrum.
Important Considerations
This article is provided with the assumption that the reader has a basic understanding of LDAP settings and configurations. All examples are illustrative; your Base DNs and filters will likely differ depending on your directory structure.
- Standard LDAP Calls: DW Spectrum does not use any proprietary or custom code for LDAP operations. All LDAP queries are executed by the server backend using standard protocols identical to manual LDAP calls executed in a command line.
- Filter Validation: because DW Spectrum accepts standard LDAP syntax, it is recommended to test your filters with an external LDAP query tool (e.g., ldapsearch on Linux or a GUI tool such as Apache Directory Studio) before entering them in the VMS.
Retrieving Groups
To retrieve groups in DW Spectrum, you can follow one of two configuration approaches:
- Pull all groups from a specific Organizational Unit (OU), which is ideal if all VMS-related Active Directory groups are organized within a single, dedicated OU.
- Specify individual groups by their Common Name (CN) in separate search bases, which is useful when the desired groups are distributed across multiple OUs.
How to Retrieve All Groups Within an OU
- Add a new search base.
- Name the search base as needed.
- Set the Base DN to the logical AD path of the OU from which to pull groups.
- To pull all groups within that OU into DW Spectrum, set the Filter to “objectclass=group”. This tells the LDAP search to return every group beneath the OU specified in the Base DN field.
Example: Here the Base DN is set to the default Users container, which holds all of the default groups and users in the Active Directory. The Filter field is configured to retrieve one specific group from within that container.
NOTE: Alternatively, the Base DN can be set to the group’s CN directly, which pulls the same data. For example, if the Filter field is left empty and the Base DN is set to “CN=VMS Users,DC=dwtest,DC=local”, the same data is retrieved as in the previous example.
Retrieving Users
To retrieve users within DW Spectrum, you can follow one of two configuration paths:
- Retrieve all users within a given Organizational Unit (OU), for environments that keep all of their VMS AD users in a single OU created for that purpose.
- Retrieve specific users by their group membership within the Active Directory (AD).
How to Retrieve All Users Within a Given OU
- Add and name a new Search Base.
- Set the Base DN to the logical AD path of the OU from which to pull users.
- Keep the Filter field empty.
In the example above, the Base DN is set to the OU that contains all VMS users in the example lab. The Filter is empty because the goal is to pull every user within that OU.
Keep in mind that when no filter is set, you are telling the VMS to pull everything under the specified Base DN when it performs the LDAP call. This is a common reason environments see far more users imported than they intended; both missing and incorrect filters can cause it.
How to Only Retrieve Users with Specific AD Group Membership
- Add a new search base and name it as desired.
- Set the Base DN to the logical AD path of the OU you wish to pull users from.
- Set the Filter based on group membership, using the group’s distinguished name: “memberOf=CN=[Name Of Group],[CN or OU, depending on the container the group is in]=[container where group exists],DC=[your domain],DC=[your domain extension, e.g., com, local, etc.]”
The Base DN in the example above is set to the default Users container where all users were added. The Filter is set to “memberOf=CN=VMS Power User,OU=VMS Groups,DC=dwtest,DC=local”, which filters to only those users who are members of the group “VMS Power User”.
If you wish to pull users from multiple groups, you can add an individual search base for each group whose members you wish to pull; for example, a second search base for users who are members of the “VMS Live User Group” AD group that exists in the same example lab. Alternatively, the complex filters covered briefly in the next section allow a single search base to match users across multiple group memberships.
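The memberOf template above is easy to get wrong by hand when a group name or OU contains characters that are special in a DN (commas, plus signs, quotes) or in a filter (parentheses, asterisks, backslashes). The following Python example, added here and not part of the article or DW Spectrum, builds the single-group filter and the multi-group OR variant from their parts and applies both escaping rules (RFC 4514 for the DN, then RFC 4515 for the filter value). The group names, OUs and the dwtest.local domain are constructed sample values.

```python
"""Build the memberOf filters from this article from their parts.

Added example; not DW Spectrum code. Sample values are constructed.
Two escaping rules apply: RFC 4514 for characters inside a DN, then
RFC 4515 for characters inside a filter assertion value (the whole
group DN is the assertion value of a memberOf filter).
"""

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = ',+"\\<>;'

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value (for example a group's CN) for use in a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                     # a leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):   # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot close or extend the (attr=value) assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_dc(domain: str) -> str:
    """'dwtest.local' -> 'DC=dwtest,DC=local'."""
    return ",".join("DC=" + escape_rdn_value(part) for part in domain.split("."))


def group_dn(group_cn: str, container_rdns, domain: str) -> str:
    """DN of a group. container_rdns lists (attribute, value) pairs from the
    group's immediate container outwards, e.g. [("OU", "VMS Groups")]; use
    ("CN", "Users") for a group kept in the default Users container."""
    rdns = ["CN=" + escape_rdn_value(group_cn)]
    rdns += [f"{attr}={escape_rdn_value(val)}" for attr, val in container_rdns]
    rdns.append(domain_to_dc(domain))
    return ",".join(rdns)


def member_of_filter(group_cn: str, container_rdns, domain: str) -> str:
    """The single-group filter from the article, in parenthesised RFC 4515 form."""
    return "(memberOf=" + escape_filter_value(group_dn(group_cn, container_rdns, domain)) + ")"


def members_of_any_filter(groups, domain: str) -> str:
    """One search-base filter matching users in at least one of several groups.
    groups is a list of (group_cn, container_rdns) pairs."""
    return "(|" + "".join(member_of_filter(cn, rdns, domain) for cn, rdns in groups) + ")"


if __name__ == "__main__":
    print(member_of_filter("VMS Power User", [("OU", "VMS Groups")], "dwtest.local"))
    # A constructed group name containing a comma and parentheses needs both escapes.
    print(member_of_filter("Ops, East (legacy)", [("OU", "VMS Groups")], "dwtest.local"))
    print(members_of_any_filter([("VMS Live Users", [("OU", "VMS Groups")]),
                                 ("VMS Power Users", [("OU", "VMS Groups")])], "dwtest.local"))
```

The output strings can be pasted into ldapsearch or Apache Directory Studio to confirm they return the expected members before they are entered into a DW Spectrum search base.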
Complex Filters
The examples above demonstrate how to retrieve users who are members of a specific group, and groups that are either located within a specific OU or named individually. However, if your domain forest includes multiple groups or users spread across different OUs, you would need to configure a separate search base for each distinct criterion. While this method works, it can quickly become cumbersome in complex environments.
To address this, it is helpful to understand how LDAP search filter logic can be used to streamline configuration. By using more advanced filtering, you can create search bases that serve multiple purposes. For instance, if you want to include all users who are members of different groups, you can use a single filter to capture them all instead of creating separate search bases. The following information provides guidance on how to construct and adapt such filters to similar scenarios.
LDAP filters support Boolean operators to combine multiple criteria:
- & (AND): All conditions must be true.
- | (OR): At least one condition must be true.
- ! (NOT): Excludes entries matching the condition.
By combining these operators, you can create flexible filters tailored to your environment. Below are example scenarios to illustrate how this logic can be applied (please adapt these to fit your specific needs).
Example:
To retrieve all users who are members of any one of three specific Active Directory security groups (but not necessarily all three), you can use a filter like the following:
(|(memberOf=CN=VMS Live Users,OU=VMS Groups,DC=nxtest,DC=local)
(memberOf=CN=VMS Power Users,OU=VMS Groups,DC=nxtest,DC=local)
(memberOf=CN=VMS View Users,OU=VMS Groups,DC=nxtest,DC=local))
The | (OR) operator after the opening parenthesis indicates that the filter will match users who belong to at least one of the specified groups.
If instead you want to find users who are members of all three groups, simply replace the | with an & (AND) operator. This change ensures that only users who belong to every group listed in the filter are returned.
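To see exactly what a Base DN and Filter combination returns, including the empty-filter case from the Retrieving Users section and the |, & and ! operators above, the following Python example evaluates filters against a small in-memory directory. It is an added example, not DW Spectrum code: the directory contents (users alice, bob, carol, svc-backup and the groups under nxtest.local) are constructed, Base DN scoping is a case-insensitive suffix comparison rather than full DN normalisation, and accepting a bare “objectclass=group” without parentheses, as the article writes it, is an assumption of this example.

```python
"""Evaluate LDAP search filters against a small in-memory directory.

Added example; not DW Spectrum code. Implements the RFC 4515 subset the
article uses (equality assertions combined with &, | and !) plus the
empty filter, and a subtree search scoped by Base DN. Directory data is
constructed; DN scoping is a plain suffix comparison (a simplification).
"""
import re

GROUPS_OU = "OU=VMS Groups,DC=nxtest,DC=local"
USERS_CN = "CN=Users,DC=nxtest,DC=local"
LIVE, POWER, VIEW = (f"CN=VMS {n} Users,{GROUPS_OU}" for n in ("Live", "Power", "View"))
ADMINS = f"CN=Domain Admins,{USERS_CN}"


def _group(cn, container):
    return f"CN={cn},{container}", {"objectClass": ["group"], "cn": [cn]}


def _user(cn, container, *groups):
    return f"CN={cn},{container}", {"objectClass": ["user"], "sAMAccountName": [cn],
                                    "memberOf": list(groups)}


# Constructed sample directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = dict([
    _group("VMS Live Users", GROUPS_OU), _group("VMS Power Users", GROUPS_OU),
    _group("VMS View Users", GROUPS_OU), _group("Domain Admins", USERS_CN),
    _user("alice", USERS_CN, LIVE, POWER, VIEW),
    _user("bob", USERS_CN, VIEW),
    _user("carol", USERS_CN, ADMINS),
    _user("svc-backup", "OU=Service Accounts,DC=nxtest,DC=local"),
])


def _unescape(value):
    """Undo RFC 4515 hex escapes such as \\28 and \\29."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Return ('eq', attr, value), ('and', [..]), ('or', [..]), ('not', node),
    or None for an empty filter. A bare attr=value (as written in the article)
    is taken as shorthand for (attr=value); that tolerance is an assumption."""
    text = text.strip()
    if not text:
        return None
    if not text.startswith("("):
        text = f"({text})"
    try:
        node, pos = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses in filter") from None
    if pos != len(text):
        raise ValueError("unexpected text after the closing parenthesis")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, items, i = ("and" if s[i] == "&" else "or"), [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
    elif s[i] == "!":
        op, (items, i) = "not", _parse(s, i + 1)   # items is the single negated node
    else:
        end = s.index(")", i)          # a literal ')' in a value must be escaped as \29
        attr, sep, value = s[i:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"bad assertion {s[i:end]!r}")
        return ("eq", attr.strip().lower(), _unescape(value)), end + 1
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return (op, items), i + 1


def matches(node, attrs):
    """True if an entry's attributes satisfy the filter tree (case-insensitive values)."""
    if node is None:                       # empty filter: everything under the Base DN
        return True
    kind = node[0]
    if kind == "eq":
        _, attr, wanted = node
        present = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
        return any(v.lower() == wanted.lower() for v in present)
    if kind == "and":
        return all(matches(n, attrs) for n in node[1])
    if kind == "or":
        return any(matches(n, attrs) for n in node[1])
    return not matches(node[1], attrs)     # "not"


def search(base_dn, filter_text, directory=DIRECTORY):
    """Subtree search: every entry at or below base_dn whose attributes match."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    return sorted(dn for dn, attrs in directory.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(node, attrs))


ANY_OF_THREE = ("(|(memberOf=CN=VMS Live Users,OU=VMS Groups,DC=nxtest,DC=local)"
                "(memberOf=CN=VMS Power Users,OU=VMS Groups,DC=nxtest,DC=local)"
                "(memberOf=CN=VMS View Users,OU=VMS Groups,DC=nxtest,DC=local))")
ALL_OF_THREE = "(&" + ANY_OF_THREE[2:]   # same filter with | replaced by &

if __name__ == "__main__":
    for base, flt in [(GROUPS_OU, "objectclass=group"),   # all groups in the OU
                      (USERS_CN, ""),                       # empty filter: users and the group
                      (USERS_CN, ANY_OF_THREE), (USERS_CN, ALL_OF_THREE),
                      (USERS_CN, f"(&(objectClass=user)(!(memberOf={VIEW})))")]:
        print(f"{base} | {flt or '<empty>'}\n   -> {search(base, flt)}")
```

Running it shows the two behaviours the article warns about: the empty filter over the Users container returns the Domain Admins group as well as every user beneath it, and switching the three-group filter from | to & shrinks the result from alice and bob to alice alone.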
For a deeper understanding of how LDAP filters function, please refer to the resource available here: https://ldap.com/ldap-filters/
______________________________________________________________________________
For More Information or Technical Support
DW Technical Support: https://www.digital-watchdog.com/contact-tech-support/
DW Sales: [email protected] | www.digital-watchdog.com
Rev: 06/25 Copyright © DW. All rights reserved. Specifications and pricing subject to change without notice.