Add exclusion condition to the search filter in directory sync profile in SpanVA
Article ID: 260112

Products

CASB Audit CASB Gateway CASB Gateway Advanced

Issue/Introduction

The directory sync settings in SpanVA include two LDAP search strings: one for the directory users and one for the directory groups.

This article shows how to define the exclusion (NOT) operator in these search filters.

Environment

SpanVA is configured with a Directory Sync profile.

Resolution

The logical "NOT" operator is represented by the exclamation mark "!" in an LDAP search filter, and it needs an extra pair of parentheses.

Example:

X AND Y is represented in LDAP syntax as

(&(X)(Y))

For example, the condition to get all users where the object category is "person" and the object class is "user" is written as:

(&(objectCategory=person)(objectClass=user))

To exclude "Y", replace (Y) with (!(Y)):

X AND NOT Y = (&(X)(!(Y)))

For example, the condition to get all users but not the managers gives this final LDAP expression:

(&(objectCategory=person)(objectClass=user)(!(manager=*)))
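The following Python snippet is an added example, not part of the article or of SpanVA: it parses the small LDAP filter subset used above (&, |, !, attr=value and the attr=* presence test) and runs the two filters from this article against constructed directory entries, so you can check before saving a profile which entries the (!(...)) clause keeps and which it drops. The entries and names are constructed sample data; RFC 4515 value escaping is not handled.

```python
# Minimal evaluator for the LDAP filter subset used in the article.
# Constructed example; not SpanVA code and not a full RFC 4515 parser.

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "(", f"expected '(' at position {i}"
    i += 1
    if s[i] in "&|!":                       # compound filter: (&...), (|...), (!...)
        op, kids = s[i], []
        i += 1
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                   # simple item: (attr=value) or (attr=*)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)   # NOT wraps exactly one sub-filter
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence test: attribute has any value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_str, entries):
    """Return the cn of every entry the filter selects, in input order."""
    tree, _ = parse(filter_str)
    return [e["cn"][0] for e in entries if matches(tree, e)]

# Constructed sample entries (not real directory data).
ENTRIES = [
    {"cn": ["alice"], "objectcategory": ["person"], "objectclass": ["user"], "manager": ["cn=carol"]},
    {"cn": ["bob"], "objectcategory": ["person"], "objectclass": ["user"]},
    {"cn": ["carol"], "objectcategory": ["person"], "objectclass": ["user"]},
    {"cn": ["svc-sync"], "objectcategory": ["person"], "objectclass": ["computer"]},
]

USERS = "(&(objectCategory=person)(objectClass=user))"
USERS_WITHOUT_MANAGER = "(&(objectCategory=person)(objectClass=user)(!(manager=*)))"

if __name__ == "__main__":
    print(search(USERS, ENTRIES))                  # alice, bob, carol
    print(search(USERS_WITHOUT_MANAGER, ENTRIES))  # only entries with no manager attribute
```

Because (manager=*) is a presence test, its negation selects entries that have no manager attribute at all; check the attribute semantics against your directory before relying on the clause.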

Additional Information

Active Directory LDAP Syntax Filter