A new feature was recently added in version 2.5.914 that can assist with creating a custom filter for the LDAP query that TPAM sends to Active Directory.
The description below has been taken from the Admin Guide (page 146) and can also be seen in the question bubble next to the Filter field in the web interface.
Using LDAP filter syntax, you can narrow the results of the Distinguished Name entry. The filter is wrapped with a standard filter used to return only computers or users based on the type of LDAP mapping. The standard filter syntax is included in the listing above once you enter any text into the filter, but you cannot edit any part of the standard filter. The filter you enter will be validated for basic syntax as you edit, but the content is not checked until the Distinguished Name is validated. Valid/invalid syntax will be indicated with a green check mark or red X to the left of the text.
The basics of the filter syntax are as follows:
- Must start with (, end with ) and contain one or more comparison conditions.
- May group comparisons inside of (&…) (AND), (|…) (OR), (!…) (NOT).
- Comparison conditions must be surrounded by parentheses in the form (attribute operator value).
- operator may be = (equal to), ~= (approximately equal to), <= (less than or equal), or >= (greater than or equal).
- Subfilters may be nested within another ([&|!]...) construct.
Example: (&(sn=Smith)(description=Maine*)(|(cn=Tom)(cn=Dick)(cn=Harry))) - matches entries whose surname (sn) is Smith AND whose description starts with "Maine" AND whose common name (cn) is Tom, Dick or Harry
Example to ignore an OU: (&(&(ou>="")(objectCategory=organizationalUnit)(objectClass=organizationalUnit)(!ou=Defender)))
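The following is an added example, not TPAM's own validator: a small recursive-descent checker for the filter syntax listed above (parenthesised comparisons, the four operators, and &, |, ! grouping per RFC 4515). Note that RFC 4515 requires the operand of ! to be a parenthesised filter, so the checker accepts the first example as written but only accepts the OU example in the form (!(ou=Defender)); whether TPAM's own validator is more lenient about the bare (!ou=Defender) form is not something this page states.

```python
import re

# Comparison operators listed in the admin guide; two-character operators are
# tried first so that "ou>=x" is not mis-split on the plain "=".
_OPERATORS = ("~=", "<=", ">=", "=")
# Attribute description: keystring or numeric OID, optional ";options".
_ATTR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.;-]*$")


def validate_filter(text: str) -> bool:
    """Return True if `text` is one complete, well-formed LDAP search filter."""
    try:
        end = _parse_filter(text, 0)
    except ValueError:
        return False
    return end == len(text)  # reject trailing garbage after the last ')'


def _parse_filter(s: str, i: int) -> int:
    """Parse '(' filtercomp ')' starting at s[i]; return the index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":  # AND/OR: one or more subfilters
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise ValueError("empty AND/OR group")
    elif i < len(s) and s[i] == "!":
        i = _parse_filter(s, i + 1)  # NOT: exactly one parenthesised subfilter
    else:
        i = _parse_comparison(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _parse_comparison(s: str, i: int) -> int:
    """Check 'attribute operator value' and return the index of the closing ')'.
    In RFC 4515 a literal ')' inside a value must be escaped as \\29, so the
    first unescaped ')' terminates the comparison. Wildcards (*) need no check."""
    close = s.find(")", i)
    if close == -1:
        raise ValueError("unterminated comparison")
    body = s[i:close]
    for op in _OPERATORS:
        attr, sep, _value = body.partition(op)
        if sep:
            if not _ATTR_RE.match(attr):
                raise ValueError(f"bad attribute name {attr!r}")
            return close
    raise ValueError(f"no comparison operator in {body!r}")
```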