Incomplete Results when Using LDAP Search Filter in Active Directory


I am currently facing an issue while querying Active Directory using the LDAP search filter.

This is the function:

from ldap3 import SUBTREE

# config, get_account_type and get_sam_acc_type are defined elsewhere in the script
def get_domain_users(conn):
    # enabled user accounts, excluding computer accounts (sAMAccountName ending in $)
    search_filter = '(&(objectClass=user)(objectCategory=person)(!(sAMAccountName=*$))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    attributes = ['userAccountControl', 'displayName', 'sAMAccountName', 'mail', 'whenCreated', 'whenChanged', 'lastLogontimeStamp',
                  'sAMAccountType', 'memberOf']

    conn.search(config['base_dn'], search_filter, SUBTREE, attributes=attributes)
    domain_users = []
    for entry in conn.entries:
        user_info = {
            'source.uac': get_account_type(entry['userAccountControl'].value)[1],
            'source.display_name': entry.displayName.value,
            'source.mail': entry.mail.value,
            'ad.memberOf': entry.memberOf.value,
            'ad.SamAccountName': entry.sAMAccountName.value,
            'ad.SamAccountType': get_sam_acc_type(entry.sAMAccountType.value)[1],
            'ad.whenCreated': str(entry.whenCreated.value),
            'ad.whenChanged': str(entry.whenChanged.value),
            'ad.lastLogonTime': str(entry.lastLogontimeStamp.value)
        }
        domain_users.append(user_info)
    return domain_users

This is the connection:

from ldap3 import Server, Connection, ALL

server = Server(config['ldap_server'], get_info=ALL)
conn = Connection(server, user=config['ldap_user'], password=config['ldap_password'], auto_bind=True)

This is the config:

'ldap_server': 'ldap://IP:389',
'ldap_user': 'user',
'ldap_password': 'password',
'base_dn': 'DC=ORG,DC=COM'

ldap3 version is 2.9.1

Python 3.9.16

The problem I'm encountering is that this search filter doesn't return all the user records in Active Directory, even though there are users within the specified search_base. I've ensured that the filter is correctly constructed to fetch enabled users without a blank sAMAccountName or with a specific userAccountControl setting.

Despite these conditions, the search results are incomplete, and some user records are not being returned. I'm puzzled as to why this might be happening. Are there any limitations or specific configurations in Active Directory that might cause this behavior? Or is there a better approach to construct the search filter to ensure that all relevant user records are retrieved?

I appreciate any insights or suggestions on how to modify the search filter or consider other factors that might be causing this issue. Thank you!


There are 0 answers
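One thing worth ruling out with a symptom like this (a search that silently returns only part of the user population) is the server-side result limit: Active Directory caps a single search response at the domain's MaxPageSize, which is 1000 entries in the default query policy. When more objects match, the server returns the first page together with result code 4 (sizeLimitExceeded), and ldap3 records that in conn.result instead of raising, so a script that only reads conn.entries sees a plausible but truncated list. The fix is the Simple Paged Results control (RFC 2696), which ldap3 exposes through the paged_size and paged_cookie arguments of Connection.search (or, equivalently, conn.extend.standard.paged_search). The code below is an added example, not the asker's code: the paging loop is written against the real ldap3 interface, but to run offline it is exercised against FakeADConnection, a constructed stand-in that enforces a MaxPageSize the way AD does. The filter, base DN and user entries are constructed sample values.

```python
"""Paged LDAP search with a truncation check (added example, not from the question).

search_unpaged / search_all_paged use only the parts of the ldap3 Connection
interface they need (search(), entries, result), so they can be pointed at a
real ldap3.Connection. FakeADConnection is a constructed stand-in that mimics
the AD MaxPageSize behaviour so the example runs without a directory.
"""

# OID of the RFC 2696 Simple Paged Results control; this is the key ldap3 uses
# in conn.result['controls'] to hand back the server's paging cookie.
PAGED_RESULTS_OID = '1.2.840.113556.1.4.319'

# Constructed values mirroring the question's filter and base DN.
SEARCH_FILTER = ('(&(objectClass=user)(objectCategory=person)'
                 '(!(sAMAccountName=*$))'
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
BASE_DN = 'DC=ORG,DC=COM'


def search_unpaged(conn, base_dn, search_filter, attributes):
    """Single search, as in the question, but report whether it was truncated.

    Returns (entries, truncated). An inventory or audit script should treat
    truncated=True as a failure, not as a complete result.
    """
    conn.search(base_dn, search_filter, attributes=attributes)
    truncated = conn.result.get('description') == 'sizeLimitExceeded'
    return list(conn.entries), truncated


def search_all_paged(conn, base_dn, search_filter, attributes, page_size=500):
    """Walk the paged-results cookie until the server says there is no more.

    page_size must not exceed the domain's MaxPageSize (1000 by default), or
    the server will just clamp it.
    """
    entries = []
    cookie = None
    while True:
        if not conn.search(base_dn, search_filter, attributes=attributes,
                           paged_size=page_size, paged_cookie=cookie):
            raise RuntimeError('LDAP search failed: %s' % conn.result.get('description'))
        entries.extend(conn.entries)
        control = (conn.result.get('controls') or {}).get(PAGED_RESULTS_OID)
        cookie = control['value']['cookie'] if control else None
        if not cookie:            # empty cookie (b'') marks the last page
            return entries


class FakeADConnection:
    """Constructed stand-in for ldap3.Connection (hypothetical, for this example).

    Like AD, an unpaged search returns at most max_page_size entries plus
    result code 4 (sizeLimitExceeded); a paged search returns one page per
    call with a cookie until the result set is exhausted. The filter is not
    evaluated: every constructed entry is treated as a match.
    """

    def __init__(self, directory, max_page_size=1000):
        self._directory = directory
        self._max = max_page_size
        self.entries = []
        self.result = {}

    def search(self, search_base, search_filter, search_scope=None,
               attributes=None, paged_size=None, paged_cookie=None, **_):
        matches = self._directory
        if paged_size is None:
            self.entries = matches[:self._max]
            if len(matches) > self._max:
                self.result = {'result': 4, 'description': 'sizeLimitExceeded', 'controls': {}}
                return False
            self.result = {'result': 0, 'description': 'success', 'controls': {}}
            return True
        start = int(paged_cookie) if paged_cookie else 0
        size = min(paged_size, self._max)          # server clamps to MaxPageSize
        self.entries = matches[start:start + size]
        nxt = start + size
        cookie = str(nxt).encode() if nxt < len(matches) else b''
        self.result = {'result': 0, 'description': 'success',
                       'controls': {PAGED_RESULTS_OID: {'value': {'cookie': cookie, 'size': 0}}}}
        return True


def build_directory(n):
    """Constructed user entries, enough to exceed the default MaxPageSize."""
    return [{'sAMAccountName': 'user%04d' % i, 'displayName': 'Constructed User %d' % i}
            for i in range(n)]


def demo(total_users=2500, max_page_size=1000, page_size=500):
    """Compare the question's single search with the paged loop on the fake directory."""
    conn = FakeADConnection(build_directory(total_users), max_page_size)
    partial, truncated = search_unpaged(conn, BASE_DN, SEARCH_FILTER, ['sAMAccountName'])
    full = search_all_paged(conn, BASE_DN, SEARCH_FILTER, ['sAMAccountName'], page_size)
    return len(partial), truncated, len(full)


if __name__ == '__main__':
    print(demo())   # (1000, True, 2500): unpaged search truncated, paged search complete
```

Against a real ldap3 Connection, replace the FakeADConnection with the conn from the question and keep the two helpers as they are; the truncation check in search_unpaged is the quick way to confirm whether MaxPageSize is the cause before switching the collector to search_all_paged. If the paged loop still misses accounts, the remaining suspects are permissions (the bind user cannot read every OU) or the filter itself, not the transport.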