Under User Sources (in Gateway Settings > Config > Security > Users, Roles), we set up an Active Directory source to use LDAP. In the User Search Filter, what syntax can I use to narrow down to only look for users that are members of a specific group or groups of our Active Directory? In the User Search Base, I want to use the whole domain, so I would put (DC=companyname,DC=com). But I need to filter this down to users that are only part of a certain group in the User Search Filter. If I don’t, it takes a long time and seems to hang up since it’s looking at all users in AD. I’ve tried many things, but can’t get it to work.
I’m not referring to the Roles Filter section. I know how to narrow down to the Security Groups in AD for Ignition to search through in Roles.
Yes, hopefully this helps you and others. The method that we needed to use was the User List Filter along with the User Listing Base and User Search Filter. It helps to get the DistinguishedName of the path to the OU you want to use (like Sysinternals AD Explorer). I will describe the filter strings below.
# Use this to narrow down which Organizational Units to search. The more you use, the faster the audit roles will be. Being too broad can make it slower. To do this you combine your OUs separately with parentheses.
User Listing Base: (OU=SomeOU,DC=Domain,DC=com)(OU=SomeOtherOU,DC=Domain,DC=com)(OU=YetAnotherOU,DC=Domain,DC=com)
# This was the most important and needed help from IA support.
User List Filter: (&(objectCategory=person)(objectClass=user)(!(objectClass=computer))(|(memberOf=CN=YourOUGroup,OU=Security Groups,OU=SubsubFolderOU,OU=SubFolderOU,OU=MainOU,DC=Domain,DC=com)))
# Left this as default.
User Search Filter: (&(objectClass=user)(sAMAccountName={0}))
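As an added example (not code from the post above or from Ignition itself), the following builds the same three-part filter shape for one or more group DNs, and shows what the default User Search Filter looks like once Ignition substitutes the `{0}` placeholder. Values placed inside a filter are escaped per RFC 4515 so that characters such as `*`, `(`, `)` or `\` in a username or DN cannot change the filter's structure. The group DNs and usernames used are constructed sample values, and `balanced()` is a simple sanity check, not an LDAP parser.

```python
"""Build and sanity-check LDAP user filters of the kind used in the
Ignition AD/LDAP user source settings. Added example; uses only the
standard library and constructed sample values."""

from typing import Iterable

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_list_filter(group_dns: Iterable[str]) -> str:
    """Person + user objects that are not computers and are a direct
    member of at least one of the given groups (same shape as the post's
    User List Filter; the (|...) wrapper is kept even for a single group)."""
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    return (
        "(&(objectCategory=person)(objectClass=user)(!(objectClass=computer))"
        f"(|{''.join(clauses)}))"
    )


def user_search_filter(username: str) -> str:
    """The default User Search Filter with {0} replaced by an escaped username."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def balanced(filter_str: str) -> bool:
    """True if parentheses are balanced. Escaped parens are \28 / \29,
    so only structural parens are counted."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample group DNs, not from a real directory.
    groups = [
        "CN=YourOUGroup,OU=Security Groups,OU=MainOU,DC=Domain,DC=com",
        "CN=AnotherGroup,OU=Security Groups,OU=MainOU,DC=Domain,DC=com",
    ]
    f = user_list_filter(groups)
    print(f, balanced(f))
    # A username containing ')' is neutralised by escaping.
    print(user_search_filter("jdoe)"))
```

Note that `memberOf` only matches direct group membership; nested groups are not expanded by a plain `memberOf=` clause, so a user who is in a group that is itself a member of your target group will not be returned by this filter.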
First of all, thanks for providing this information. I am currently working in 8.3 version trying to set up AD purely where groups would determine the level of access.
For some reason, the way I have set it up only auths against the whole domain and not the group by default.
Below is my configuration. I attempted your method and still no luck. Several combinations attempted and no luck. With service account.
User search base
(CN=APP_CS_DEV,OU=APP,OU=Groups,DC=GPT,DC=com)
User search filter
default
User list filter
(&(objectCategory=person)(objectClass=user)(!(objectClass=computer))(|(memberOf=CN=APP_CS_DEV,OU= APP,OU=Groups,DC=GPT,DC=com)))
Every other parameter is default in that regard. Domain is also auth with service account.
Keep in mind the filters in the AD configuration only limit what you can see in the Ignition web interface. It does not limit who can log in, in my experience. Login permissions are done via roles based on group access and will need to be configured separately.