Problem

At the moment the Insight LDAP import does not allow to import users or groups from a specific Organization Unit (OU) if those are directly located under the root/Base DN of the LDAP/AD server tree.

Cause

This can happen in situations where in the general Insight LDAP import configuration, the Base DN and Search Filter set to refer to all the object types/selectors retrieved from the server:

The solution for this is to select the multiple OUs in the object type mapping for users or groups in the Selector config. However, at the moment the Insight LDAP integration only allows one OU set for each selector (e.g ou=users):

Workarounds

There are three workarounds available to overcome this. For example, let's apply the workaround in the situation where there are have 2 OUs, users and customers just under LDAP Base DN.

Workaround 1:

Create an object type for each OU, one for Users and one for Customers. Then define multiple object type mappings in the import config and set the scope of LDAP as the selector. For this scenario, it will be ou =users for object type users and ou=customers for object type customers.

Workaround 2:

Configure multiple LDAP imports pointing to the same LDAP Server and in each of them configure a different selector OU for the same object type so that both of them will be imported in them over the same object type. However this option needs to be carefully tested first over a dummy schema, as the import options (ex. the Missing objects set to Update or Delete) could remove the objects imported from one import.

Workaround 3:

Move all the OUs from the Base DN into an additional parent OU under the Base DN in your LDAP/AD Server. E.g.:

This way admins will be setting OU parent in the selector of users mapping object type configuration and Insight would fetch users from both the OUs.

For more info about the missing feature please check also:

• JSDSERVER-11161 - Getting issue details... STATUS