Distinguished Name (DN) Filter for Active Directory
Starting in JIMS release 1.3, you can configure JIMS to exclude an entire domain by using a Distinguished Name (DN) exclusion filter. The DN filter is a list of regular expressions that JIMS applies to user information on ingress from Active Directory (AD). When JIMS reads a DN from Active Directory that matches a specified regular expression, JIMS discards the DN and does not attempt to pursue or await further information about that DN. For example, if a group in domain1.net has a user in domain2.net, and the regular expression in the DN filter is .*DC=domain2,DC=net, then JIMS does not attempt to contact an AD about a user in domain2. JIMS is not designed to query users in a universal and global group that JIMS is not directly connected to. Use the DN filter to avoid these domains.
Using the DN filter has some side effects. If you match at the organizational unit (OU) level and move a user from an OU that is not filtered to an OU that is filtered out, the cached user remains in the first group, because the filter suppresses the user update. Future group updates will drop the user from those groups. Restarting the JIMS service resets the mapping. If you need to regularly filter on OUs and move users, contact your Juniper Account Team.
After specifying the DN filter, restart JIMS so that it reads all the user information again and excludes the domains in the DN filter.
Navigate to Settings > DN Filters and follow these steps to add, delete, or edit a DN filter regular expression such as .*DC=Domain, DC=com.* :
- To add a DN regular expression in the DN Filters area, click Add. The Distinguished Name Filter page appears. Enter the regular expression and click OK.
- To edit an existing regular expression, select the DN in the list and click Edit. The Distinguished Name Filter page appears. Edit the DN regular expression and click OK.
- To delete a DN regular expression in the Distinguished Name Filter area, click Delete.
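Because a matching DN is silently discarded, it helps to dry-run a filter list against DNs exported from your own directory before entering it and restarting JIMS. The following is an added example, not Juniper code: the function name, the sample DNs, and the second filter are constructed, and whole-string, case-insensitive matching is an assumption, since this page does not state how JIMS anchors expressions or treats case.

```python
import re

# Constructed sample DNs, standing in for an export from your own directory.
SAMPLE_DNS = [
    "CN=Alice,OU=Staff,DC=domain1,DC=net",
    "CN=Bob,OU=Staff,DC=domain2,DC=net",
    "CN=Carol,OU=Lab,DC=child,DC=domain2,DC=net",
    "CN=Dave,OU=Staff,DC=domain2,DC=network,DC=example",
]


def dry_run(filters, dns, flags=re.IGNORECASE):
    """Return (discarded, kept, unused_filters) for a list of DN filters.

    Assumption: a DN is discarded when any expression matches the whole DN,
    ignoring case. The JIMS page does not document anchoring or case rules.
    """
    # re.compile raises re.error here if an expression is not valid syntax.
    compiled = [(f, re.compile(f, flags)) for f in filters]
    discarded, kept, used = {}, [], set()
    for dn in dns:
        hit = next((f for f, rx in compiled if rx.fullmatch(dn)), None)
        if hit is None:
            kept.append(dn)
        else:
            discarded[dn] = hit  # record which filter dropped this DN
            used.add(hit)
    # A filter that drops nothing is usually a typo (for example stray whitespace).
    unused = [f for f in filters if f not in used]
    return discarded, kept, unused


if __name__ == "__main__":
    filters = [
        ".*DC=domain2,DC=net",       # expression from the example on this page
        ".*DC=domain3, DC=net.*",    # constructed: note the space after the comma
    ]
    discarded, kept, unused = dry_run(filters, SAMPLE_DNS)
    for dn, f in discarded.items():
        print(f"DISCARD {dn}  (matched {f})")
    for dn in kept:
        print(f"KEEP    {dn}")
    for f in unused:
        print(f"UNUSED  {f}  (matched no sample DN)")
```

Under these assumptions the page's expression also discards users in the child domain child.domain2.net, which is worth confirming is intended before the filter goes live.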