Create an LDAP query


The Active Directory connector pulls user information from your company’s Active Directory database to populate Genesys Cloud profile fields. Active Directory databases contain more than just users, so the connector uses an LDAP query to sort people from non-people. Since every organization’s Active Directory is different, there is no one-size-fits-all LDAP query that works everywhere. 

You can create an LDAP query using the tools in Genesys Cloud’s self-service interface, or you can write your own. Use the instructions here to write a query that you can paste into the LDAP Query field when configuring the connector. We recommend finding the LDAP query that works best for you by testing it with LDIFDE Export. LDIFDE is a free command-line tool from Microsoft that runs on Windows Server. See the LDIFDE site for details.

  1. Collect the parameter values for your LDIFDE Export command:

    • Server name
    • Root of LDAP search
    • Search scope
    • Comma-separated attributes list
  2. Create the LDIFDE Export command for testing the query.

    1. Create a command to export to a file. This dumps your whole Active Directory database into a file, which can be useful for sending to Genesys Cloud to troubleshoot LDAP query issues. Because the file contains your entire directory export, treat it as sensitive data.

      ldifde -f ExportUser.ldf
    2. Include the LDAP query:

      ldifde -r "LDAP query" -f ExportUser.ldf
    3. Include the LDAP search root:

      ldifde -r "LDAP query" -f ExportUser.ldf -d "dc=Export,dc=com"
    4. Include the server:

      ldifde -r "LDAP query" -f ExportUser.ldf -d "dc=Export,dc=com" -s Server1
    5. Include a comma-separated attributes list:

      ldifde -r "LDAP query" -f ExportUser.ldf -d "dc=Export,dc=com" -s Server1 -l "cn,givenName,objectclass,samAccountName"
    6. Include the search scope:

      ldifde -r "LDAP query" -f ExportUser.ldf -d "dc=Export,dc=com" -s Server1 -l "cn,givenName,objectclass,samAccountName" -p subtree
  3. Test your LDIFDE Export command by starting with a simple LDAP query.

    For example, start with all users who have an email address:

    (&(objectCategory=User)(mail=*))

    You may find that the number of entries returned exceeds the number of people in your organization because printers, conference rooms, guest users, etc. can also be returned.

  4. Expand the query incrementally until it returns only the users you want. For example:

    Active users with an email address (this example also excludes the single account jdk82):

    (&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(!(sAMAccountName=jdk82)))

    Regular user accounts (samAccountType 805306368) that are User objects and are active:

    (&(samAccountType=805306368)(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    Users who are persons AND whose Exchange hide-from-address-lists property is not set to TRUE AND whose company and email address are not blank AND whose manager field is not blank:

    (&(objectCategory=person)(objectClass=user)(!(msExchHideFromAddressLists=TRUE))(company=*)(mail=*)(|(manager=*)))
  5. Expand the query to include the CEO (or any person in your organization without a manager).

    Users who are persons AND whose Exchange hide-from-address-lists property is not set to TRUE AND whose company and email address are not blank AND whose manager field is not blank unless the user’s name is Mr. Brown:

    (&(objectCategory=person)(objectClass=user)(!(msExchHideFromAddressLists=TRUE))(company=*)(mail=*)(|(manager=*)(name=Mr. Brown)))

    The operation (|(manager=*)(name=Mr. Brown)) means that either manager=* or name=Mr. Brown must be true.

  6. Optionally, restrict the query to a group within LDAP. Use the memberOf attribute with the matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) in the LDAP query to perform a nested search, so that members of groups nested inside the named group are also returned. For example:

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))
  7. Save the LDAP query; you will paste it into the LDAP Query field when configuring the Active Directory Bridge Connector.
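To check how a candidate filter from steps 3 to 5 behaves before running it against a live directory, here is a small evaluator, added as an example and not Genesys or Microsoft code, that parses the filter syntax used on this page (AND, OR, NOT, presence, equality, and the 1.2.840.113556.1.4.803 bitwise-AND rule on userAccountControl) and runs it over a constructed sample directory. The sample entries in DIRECTORY, their attribute values and the function names are assumptions made for the example.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND, used to test userAccountControl bits

def parse(s, i=0):
    """Parse the parenthesised filter at s[i]; return (node, index just after it)."""
    if s[i] == "(" and s[i + 1] in "&|!":                   # compound: (&...), (|...), (!...)
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} filter at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                                   # simple item: (attr[:rule:]=value)
    m = re.fullmatch(r"\(([\w-]+)(?::([\d.]+):)?=(.*)", s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r} at offset {i}")
    attr, rule, value = m.groups()
    return ("item", attr.lower(), rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attribute -> value)."""
    op = node[0]
    if op in ("&", "|", "!"):
        results = [matches(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:                    # an absent attribute matches nothing, so (!(attr=x)) is true
        return False
    if rule == BIT_AND:                   # every bit in value must be set in the integer attribute
        return int(actual) & int(value) == int(value)
    if attr == "objectcategory" and value.lower() == "user":
        value = "person"                  # AD resolves objectCategory=user to the Person category
    return value == "*" or str(actual).lower() == value.lower()   # presence test, else case-insensitive

def select(filter_str, entries):
    """Return the sAMAccountNames the filter would return; ValueError if the filter is malformed."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("text after the closing parenthesis")
    return [e["samaccountname"] for e in entries if matches(tree, e)]

# Constructed sample directory (not real data): an active user with a manager, the CEO without one, and a disabled room-mailbox user object (userAccountControl bit 2 set).
U = {"objectcategory": "person", "objectclass": "user", "company": "Example"}
DIRECTORY = [
    dict(U, samaccountname="jsmith", mail="js@example.com", useraccountcontrol=512, manager="CN=Brown"),
    dict(U, samaccountname="brown", name="Mr. Brown", mail="ceo@example.com", useraccountcontrol=512),
    dict(U, samaccountname="room101", mail="rm@example.com", useraccountcontrol=514, msexchhidefromaddresslists="TRUE"),
]
```

Running the step 3 filter over DIRECTORY returns the room mailbox as well as the two people, which is the over-matching the page describes; the step 4 and step 5 filters narrow it to the people, and a filter missing its opening parenthesis is rejected rather than silently returning nothing.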