{"id":43729,"date":"2026-03-11T14:43:12","date_gmt":"2026-03-11T11:43:12","guid":{"rendered":"https:\/\/trueconf.com/blog\/?p=43729"},"modified":"2026-03-11T14:43:12","modified_gmt":"2026-03-11T11:43:12","slug":"filtering-ldap-accounts","status":"publish","type":"post","link":"https:\/\/trueconf.com/blog\/knowledge-base\/filtering-ldap-accounts","title":{"rendered":"Filtering LDAP accounts"},"content":{"rendered":"<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">The <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc4511\" target=\"_blank\" rel=\"noopener\">LDAP protocol<\/a> is an effective tool for centralized management of account data in a corporate infrastructure.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">You can learn more about the LDAP protocol and Microsoft Active Directory in our <a href=\"https:\/\/trueconf.com\/blog\/wiki\/active-directory-ldap\" target=\"_blank\" rel=\"noopener\">article<\/a>.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">LDAP-compatible directory services (such as Active Directory, FreeIPA, or 389 Directory Server) support Single Sign-On: users receive a single account which enables them to access all corporate applications. This strategy reduces administrative overhead and improves the user experience.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">Solutions such as TrueConf Server and its more advanced version, TrueConf Enterprise, are frequently used in corporate settings to provide team messaging and video conferencing. They can also be integrated with LDAP directories. 
Detailed configuration of the TrueConf messenger is described in the <a href=\"https:\/\/trueconf.com\/docs\/server\/en\/admin\/accounts#ldap-mode\" target=\"_blank\" rel=\"noopener\">documentation<\/a>.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">Keep in mind that directories may contain service accounts (machine objects) and regular users who do not need access to certain services. TrueConf Server enables administrators to exclude such entries from synchronization. To do this, configure filters that define the group of users who will be synchronized from Active Directory.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">To find the right users, you can use two tools available in the LDAP integration settings of TrueConf Server:<\/p>\r\n<ul class=\"ui-list ui-list--medium ui-mb-sm-1 ui-mt-xs-3\">\r\n    <li class=\"ui-list__item ui-list__item--num\"><b>Path (distinguishedName)<\/b> \u2014 the full unique name of an entry in the directory. 
With DN, you can select a group of users to be added to TrueConf Server (if LDAP integration is already configured on your server, you may skip this step).<\/li>\r\n    <li class=\"ui-list__item ui-list__item--num\"><b>Filter Disabled<\/b> \u2014 this parameter specifies the accounts that are disabled and will not be displayed on your TrueConf Server.<\/li>\r\n<\/ul>\r\n<h2 id=\"filter-config\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Filtering configuration with the help of DN<\/h2>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">To make sure that only certain users can access the features of TrueConf Server,  we recommend creating a separate group of objects in the directory service.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">You can specify the group to be synchronized in the section Users \u2192 LDAP \/ Active Directory \u2192 LDAP Settings.<\/p>\r\n<a href=\"https:\/\/trueconf.com\/blog\/wp-content\/uploads\/2026\/03\/image4.png\" data-rel=\"lightbox-gallery-Pc1YUene\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/trueconf.com\/blog\/wp-content\/uploads\/2026\/03\/image4.png\" alt=\"\" width=\"1999\" height=\"1220\" class=\"alignnone size-full wp-image-43730\" loading=\"lazy\" title=\"\" srcset=\"https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image4.png 1999w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image4-690x421.png 690w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image4-1024x625.png 1024w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image4-768x469.png 768w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image4-1536x937.png 1536w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/a>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">On the opened page, find the <b>Path (distinguishedName)<\/b> field and enter the parameters based on the 
data from the table:<\/p>\r\n<table style=\"overflow-x: auto; display: block;\" class=\"ui-mb-sm-1 ui-mt-xs-3\">\r\n   <thead>\r\n      <tr>\r\n      <th style=\"padding: 8px 16px; text-align: left; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\"><strong>\r\n      Designation\r\n      <\/strong><\/th>\r\n      <th style=\"padding: 8px 16px; text-align: left; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\"><strong>\r\n      Explanation\r\n      <\/strong><\/th>\r\n      <th style=\"padding: 8px 16px; text-align: left; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\"><strong>\r\n      Purpose\r\n      <\/strong><\/th>\r\n      <\/tr>\r\n   <\/thead>\r\n   <tbody>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        dc\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Domain Component\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Part of the domain DNS name\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        ou\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Organizational Unit\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Division, department, group\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n            <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n            
cn\r\n            <\/td>\r\n            <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n            Common Name\r\n            <\/td>\r\n            <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n            General name of an object (person, group, service)\r\n            <\/td>\r\n      <\/tr>\r\n   <\/tbody>\r\n<\/table>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">Based on this DN table, the <code>trueconf_users<\/code> group in the <code>example.com<\/code> domain will have the following entry:<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\"><code>cn=trueconf_users,ou=Groups,dc=example,dc=com<\/code> &#8211; AD, FreeIPA \/ ALD Pro, 389 Directory Server, OpenLDAP<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">If you are unable to determine the DN of your group, or if your directory tree differs significantly from the one shown here, use the terminal (console) on the machine where the directory service is installed. 
Run the command that matches your directory service and you will see a detailed description of the DN for your group:<\/p>\r\n<ul class=\"ui-list ui-list--medium ui-mb-sm-1 ui-mt-xs-3\">\r\n    <li class=\"ui-list__item ui-list__item--disc\"><code>Get-ADGroup group_name | Select-Object DistinguishedName<\/code> \u2014 AD (run in Windows PowerShell)<\/li>\r\n    <li class=\"ui-list__item ui-list__item--disc\"><code>ipa group-show group_name --raw<\/code> \u2014 FreeIPA\/ALD Pro (in the Linux console)<\/li>\r\n    <li class=\"ui-list__item ui-list__item--disc\"><code>ldapsearch -x -H ldap:\/\/your-ldap-server \\\r\n  -D \"bind_dn\" -W \\\r\n  -b \"dc=example,dc=com\" \\\r\n  \"(cn=group_name)\" dn<\/code> \u2014 for any LDAP server on Windows and Linux<\/li>\r\n<\/ul>\r\n<div class=\"accent-note accent-note--line ui-mb-sm-1 ui-mt-xs-3\"><p class=\"primary-medium-text\">\r\nwhere <code>group_name<\/code> is the name of your group.\r\n<\/p><\/div>\r\n \r\n<pre class=\"lang:default decode:true \" >ldapsearch -x -H ldap:\/\/localhost   -D \"cn=admin,dc=example,dc=com\" -W   -b \"dc=example,dc=com\"   \"(cn=group_name)\" dn\r\nEnter LDAP Password:\r\n# extended LDIF\r\n\r\n# LDAPv3\r\n# base &lt;dc=example,dc=com&gt; with scope subtree\r\n# filter: (cn=group_name)\r\n# requesting: dn\r\n\r\n# search result\r\nsearch: 2\r\nresult: 0 Success\r\n\r\n# numResponses: 1\r\n<\/pre> \r\n\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">For more details, please refer to the relevant documentation on directory services.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">Once you have successfully connected to a directory service via LDAP, you can select a group by clicking on the <b>Browse<\/b> button.<\/p>\r\n<h2 id=\"custom-filter\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Use of a custom filter<\/h2>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">Sometimes a group whose users need to be synchronized with TrueConf Server contains service accounts that 
cannot be disabled or moved. In this case, you can configure filters on the TrueConf Server side.<\/p>\r\n<div class=\"accent-note accent-note--line ui-mb-sm-1 ui-mt-xs-3\"><p class=\"primary-medium-text\">\r\nTo learn how a filter can be created, refer to the official Active Directory documentation.\r\n<\/p><\/div>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">You can also use the table below to build a filter: take the conditions you need from it and substitute your own values.<\/p>\r\n<h3 id=\"builder\" class=\"h5--main h5--thick black-text ui-mb-xs-3 ui-mt-md-1\">LDAP filter builder<\/h3>\r\n<table style=\"overflow-x: auto; display: block;\" class=\"ui-mb-sm-1 ui-mt-xs-3\">\r\n   <thead>\r\n      <tr>\r\n        <th style=\"padding: 8px 16px; text-align: left; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\"><strong>\r\n        Condition\r\n        <\/strong><\/th>\r\n        <th style=\"padding: 8px 16px; text-align: left; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\"><strong>\r\n        Filter\r\n        <\/strong><\/th>\r\n      <\/tr>\r\n   <\/thead>\r\n   <tbody>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Search for users\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        <code>(objectClass=user)<\/code> &#8211; only for AD<br><code>(objectClass=inetOrgPerson)<\/code> &#8211; only for OpenLDAP\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Only active accounts\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" 
class=\"primary-smallest-text\">\r\n        <code>(!(userAccountControl:1.2.840.113556.1.4.803:=2))<\/code> &#8211; only for Active Directory\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Member of a specific group\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        <code>(memberOf=CN=tcusers,OU=Groups,DC=example,DC=com)<\/code>\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        There must be an email address\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        <code>(mail=*)<\/code>\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        Specific email\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        <code>(mail=test@example.com)<\/code>\r\n        <\/td>\r\n      <\/tr>\r\n      <tr>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        The username contains the keyword\r\n        <\/td>\r\n        <td style=\"padding: 8px 16px; border: 1px solid #d7d8d8; vertical-align: middle;\" class=\"primary-smallest-text\">\r\n        <code>(cn=*test*)<\/code>\r\n        <\/td>\r\n      <\/tr>\r\n   <\/tbody>\r\n<\/table>\r\n<div class=\"accent-note accent-note--line accent-note--special ui-mb-sm-1 ui-mt-xs-3\"><p class=\"primary-medium-text\">\r\nThe <code>memberOf<\/code> 
parameter has to match the group selected for synchronization on the side of TrueConf Server.\r\n<\/p><\/div>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">For example, here is a filter that will find all active users from the Developers group in Active Directory if their names include the <code>test<\/code> substring:<\/p>\r\n \r\n<pre class=\"lang:default decode:true \" >(&amp;\r\n  (objectClass=user)\r\n  (cn=*test*)\r\n  (memberOf=CN=Developers,OU=Groups,DC=example,DC=com)\r\n  (!(userAccountControl:1.2.840.113556.1.4.803:=2))\r\n)\r\n<\/pre> \r\n\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">(the filter can also be written in a single line without line breaks)<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">After the filter has been created, go to <code>Users \u2192 LDAP \/ Active Directory \u2192 LDAP Settings<\/code>, open the <code>Advanced<\/code> tab, and enter the filter you created earlier, in the <b>Filter Disabled<\/b> field.<\/p>\r\n<a href=\"https:\/\/trueconf.com\/blog\/wp-content\/uploads\/2026\/03\/image1.png\" data-rel=\"lightbox-gallery-Pc1YUene\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/trueconf.com\/blog\/wp-content\/uploads\/2026\/03\/image1.png\" alt=\"\" width=\"1999\" height=\"1143\" class=\"alignnone size-full wp-image-43731\" loading=\"lazy\" title=\"\" srcset=\"https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image1.png 1999w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image1-690x395.png 690w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image1-1024x586.png 1024w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image1-768x439.png 768w, https:\/\/trueconf.com/blog\/wp-content\/uploads\/2026\/03\/image1-1536x878.png 1536w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/a>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">After you apply new 
settings, only users who match the specified filter will be added to the server.<\/p>\r\n<p class=\"primary-medium-text ui-mb-sm-1 ui-mt-xs-3\">For a better understanding of the topic, we recommend reviewing the documentation provided by your directory service provider.<\/p>\r\n<div class=\"accent-note accent-note--line ui-mb-sm-1 ui-mt-xs-3\"><p class=\"primary-medium-text\">\r\nIn addition to the Filter Disabled parameter, there are other parameters such as Filter Login, Filter CallID, and Filter Group. There is no need to change them because they are used to specify which entries in the directory service will be considered a user or group.\r\n<\/p><\/div>\r\n","protected":false},"excerpt":{"rendered":"The LDAP protocol is an effective tool for centralized management of account data in a corporate infrastructure. You can learn more about the LDAP protocol and Microsoft Active Directory in our article. LDAP-compatible directory services (such as Active Directory, FreeIPA, or 389 Directory Server) support Single Sign-On: users receive a single account which enables them 
[&hellip;]","protected":false},"author":79,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[260],"tags":[237],"class_list":["post-43729","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-integration-with-it-services","no-wpautop"],"_links":{"self":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/43729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/users\/79"}],"replies":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/comments?post=43729"}],"version-history":[{"count":1,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/43729\/revisions"}],"predecessor-version":[{"id":43732,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/43729\/revisions\/43732"}],"wp:attachment":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/media?parent=43729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/categories?post=43729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/tags?post=43729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}