LDAP with 2 OU


I want to connect Nuxeo with our LDAP. But persons are saved in several “OU”. How can I do it ? I try with “multi-users-directory” but it doesn't work.

I create a file default-ldap-users-directory-bundle.xml with configuration of ldap :

  • 1 directory for OU=firstOU
  • 1 directory for OU=secondOU

Then I create a file default-multi-users-directory-bundle.xml with that :

<component name="org.nuxeo.ecm.directory.multi.config">
  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <source name="userLDAPSourceFirst" creation="false">
        <subDirectory name="firstOU"/>
      <source name="userLDAPSourceSecond" creation="false">
        <subDirectory name="secondOU"/>

I can connecte with firstOU and in adminCenter I can see persons of firstOU. But it doesn't work for seondOU. In server.log, I have an error :

ERROR [org.nuxeo.ecm.platform.login.NuxeoLoginModule] createIdentity failed
javax.security.auth.login.LoginException: principal Administrator does not exist
     at org.nuxeo.ecm.platform.login.NuxeoLoginModule.createIdentity(NuxeoLoginModule.java:300) ...

Can anyone help me ? Has anyone an exemple of that ? Thank you in advance.

0 votes

1 answers



You can point the searchBaseDN to the common root of the 2 OUs and then set searchScope to subtree.

You should also use searchFilter to a valid LDAP filter expression to filterout the unwanted entries based on attributes such as for instance:


Note that for this filter to work you need all the entries to actually have the ou attributes stored and indexed (not just the dn).

You can check the LDAP filter syntax for more complex filtering options. I would advise you to use a tool such as Apache Directory Studio to simulate the right baseDN / scope / filters combo that works for you.

0 votes

Thanks for your help.<br/> I use Apache Directory Studio for testing my query. But I don't manage to search in OU of person because this data isn't stored (just dn).<br/> Do you know how configure OU on person in Active Directory ? Some persons are in a tree like OU=Societe, OU=Service, OU=Sous-service