Join 34,000+ subscribers and receive articles from our blog about software quality, testing, QA and security.

Mulitiple OUs in Generic LDAP


I am trying to setup Ldap for TestRail.

I would like to get users from multiple OUs.

define(‘AUTH_DN’, ‘OU=DEV,DC=DV,DC=HGN’);
define(‘AUTH_DN’, ‘OU=QA,DC=DV,DC=HGN’);

It works for QA users if I set the OU to QA and for Dev users if I set the OU to Dev.

How do I get it to work for both?


Hello Cynthia,

Thanks for your posting. You can simply specify the AUTH_DN option without the OU and then filter for group memberships later as part of the script (and then match both QA or DEV). For example, the Active Directory script contains an example for this (AUTH_MEMBERSHIP) and this can look similar with LDAP:

Please let us know in case you have any questions, we are happy to help.



Does this mean, the LDAP version would be slightly different? We’ve hit this snag with our LDAP’s having almost completely different OU’s DC’s and CN’s.

Trying to figure out the easiest way to do it. We have no worries about restricting permissions and the most open method would do.


Hi Steven,

Are you using a generic LDAP server or Active Directory? For Active Directory we would recommend our related Active Directory script instead.

With a generic LDAP server you would be able to specify the AUTH_DN options similar to our AD script, but there’s no ready-to-use membership option in our generic LDAP script, as this would work differently with different LDAP systems. You can however freely customize the script for your needs. All the related LDAP logic and details are stored in the auth.php script so you can freely customize and adjust it for your needs.


Thanks for the reply

I checked with our IT and we do use Active Directory and using the active directory script.

We have the ldap_set_option($handle, LDAP_OPT_REFERRALS, 0) in place under the protocol version too.

The snag we’ve hit is the only commonality between our users, or lack of.
DC=ad DC=ea & DC=com are the only ones of common.

the remaining OU’s and DC’s are all different and our domains are different too.

We aren’t concerned about security because ldap is the only way to access the tool and our host is isolated from everything else.


Hi Steven,

Thanks for the feedback. This isn’t a problem as it’s quite common that teams have different OUs etc. where different users are stored. You would just need to specify the highest common node as part of the AUTH_DN option. Active Directory would search for the user via the LDAP query TestRail sends within all nodes below this AUTH_DN. So users can be in different OUs etc., and this wouldn’t be a problem.