Best way to filter out LDAP users

I am using an LDAP - Active Directory to authenticate users for a project of mine.

I currently have 2 login pages - 1 is intended for students, the other for staff.

I have managed to write an authentication script to bind to the LDAP server - this works for all users stored on the LDAP server.

Now i want to be able to filter out students from staff, allowing only staff to login via the "staff login page".

The DN looks something like the following:

cn=USERNAME,ou=DEPT,ou开发者_运维知识库=MAS,ou=LAN,o=UNI  <-- STAFF
cn=USERNAME,ou=DEPT,ou=STUDENT,ou=LAN,o=UNI <-- STUDENT

How can i go about filtering out ou=STUDENT or something to stop students from being able to login via the new Staff authentication script?

Thankyou

---

To prevent student from being able to login via the new Staff authentication script, you can just change the base of you LDAP search. In spite of searching the UPN in the whole directoryn you searche the UPN from ou=MAS,ou=LAN,o=UNI.

With LDIFDE.EXE it would give :

ldifde -f c:\temp\user.ldf -d "ou=MAS,ou=LAN,o=UNI" -r "(userPrincipalName=login)"

So the search don't return anything if the user is a student.

On absolute LDAP it exists a filter syntax called ExtensibleMatch which allow you to do that, but it does work in AD.