For servers that use directory assistance to search a remote LDAP directory, you can control which LDAP search filters are used to search the directory. Use the Type of search filter to use field in the Directory Assistance document for that directory.
About this task
You specify which LDAP search filters are used to search the directory in the Type of search filter to use field in the Directory Assistance document for the directory whose search filters you want to control.
Table 1. LDAP search filter options
Note: When the Active Directory option is selected, each attribute in a search filter should be indexed in Active Directory. Otherwise search performance is slow and search results can be unreliable.
The Active Directory option replaces the Release 5 NOTES.INI setting WebAuth_AD_Group, which allowed searches of Active Directory groups.
Defining custom search filters
You might need to define custom search filters if searches are not returning results or are returning results for the wrong entries. This situation can occur if the remote LDAP directory server uses a nonstandard schema. Typically, custom filters are targeted at a particular attribute that can be used to produce unique, efficient matches: unique in that the attribute value is different for each entry, and efficient in that there is an index or some other fast mechanism to ensure quick searches.
To define custom search filters, you should be familiar with the search filter syntax described in RFCs 2251 and 2254 (since superseded by RFCs 4511 and 4515, respectively).
Select Custom in the Type of search filter to use field and specify how you want to define the custom search filter:
Table 2. Fields used to define the custom search filters
Mail filter. The default mail filter is:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
If a user specified "Pat Smith" in a mail recipient field, the resulting filter used on the LDAP search request would be:
(|(cn=Pat Smith)(|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))
You may want to customize the mail filter if users always type their UID attribute in a mail recipient field. The custom filter would look similar to the following:
(uid=%*)
With this filter, if a user specified BAK12345 in a mail recipient field, the resulting filter used on the LDAP search request would be:
(uid=BAK12345)
Authentication filter. The default authentication filter matches names the same way as the default mail filter. If a user specified "Maryanne Brown" in the HTTP login prompt, the resulting filter used on the LDAP search request would be:
(|(cn=Maryanne Brown)(|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)(givenname=Maryanne))))
You may want to customize the authentication filter if users typically specify their employee ID or mail attribute at the login prompt. In this case, the custom filter would look similar to:
(|(employeeID=%*)(mail=%*))
So, if a user specified "MB12345" at the login prompt, the resulting filter used on the LDAP search request would be:
(|(employeeID=MB12345)(mail=MB12345))
Group membership filter, used for ACL group expansion. The default filter is:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))
In this case, a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would result in the following filter on the search request:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=cn=June Day,ou=Sales,o=Renovations))(&(objectclass=groupOfNames)(Member=cn=June Day,ou=Sales,o=Renovations)))
If the LDAP server that is enabled for ACL group expansion stores the groups with an objectClass of aclGroup, then you may want to specify the following custom filter:
(&(objectclass=aclGroup)(Member=%*))
In this case, a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would use the following filter on the LDAP search request:
(&(objectclass=aclGroup)(Member=cn=June Day,ou=Sales,o=Renovations))
Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP search filters to represent a part of the name being searched for. As the examples on this page show, %* expands to the entire string the user entered, %a to its first word and %z to its last word.
Table 3. Parameters to use in standard LDAP search filters
Example
Table 4. Examples of custom LDAP search filters
(cn=Alex M Davidson)(mail=""))
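As an added worked example (not part of the original documentation and not Domino's own code), the following Python script performs the %*, %a and %z substitution described in the syntax section above on the default mail, authentication and group membership filters from the custom-filter examples, and shows why the substituted value must be escaped as in RFC 4515: a login name such as `*)(objectclass=*` otherwise rewrites the authentication filter so that it matches any entry. The page does not state how Domino itself escapes user input, so the escaping table and the single-pass substitution are assumptions made for this example; the templates and the sample names are taken from this page, and the hostile input is constructed.

```python
import re

# Escapes from RFC 4515 section 3 for characters that are special inside an
# LDAP filter assertion value. Whether Domino applies these itself is not
# stated on the page; this table is an assumption made for the example.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

# Search filter templates quoted from the page.
DEFAULT_NAME_FILTER = "(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))"
UID_MAIL_FILTER = "(uid=%*)"
EMPLOYEE_AUTH_FILTER = "(|(employeeID=%*)(mail=%*))"
GROUP_FILTER = ("(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))"
                "(&(objectclass=groupOfNames)(Member=%*)))")

_PARAM_RE = re.compile(r"%[*az]")


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever match as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user_input: str, escape: bool = True) -> str:
    """Expand %* (whole string), %a (first word) and %z (last word).

    The substitution is done in a single pass, so a literal '%a' typed by the
    user is never itself expanded on a second round.
    """
    words = user_input.split()
    values = {
        "%*": user_input.strip(),
        "%a": words[0] if words else "",
        "%z": words[-1] if words else "",
    }
    if escape:
        values = {k: escape_filter_value(v) for k, v in values.items()}
    return _PARAM_RE.sub(lambda m: values[m.group(0)], template)


def is_balanced(filter_text: str) -> bool:
    """Cheap sanity check: parentheses must nest, or the server rejects the filter."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Inputs taken from the page's own examples.
    for tmpl, text in [
        (DEFAULT_NAME_FILTER, "Pat Smith"),
        (UID_MAIL_FILTER, "BAK12345"),
        (EMPLOYEE_AUTH_FILTER, "MB12345"),
        (GROUP_FILTER, "cn=June Day,ou=Sales,o=Renovations"),
    ]:
        print(expand_filter(tmpl, text))

    # Constructed hostile login name: without escaping it rewrites the filter so
    # that any entry with an employeeID or mail attribute matches.
    hostile = "*)(objectclass=*"
    print(expand_filter(EMPLOYEE_AUTH_FILTER, hostile, escape=False))
    print(expand_filter(EMPLOYEE_AUTH_FILTER, hostile))
```

The unescaped hostile expansion is still a syntactically valid, balanced filter, which is why a parenthesis check alone is not a defence; only escaping the value keeps `*`, `(` and `)` typed at the login prompt from changing the filter's structure. When you test a custom filter against a remote directory, try a name containing those characters as well as the normal cases.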
Related concepts Setting up directory assistance
Related tasks Creating a Directory Assistance document for a remote LDAP directory