Domino Consulting - HCL Domino Administrator 11.0.1 Help

CONFIGURING

Configuring search filters in a Directory Assistance document for a remote LDAP directory

For servers that use directory assistance to search a remote LDAP directory, you can control which LDAP search filters are used to search the directory. Use the Type of search filter to use field in the Directory Assistance document for the directory whose to control which LDAP search filters are used to search the directory.

About this task

You specify which LDAP search filters are used to search the directory in the Type of search filter to use field in the Directory Assistance document for the directory whose search filters you want control.

Table 1. LDAP search filter options

Search filter option Description

Standard LDAP (Default) Uses standard LDAP search filters that work with most LDAP directory servers.

Active Directory Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.
Note: Each attribute in a search filter should be indexed in Active Directory. Otherwise search performance is slow and search results can be unreliable.
This option replaces the Release 5 NOTES.INI setting WebAuth_AD_Group, which allowed for searches of Active Directory groups.

Custom Use to define your own search filters.

Defining custom search filters

About this task

You might need to define custom search filters if searches are not returning results or are returning results for the wrong entries. This situation can occur if the remote LDAP directory server uses a nonstandard schema. Typically, custom filters are targeted at a particular attribute that can be used to produce unique, efficient matches - unique in that the attribute value is different for each entry, efficient in that there is an index or some other fast mechanism to ensure quick searches.

To define custom search filters, you should be familiar with valid search filter syntax described in RFCs 2251 and 2254.

Select Custom in the Type of search filter to use field and specify how you want to define the custom search filter:

Table 2. Fields used to define the custom search filters

Custom search filter field Description

Mail Filter If directory assistance is configured so that HCL Notes® users can look up mail addresses in the directory, this search filter is used to look up the names in the directory. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
If a user specified "Pat Smith" in a mail recipient field, the resulting filter used on the LDAP search request would be:
(|(cn=Pat Smith)(|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))
You may want to customize the mail filter if users always type in their UID attribute in a mail recipient field. The custom filter would look similar to the following:
(uid=%*)
With this filter, if a user specified BAK12345 in a mail recipient field the resulting filter used on the LDAP search request would be:
(uid=BAK12345)

Authentication Filter If directory assistance is configured to trust a remote LDAP directory for client authentication, this filter is used to look up a name in the directory. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
If a user specified "Maryanne Brown" in the HTTP login prompt, the resulting filter used on the LDAP search request would be:
(|(cn=Maryanne Brown)(|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)(givenname=Maryanne))))
You may want to customize the authentication filter if users typically specify their employee ID or mail attribute at the login prompt. In this case, the custom filter would look similar to:
(|(employeeID=%*)(mail=%*))
So, if a user specified "MB12345" at the login prompt, the resulting filter used on the LDAP search request would be:
(|(employeeID=AS12345)(mail=AS12345))

Authorization Filter Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))
In this case, a membership lookup on "cn=June Day,ou=Westford,o=Renovations" would result in the following filter on the search request:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=cn=June Day,ou=Sales,o=Renovations))(&(objectclass=groupOfNames)(Member=cn=June Day,ou=Sales,o=Renovations)))
If the LDAP server that is enabled for ACL group expansion stores the groups with an objectClass of aclGroup, then you may want to specify the following custom filter:
(&(objectclass=aclGroup)(Member=%*))
In this case a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would use the following filter on the LDAP search request:
(&(objectclass=aclGroup)(Member=cn=June Day,ou=Sales,o=Renovations))

To define custom search filters, you should be familiar with valid search filter syntax described in RFCs 2251 and 2254.

Syntax for custom LDAP search filters

About this task

To define a custom search filter, insert parameters into standard LDAP search filters to represent a part of the names being searched for.

Table 3. Parameters to use in standard LDAP search filters

Name part Defined as Example of name part (in bold) Parameter to insert to represent name part

First name The set of characters from the first character to the first space or punctuation Alex M Davidson %a

Last name The set of characters from the last space or punctuation to the last character Alex M Davidson %z

Whole name The entire name Alex M Davidson %*

Local part Local part of an RFC 822 mail address amd@renovations.com %l

Domain part Domain part of an RFC 822 mail address amd@renovations.com %d

Any string value The string value of the attribute or object that is being searched for. For example, if a search contains a filter where "uid=%s", then the name part represented by %s in this case is amd. %s

Example

Table 4. Examples of custom LDAP search filters

Name searched for Search filter formula in Directory Assistance document Search filter used to search for the name

Alex M Davidson (|(givenname=%a)(sn=%z) (cn=%*)(mail=%l)) (|(givenname=Alex)(sn=Davidson)
(cn=Alex M Davidson)(mail=""))

amd (EmpID=%*) (EmpID=amd)

amd (EmpID=%*) (EmpID="")

amd (mail=%*@renovations.com) (mail=amd@renovations.com)

amd (mail=%*@*) (mail=amd@*)

amd@renovations.com (mail=*@%d) (mail=*@renovations.com)

amd@renovations.com (mail=%*) (mail=amd@renovations.com)

amd@renovations.com (uid=%l) (uid=amd)

blue (color=%*) (color=blue)

Related concepts
Setting up directory assistance

Help on Help

All Help Contents

Help on Help

All Help Contents

Search filter option	Description
Standard LDAP (Default)	Uses standard LDAP search filters that work with most LDAP directory servers.
Active Directory	Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory. Note: Each attribute in a search filter should be indexed in Active Directory. Otherwise search performance is slow and search results can be unreliable. This option replaces the Release 5 `NOTES.INI` setting `WebAuth_AD_Group`, which allowed for searches of Active Directory groups.
Custom	Use to define your own search filters.

Custom search filter field	Description
Mail Filter	If directory assistance is configured so that HCL Notes® users can look up mail addresses in the directory, this search filter is used to look up the names in the directory. Leave the field blank to use the following default search filter: `(\|(cn=%)(\|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))` If a user specified "Pat Smith" in a mail recipient field, the resulting filter used on the LDAP search request would be: `(\|(cn=Pat Smith)(\|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))` You may want to customize the mail filter if users always type in their UID attribute in a mail recipient field. The custom filter would look similar to the following: `(uid=%)` With this filter, if a user specified `BAK12345` in a mail recipient field the resulting filter used on the LDAP search request would be: `(uid=BAK12345)`
Authentication Filter	If directory assistance is configured to trust a remote LDAP directory for client authentication, this filter is used to look up a name in the directory. Leave the field blank to use the following default search filter: `(\|(cn=%)(\|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))` If a user specified "Maryanne Brown" in the HTTP login prompt, the resulting filter used on the LDAP search request would be: `(\|(cn=Maryanne Brown)(\|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)(givenname=Maryanne))))` You may want to customize the authentication filter if users typically specify their employee ID or mail attribute at the login prompt. In this case, the custom filter would look similar to: `(\|(employeeID=%)(mail=%*))` So, if a user specified "MB12345" at the login prompt, the resulting filter used on the LDAP search request would be: `(\|(employeeID=AS12345)(mail=AS12345))`
Authorization Filter	Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter: `(\|(&(objectclass=groupOfUniqueNames)(UniqueMember=%))(&(objectclass=groupOfNames)(Member=%)))` In this case, a membership lookup on "cn=June Day,ou=Westford,o=Renovations" would result in the following filter on the search request: `(\|(&(objectclass=groupOfUniqueNames)(UniqueMember=cn=June Day,ou=Sales,o=Renovations))(&(objectclass=groupOfNames)(Member=cn=June Day,ou=Sales,o=Renovations)))` If the LDAP server that is enabled for ACL group expansion stores the groups with an objectClass of aclGroup, then you may want to specify the following custom filter: `(&(objectclass=aclGroup)(Member=%*))` In this case a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would use the following filter on the LDAP search request: `(&(objectclass=aclGroup)(Member=cn=June Day,ou=Sales,o=Renovations))`

Name part	Defined as	Example of name part (in bold)	Parameter to insert to represent name part
First name	The set of characters from the first character to the first space or punctuation	Alex M Davidson	%a
Last name	The set of characters from the last space or punctuation to the last character	Alex M Davidson	%z
Whole name	The entire name	Alex M Davidson	%*
Local part	Local part of an RFC 822 mail address	amd@renovations.com	%l
Domain part	Domain part of an RFC 822 mail address	amd@renovations.com	%d
Any string value	The string value of the attribute or object that is being searched for.	For example, if a search contains a filter where "uid=%s", then the name part represented by %s in this case is amd.	%s

Name searched for	Search filter formula in Directory Assistance document	Search filter used to search for the name
Alex M Davidson	`(\|(givenname=%a)(sn=%z) (cn=%*)(mail=%l))`	`(\|(givenname=Alex)(sn=Davidson)` `(cn=Alex M Davidson)(mail=""))`
amd	`(EmpID=%*)`	`(EmpID=amd)`
amd	`(EmpID=%*)`	`(EmpID="")`
amd	`(mail=%*@renovations.com)`	`(mail=amd@renovations.com)`
amd	`(mail=%@)`	`(mail=amd@*)`
amd@renovations.com	`(mail=*@%d)`	`(mail=*@renovations.com)`
amd@renovations.com	`(mail=%*)`	`(mail=amd@renovations.com)`
amd@renovations.com	`(uid=%l)`	`(uid=amd)`
blue	`(color=%*)`	`(color=blue)`