LDAP search - LDAP Filter

Previous actions:

1. Specifying the table type

2. Specifying the LDAP binding method

LDAP filter - General

Once you have specified the data source for your generic table (see Table form field - Generic table) and the LDAP binding method (see LDAP search - LDAP binding), you need to specify which objects to retrieve by defining a search filter. A search filter is a clause specifying the conditions that must be met for records to be included in the resulting record set.

LDAP filter - Syntax

As mentioned above, you define all conditions that must be met for an object in the search filter. A condition takes the form of a conditional statement, such as "(cn=TestUser)". Each condition must be enclosed in parentheses. In general, a condition consists of an attribute and a value, separated by an operator.

Within a condition, an attribute is compared to a value with one of the comparison operators below; conditions are combined with the logical operators (note that the operators "<" and ">" are not supported).

Operator   Description
=          Equal to
~=         Approximately equal to
<=         Less than or equal to
>=         Greater than or equal to
&          AND
|          OR
!          NOT

Conditions can also be nested using parentheses. Furthermore, you can use the "*" wildcard character in the search filter.
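The operators and nesting rules above can be applied programmatically. The following Python example is added here and is not part of UMRA or of the original page; the helper names (escape_value, eq, starts_with, present, and_, or_, not_) and the three ready-made filter functions are assumptions chosen for this illustration. It builds several of the filters shown later on this page and escapes literal values according to RFC 4515, so that a name supplied by a user that happens to contain "(", ")", "*" or "\" is treated as text and cannot change the structure of the filter.

```python
"""Build LDAP search filters from conditions and operators.

Added example, not UMRA code. Helper names are chosen for this
illustration; escaping follows RFC 4515.
"""

# RFC 4515: these characters must be escaped inside an assertion value,
# otherwise they are read as filter syntax rather than as data.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_value(value: str) -> str:
    """Escape a literal assertion value so it cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped as a literal."""
    return f"({attr}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """(attr=prefix*): the wildcard is added here, never taken from input."""
    return f"({attr}={escape_value(prefix)}*)"


def present(attr: str) -> str:
    """(attr=*): true when the attribute has any value at all."""
    return f"({attr}=*)"


def and_(*conds: str) -> str:
    """(&cond1cond2...): every nested condition must hold."""
    return "(&" + "".join(conds) + ")"


def or_(*conds: str) -> str:
    """(|cond1cond2...): at least one nested condition must hold."""
    return "(|" + "".join(conds) + ")"


def not_(cond: str) -> str:
    """(!cond): NOT takes exactly one nested, parenthesised condition."""
    return "(!" + cond + ")"


def users_except_surname(surname: str) -> str:
    """All user objects except those whose sn equals the given surname."""
    return and_(eq("objectClass", "user"), not_(eq("sn", surname)))


def computers_without_description() -> str:
    """All computer objects that have no description attribute."""
    return and_(eq("objectCategory", "computer"), not_(present("description")))


def groups_named(*prefixes: str) -> str:
    """All groups whose cn starts with any of the given prefixes."""
    return and_(eq("objectCategory", "group"),
                or_(*(starts_with("cn", p) for p in prefixes)))


if __name__ == "__main__":
    print(users_except_surname("Macintosh"))
    print(computers_without_description())
    print(groups_named("Helpdesk", "Admin"))
    # A surname containing parentheses stays a literal value
    print(eq("sn", "Smith (Jr.)"))
```

Note that eq() escapes "*" as well; use starts_with() or present() when the wildcard is intended, so that the only wildcards in a filter are the ones your code puts there.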

The LDAP filter in UMRA

For the LDAP filter in UMRA you can either make a choice from a list of predefined search filters under Example LDAP search filters or enter your own search filter directly in the LDAP Search filter window.


To select all users for example, simply select the All users option and click the Insert button. The actual LDAP search syntax for this filter, "(objectClass=user)" will now appear in the LDAP search filter window.


Some examples of filtering actions

Each entry shows the goal first, then the LDAP filter to use.

Return all user objects except those whose surname attribute equals "Macintosh":
(&(objectClass=user)(!(sn=Macintosh)))

Return all user objects with a surname that starts with sm:
(sn=sm*)

Return all contacts with a surname equal to Smith or Johnson:
(&(objectClass=contact)(|(sn=Smith)(sn=Johnson)))

Return all user objects with cn (Common Name) beginning with the string "Joe":
(&(objectCategory=person)(objectClass=user)(cn=Joe*))

Return all computer objects with no entry for description:
(&(objectCategory=computer)(!(description=*)))

Return all user and contact objects:
(objectCategory=person)

Return all group objects with an entry for description:
(&(objectCategory=group)(description=*))

Return all groups with cn starting with "Helpdesk" or "Admin":
(&(objectCategory=group)(|(cn=Helpdesk*)(cn=Admin*)))

Return all users with "Password Never Expires" set:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
The attribute userAccountControl is a bitmask attribute. See the section Bitmask attributes below for a detailed explanation.

Return all users with disabled accounts:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
(userAccountControl is a bitmask attribute; see the section Bitmask attributes below.)

Return all users with "Allow access" checked on the "Dial-in" tab of the user properties dialog of Active Directory Users & Computers, i.e. all users allowed to dial in. Note that "TRUE" is case sensitive (for this query to work, you need to bind to the Active Directory root):
(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))

Return all user objects created after a specified date (01/01/2005):
(&(objectCategory=person)(objectClass=user)(whenCreated>=20050101000000.0Z))

Return all users that must change their password the next time they log on (for this query to work, you need to bind to the Active Directory root):
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))

Bitmask attributes

The account status mentioned in the table above (locked out, enabled, disabled, etc.) is stored in a single attribute called userAccountControl. This is called a bitmask attribute: one attribute actually contains numerous property values, each represented by one bit. Among others, the userAccountControl attribute holds the following property values:

• The user account is disabled.

• The account is currently locked out.

• No password is required.

• The user cannot change the password.

• The user password has expired.

In UMRA there are two different ways of evaluating bitmask attributes: you can either make use of the LDAP matching rule or specify a data conversion routine. The LDAP matching rule method is described below. The data conversion routine method for dealing with bitmask attributes is described in LDAP attributes - Data conversion routine (routine 1).

Using the LDAP matching rule

1. Create a generic table with an LDAP query as the table type

2. Select the option Active Directory Root as the LDAP binding method

3. Select the LDAP filter tab and enter the following LDAP filter string: "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"

The first part of the filter, "(objectCategory=User)", specifies that we are only interested in users. The second part of this string requires further explanation. As mentioned above, if the bit with value 2 of the userAccountControl attribute is set, the user account is disabled. This can be queried using the LDAP matching rule.

The LDAP Matching Rule has the following syntax:

attributename:ruleOID:=value

where attributename is the LDAPDisplayName of the attribute, ruleOID is the object ID (OID) for the matching rule control, and value is the decimal value you want to use for comparison.

The value of ruleOID can be one of the following:

1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.

1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.

One example is querying Active Directory for user class objects that are disabled. The attribute that holds this information is userAccountControl, which is composed of a combination of different flags. The flag that marks an account as disabled is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison clause that requires the UF_ACCOUNTDISABLE bit of userAccountControl to be set looks like this:

"userAccountControl:1.2.840.113556.1.4.803:=2"

4. Select the Attributes tab and select the "Users - names" and "userAccountControl" attributes.

5. Select the Run test tab and click the Test... button to check if you have obtained the required results.
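To make the two matching rules concrete, the following Python example is added here; it is not UMRA code and not part of the original page. It parses a term of the form attributename:ruleOID:=value, evaluates it against a few constructed sample accounts with the bitwise AND (1.2.840.113556.1.4.803) and bitwise OR (1.2.840.113556.1.4.804) semantics described above, and decodes a userAccountControl value into flag names. The flag values used (UF_ACCOUNTDISABLE = 0x2, UF_LOCKOUT = 0x10, UF_PASSWD_NOTREQD = 0x20, UF_NORMAL_ACCOUNT = 0x200, UF_DONT_EXPIRE_PASSWD = 0x10000) are the standard ADS_USER_FLAG constants; the function names and the sample accounts are assumptions made for this illustration.

```python
"""Evaluate LDAP bitwise matching rules locally.

Added example, not UMRA code. SAMPLE_USERS is constructed data and the
function names are chosen for this illustration.
"""
import re

# Matching-rule OIDs named in the text
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Well-known userAccountControl flag values (ADS_USER_FLAG constants)
UAC_FLAGS = {
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_LOCKOUT": 0x0010,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
}

# Constructed sample accounts with userAccountControl as the directory stores it
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # normal, enabled
    {"sAMAccountName": "bob", "userAccountControl": 514},      # normal + disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # normal + password never expires
    {"sAMAccountName": "dave", "userAccountControl": 66050},   # normal + disabled + never expires
]

# (attributename:ruleOID:=value) as written inside a filter
_TERM = re.compile(r"^\(([A-Za-z][\w-]*):([0-9.]+):=(\d+)\)$")


def parse_extensible_term(term: str):
    """Split '(attributename:ruleOID:=value)' into (attribute, OID, int value)."""
    match = _TERM.match(term)
    if not match:
        raise ValueError(f"not an attributename:ruleOID:=value term: {term!r}")
    attr, oid, value = match.groups()
    return attr, oid, int(value)


def bitmask_matches(stored: int, oid: str, value: int) -> bool:
    """Apply the matching rule identified by oid to one stored attribute value."""
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return (stored & value) == value  # true only if every bit of value is set
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return (stored & value) != 0      # true if at least one bit of value is set
    raise ValueError(f"unsupported matching rule OID: {oid}")


def search(entries, term: str):
    """Return the sAMAccountName of every entry that the bitmask term matches."""
    attr, oid, value = parse_extensible_term(term)
    return [e["sAMAccountName"] for e in entries
            if attr in e and bitmask_matches(int(e[attr]), oid, value)]


def decode_uac(value: int):
    """Name the known flags that are set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


if __name__ == "__main__":
    disabled = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)"
    both = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=65538)"
    either = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_OR}:=65538)"
    print("disabled:", search(SAMPLE_USERS, disabled))
    print("disabled AND never expires:", search(SAMPLE_USERS, both))
    print("disabled OR never expires:", search(SAMPLE_USERS, either))
    print("dave:", decode_uac(66050))
```

With the value 65538 (2 + 65536), the AND rule returns only the account that is both disabled and has a non-expiring password, while the OR rule returns every account that has either bit set; that difference is why the filters on this page use 803 for "this exact flag is set".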


Next action:

LDAP search - Attributes


See also:

UMRA tables - Introduction