Once you have specified the data source for your generic table (see
Table form field - Generic
table) and the LDAP binding method (see LDAP
search - LDAP binding), you need to specify which objects you
want to retrieve by defining a search filter. A search filter is a
clause that states the conditions an object must meet to be included
in the resulting record set.
LDAP filter - Syntax
As mentioned above, the search filter holds every condition an object
must meet. A condition takes the form of a conditional statement, such
as "(cn=TestUser)". Each condition must be enclosed in parentheses. In
general, a condition consists of an attribute and a value, separated by
an operator.
Conditions can be combined using the following operators (note that
the strict operators "<" and ">" are not supported by the LDAP filter
syntax; use "<=" and ">=" instead).
Operator   Description
=          Equal to
~=         Approximately equal to
<=         Less than or equal to
>=         Greater than or equal to
&          AND
|          OR
!          NOT
Conditions can also be nested using parentheses, so "&", "|" and "!"
can be applied to groups of conditions. Furthermore, you can use the
"*" wildcard character in the search filter: "(sn=sm*)" matches any
surname starting with "sm", and "(attribute=*)" on its own matches
every object that has a value for that attribute.
The LDAP filter in UMRA
For the LDAP filter in UMRA you can either make a choice from a list
of predefined search filters under Example
LDAP search filters or enter your own search filter directly in
the LDAP Search filter window.
To select all users for example, simply select the All
users option and click the Insert
button. The actual LDAP search syntax for this filter, "(objectClass=user)"
will now appear in the LDAP search filter
window.
Some examples of filtering actions

To: Return all user objects except those whose surname attribute
equals "Macintosh"
Use the following LDAP filter: (&(objectClass=user)(!(sn=Macintosh)))

To: Return all user objects with a surname that starts with "sm"
Use the following LDAP filter: (sn=sm*)

To: Return all contacts with a surname equal to Smith or Johnson

Note: the attribute userAccountControl is a bitmask attribute. See the
section Bitmask attributes below for a detailed explanation.

To: Return all users with "Allow access" checked on the "Dial-in" tab
of the user properties dialog of Active Directory Users & Computers.
These are all users allowed to dial in. Note that "TRUE" is case
sensitive. (For this query to work, you need to bind to the Active
Directory root.)
Bitmask attributes
The account status mentioned in the table above (locked out, enabled,
disabled, etc.) is stored in a single attribute, userAccountControl.
This is called a bitmask attribute: one integer attribute holds a
number of independent yes/no property values, one per bit. Among other
things, the userAccountControl attribute holds the following property
values:
• The user account is disabled.
• The account is currently locked out.
• No password is required.
• The user cannot change the password.
• The user password has expired.
Note that Active Directory does not actually maintain the locked-out
and password-expired bits in the stored userAccountControl value; to
test those two states, read the computed attribute
msDS-User-Account-Control-Computed (or lockoutTime) instead.
In UMRA there are two different ways of evaluating bitmask attributes.
You can either make use of an LDAP matching rule or specify a data
conversion routine. The LDAP matching rule method is described below.
The data conversion routine method for dealing with bitmask attributes
is described in LDAP
attributes - Data conversion routine (routine 1).
Using the LDAP matching rule
1. Create a generic table with an LDAP query as the table type
2. Select the option Active Directory
Root as the LDAP binding method
3. Select the LDAP filter tab
and enter the following LDAP filter string: "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
The first part of the filter, "(objectCategory=User)",
specifies that we are only interested in users. The second part,
"(userAccountControl:1.2.840.113556.1.4.803:=2)", requires further
explanation. As mentioned above, if the bit with value 2 (0x02) of the
userAccountControl attribute is set, the user account is disabled. This
can be queried using an LDAP matching rule.
An LDAP matching rule condition has the following syntax:
attributename:ruleOID:=value
where attributename
is the LDAPDisplayName of the attribute, ruleOID
is the object identifier (OID) of the matching rule, and value
is the decimal value you want to compare against. Note that the
operator is always "=" in this form.
The value of ruleOID can be one of the following:
1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule.
The condition is true only if every bit that is set in the value is
also set in the attribute. This rule behaves like a bitwise AND:
(attribute AND value) = value.
1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule.
The condition is true if at least one bit that is set in the value is
also set in the attribute. This rule behaves like a bitwise OR test:
(attribute AND value) <> 0.
One example is querying Active Directory for user class objects that
are disabled. The attribute that holds this information is the
userAccountControl attribute, which is composed of a combination of
different flags. The flag that marks an account as disabled is
UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise
comparison condition that tests whether the UF_ACCOUNTDISABLE bit of
userAccountControl is set therefore looks like this:
"(userAccountControl:1.2.840.113556.1.4.803:=2)"
4. Select the Attributes tab
and select the "Users - names" and "userAccountControl"
attributes.
5. Select the Run test tab and
click the Test... button to check
if you have obtained the required results.