Defining a Secondary Source Using an LDAP Query

This procedure describes defining a secondary source for an LDAP container whose primary source locates resources using an LDAP query.

Prerequisites

Create an LDAP container whose primary source locates resources using an LDAP query -- see Defining the Primary Source Using an LDAP Query.

You can optionally define one or more secondary sources for an LDAP container. For more information, see Primary and Secondary Sources.

Procedure

  1. Open the Organization Browser (Access to the Organization Browser) and select LDAP Containers.
  2. From the Container Name list, select the LDAP container to which you want to add a secondary LDAP source, then click the Edit link in the lower right part of the dialog.
  3. On the Edit LDAP Container dialog, click the New Query Source button.
    Note: After an LDAP container is created, and resources have been created in that container, you cannot delete or change the secondary LDAP sources defined for that container, nor add additional secondary LDAP sources to the container. (The only exception is that you can change the value of the Resource Name Attribute for an existing LDAP source.)
  4. From the Alias field drop-down list, select the secondary LDAP source you would like to add to the LDAP container.

    The names in the Alias drop-down list are user-readable names that an administrator has assigned to each of the LDAP Servers available in the enterprise.

    Note that when choosing a secondary source, the alias that was chosen for the primary source is omitted from the Alias field drop-down list.

  5. Optional: In the Base DN field, enter the branch (e.g., an organization unit) in which you would like to limit the search in the LDAP directory structure.

    This increases the efficiency of the search if the LDAP contains a large number of branches.

    The search base must provide the complete path to the desired branch in the LDAP directory structure. For example, if you want to limit the search to the “London” organization unit in the following LDAP...

    ... you would enter the following in the Base DN field:

    ou=London, ou=AllEmployees

  6. In the Query field, enter a filter string that will be used to determine which of the resources to return from the LDAP source.

    This allows you to limit the resources returned. For example, you may only be interested in considering resources from a specific department or region.

    Each query string must be enclosed in parentheses. This also allows you to combine multiple strings, each one enclosed in its own parentheses.

    For information about special characters that can be used in LDAP query strings, plus some examples of query strings, see LDAP Query String Characters and Examples.

    Note: The Resource Name Attribute(s) field has no meaning when you are defining a secondary LDAP source.
  7. Using the Search Scope options, specify the depth to perform the search in the LDAP directory structure, as follows:
    • ONE LEVEL - Only the elements directly within the Base DN level are searched.
    • SUBTREE - Elements directly within, and below, the Base DN level are searched.
  8. Click one of the Show sample of LDAP Entities buttons.
    You can choose to display 10, 50, or 100 sample entities by clicking the appropriate button. This allows you to see the attributes that are in your chosen LDAP source. (The number of sample entities returned has no bearing on the number of resources that will be in the LDAP container; it only determines how many are shown in the sample data.)
    Once you have clicked one of the Show sample of LDAP Entities buttons, two Mapping fields (Primary Attribute and (Secondary) Ldap Attribute) appear below the buttons. These are used to choose related LDAP attributes, as described in the following steps.
  9. At this point, determine which attributes in the secondary LDAP source will be compared to attributes in the primary LDAP source.

    The goal of comparing primary / secondary attributes is to ensure that data from the secondary LDAP source is only merged together with the appropriate candidate resource from the primary LDAP source.

    Where a match cannot be found, or where it is not one-to-one, the candidate resource will not have a complete, accurate set of information, and it will be either omitted (where no match is found) or marked as "multiple entries" (where the match isn't one-to-one).

    For example, if several resources share the same last name, you need to check more than just the last name. Checking the first name as well may be enough, or you may need to check further attributes, because the secondary LDAP source may contain multiple resources with the same first and last name, in which case it would not know which one to include. Other kinds of data, such as an employee ID, may work better and avoid inconsistencies in data entry (typos, nicknames, abbreviations, etc.).

    You may also need to go back and view the data in the attributes of the primary LDAP source.

    For this example, if you know that the “ou” attribute in the primary LDAP source contains the complete name of the resources (Clint Hill, John Eustace, etc.), and the “displayname” attribute in the secondary LDAP source contains the same information, those attributes would be prime candidates to link.

    Note: If you choose attributes that contain names, always be aware that there may be differences in the way those names were entered in the different LDAP sources, for example, Bob vs. Robert, Mike vs. Michael, or simple misspellings. Things like employee numbers tend to make good attributes to link.

    For additional information, see Primary and Secondary Sources.

  10. Using the Mapping fields that appeared when you clicked one of the Show sample of LDAP Entities buttons, choose the related LDAP attributes, as follows:
    1. In the Primary Attribute field, choose the primary LDAP source attribute (for example, "ou") that contains data you want to compare to the data in the attribute you will choose in the next sub-step.
    2. In the (Secondary) Ldap Attribute field, choose the secondary LDAP source attribute (for example, "displayname") that contains data you want to compare to the data in the attribute you chose in the previous sub-step.
      Note: After an LDAP container is created, and resources have been created in that container, you cannot modify the "related primary/secondary attributes" that had been defined for the container.
  11. Optional: Click the icon above the Primary Attribute field to add additional related primary/secondary attributes.

    Do this if there are additional attributes you want to match, to ensure that the attribute data obtained from the secondary source belongs to the same resource.

  12. When you are finished linking attributes, click Save.
    The secondary LDAP source is now shown in the list of sources for the container. For example:

    The Relational Key(s) column shows that the linked attributes are "ou" and "displayname". The Relational Key(s) column is blank for the primary source.

  13. If you are finished defining LDAP sources for the container, click the Save button.
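The following is an added example, not part of the product documentation or the product's own code, that shows how the Base DN, Search Scope and Query settings from steps 5 to 7 work together to narrow the entries returned from an LDAP source. It evaluates a parenthesised filter string (equality, `*`, and the `&`, `|`, `!` combinators) against a small directory of constructed sample entries; the DNs, attribute names and values are invented for illustration, and the ONE LEVEL / SUBTREE definitions follow the page (the Base DN entry itself is not returned).

```python
# Added example (not from the product documentation): a small evaluator showing
# how Base DN, Search Scope and a parenthesised Query filter narrow LDAP results.
# The directory below is constructed sample data; DNs and values are invented.

def dn_components(dn):
    """Split a DN such as 'ou=London, ou=AllEmployees' into normalised RDN parts,
    most specific first, so a suffix comparison finds entries beneath the base."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn, base_dn, scope):
    """ONE LEVEL: only entries directly within the Base DN.
    SUBTREE: entries directly within and below the Base DN."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) <= len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not beneath the Base DN at all
    depth = len(entry) - len(base)        # 1 = direct child, 2+ = deeper
    if scope == "ONE LEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return depth >= 1
    raise ValueError("scope must be 'ONE LEVEL' or 'SUBTREE', got %r" % scope)


def parse_filter(text):
    """Parse a parenthesised LDAP filter into a tree: leaves are ('=', attr, value);
    '&', '|' and '!' nodes carry a list of children. Every (sub)filter must be
    enclosed in its own parentheses, as the page requires."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("query string must be enclosed in parentheses: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        rest, children, depth, start = body[1:], [], 0, None
        for i, ch in enumerate(rest):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(rest[start:i + 1]))
        if depth != 0 or not children:
            raise ValueError("unbalanced or empty compound filter: %r" % text)
        if body[0] == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter: %r" % text)
        return (body[0], children)
    if "=" not in body:
        raise ValueError("only 'attribute=value' leaf filters are supported: %r" % text)
    attr, value = body.split("=", 1)
    return ("=", attr.strip().lower(), value.strip())


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (lower-case keys)."""
    if node[0] == "=":
        _, attr, wanted = node
        values = attrs.get(attr)
        if values is None:
            return False
        if not isinstance(values, list):
            values = [values]
        return wanted == "*" or any(str(v).lower() == wanted.lower() for v in values)
    op, children = node
    if op == "&":
        return all(matches(c, attrs) for c in children)
    if op == "|":
        return any(matches(c, attrs) for c in children)
    return not matches(children[0], attrs)


def search(directory, base_dn, scope, query):
    """Return the DNs that fall within the scope and satisfy the filter."""
    tree = parse_filter(query)
    return [dn for dn, attrs in directory
            if in_scope(dn, base_dn, scope) and matches(tree, attrs)]


# Constructed sample directory as (dn, attributes). Attribute names are lower-cased
# so filters match case-insensitively, as LDAP servers do for attribute types.
DIRECTORY = [
    ("ou=London, ou=AllEmployees",
     {"objectclass": "organizationalUnit", "ou": "London"}),
    ("ou=Sales, ou=London, ou=AllEmployees",
     {"objectclass": "organizationalUnit", "ou": "Sales"}),
    ("cn=Clint Hill, ou=London, ou=AllEmployees",
     {"objectclass": "person", "cn": "Clint Hill", "department": "Engineering"}),
    ("cn=John Eustace, ou=Sales, ou=London, ou=AllEmployees",
     {"objectclass": "person", "cn": "John Eustace", "department": "Sales"}),
    ("cn=Ann Example, ou=Paris, ou=AllEmployees",
     {"objectclass": "person", "cn": "Ann Example", "department": "Sales"}),
]

if __name__ == "__main__":
    base = "ou=London, ou=AllEmployees"
    print(search(DIRECTORY, base, "ONE LEVEL", "(objectClass=person)"))
    print(search(DIRECTORY, base, "SUBTREE", "(objectClass=person)"))
    print(search(DIRECTORY, base, "SUBTREE", "(&(objectClass=person)(department=Sales))"))
```

With the Base DN set to the London branch, ONE LEVEL returns only the person directly under it, while SUBTREE also reaches the person inside the nested Sales unit; a filter string without its enclosing parentheses is rejected, matching the rule in step 6.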
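The following is an added example, not part of the product documentation or the product's own code, that illustrates the relational-key matching described in steps 9 to 11: candidate resources from the primary source are joined to secondary-source entries by the Primary Attribute / (Secondary) Ldap Attribute pairs, a resource with no match is omitted, and one with more than one match is flagged as "multiple entries". The sample entries, the name mismatch (Bob vs. Robert) and the merge rule (primary attributes kept, secondary attributes added) are constructed assumptions for illustration, not the product's internal logic.

```python
# Added example (not from the product documentation): how the relational key
# attribute pairs chosen in the Mapping fields control the merge of secondary
# source data into primary source candidate resources. Sample data and the
# merge rule are constructed assumptions, not the product's own behaviour.

def normalise(value):
    """Compare key values case-insensitively, ignoring surrounding whitespace."""
    return str(value).strip().lower()


def merge_sources(primary, secondary, relational_keys):
    """Join primary candidate resources with secondary entries.

    relational_keys is a list of (primary_attribute, secondary_attribute) pairs,
    one per mapping row. A candidate whose key values match exactly one secondary
    entry is merged; no match -> 'omitted'; several matches -> 'multiple'.
    """
    # Index the secondary source by the tuple of its key attribute values.
    index = {}
    for entry in secondary:
        key = tuple(normalise(entry.get(sec, "")) for _, sec in relational_keys)
        index.setdefault(key, []).append(entry)

    result = {"resources": [], "omitted": [], "multiple": []}
    for candidate in primary:
        key = tuple(normalise(candidate.get(pri, "")) for pri, _ in relational_keys)
        hits = index.get(key, [])
        if not hits:
            result["omitted"].append(candidate)       # no secondary match
        elif len(hits) > 1:
            result["multiple"].append(candidate)      # match is not one-to-one
        else:
            merged = dict(hits[0])        # secondary attributes first ...
            merged.update(candidate)      # ... primary values win on conflicts (assumption)
            result["resources"].append(merged)
    return result


# Constructed sample data: the primary source holds the full name in "ou" and an
# employee id; the secondary source holds "displayname" and a telephone number.
PRIMARY = [
    {"ou": "Clint Hill", "employeeid": "1001"},
    {"ou": "John Eustace", "employeeid": "1002"},
    {"ou": "Bob Smith", "employeeid": "1003"},
]
SECONDARY = [
    {"displayname": "Clint Hill", "employeenumber": "1001", "telephonenumber": "+00 000 0001"},
    {"displayname": "John Eustace", "employeenumber": "1002", "telephonenumber": "+00 000 0002"},
    {"displayname": "John Eustace", "employeenumber": "1004", "telephonenumber": "+00 000 0004"},
    {"displayname": "Robert Smith", "employeenumber": "1003", "telephonenumber": "+00 000 0003"},
]


def names(entries):
    """Helper for reporting: the primary-source names in a result bucket."""
    return [e["ou"] for e in entries]


if __name__ == "__main__":
    by_name = merge_sources(PRIMARY, SECONDARY, [("ou", "displayname")])
    print("linked on name:       ", {k: names(v) for k, v in by_name.items()})
    by_id = merge_sources(PRIMARY, SECONDARY, [("employeeid", "employeenumber")])
    print("linked on employee id:", {k: names(v) for k, v in by_id.items()})
```

Linking on the name attributes alone merges Clint Hill, flags John Eustace as "multiple entries" (two secondary entries share that display name) and omits Bob Smith (entered as Robert in the secondary source); linking on the employee number resolves all three, which is the point of the note in step 9 about preferring identifiers such as employee numbers. Adding a second mapping row, as in step 11, also disambiguates the two John Eustace entries.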