Query Examples
This section shows example queries for a Directory LDAP server. Active Directory LDAP server configurations are similar, except that the object class values, search contexts, and user or group attribute values can differ. In these examples:
<PREFIX> = { activedirectory }
Search for Specific Groups with a Group Filter
Specify Multiple Locations to Find Users or Groups
Disable Case Sensitivity for LDAP Authentication
Get All Users
Get All Users Under Container ou=people
Get All Groups
Get All Groups Under Container ou=groups
Search for Specific Groups with a Group Filter
All group filters can use the search filter syntax described in the “Search Filter Syntax” section above.
Example
Find all groups that have a prefix “cs_” in their name where “Y” is a group object class for the domain type, and “Z” is a group name attribute:
Example solution:
<PREFIX>.all.groups.filter=(&(objectclass=Y)(Z=cs_*))
 
Note: This method can also be used for finding specific users.
Specify Multiple Locations to Find Users or Groups
All search context attributes support looking for LDAP objects in multiple search contexts. Use the “|” character to separate multiple search contexts.
<PREFIX>.*.search.context=CONTEXT_1|CONTEXT_2|...|CONTEXT_N
Example
<PREFIX>.all.groups.search.context=cn=users|cn=users2
 
This example is for groups under cn=users and cn=users2 search contexts.
Disable Case Sensitivity for LDAP Authentication
By default, the TDV Server is case sensitive when used with a directory domain, but that can be changed in ldap.properties.
Example
Enable case insensitive user names for LDAP authentication. How can the default case sensitive mode used for LDAP authentication be disabled?
Example solution:
<PREFIX>.user.username.comparison.is.case.sensitive=false
When the LDAP user name comparison is not case sensitive, the user “cn=sam,ou=users,dc=domain,dc=com” can log in to a TDV LDAP domain with user name sam or SAM. All variations of the user name used to log in to TDV tools map to the actual user name stored in the LDAP server.
Note: If you disable case sensitive mode and have multiple users with the same name (but with variations in capitalization), login will be disabled for that user name. You can differentiate users by search context. For instance, in Active Directory, the samaccountname attribute for a user object is globally unique in the LDAP server, but cn (common name) is not.
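A check to run before disabling case sensitivity, given as an added example that is not part of the TDV documentation or product: from a set of exported directory entries it lists the user names that collide once capitalization is ignored, which are the names the note says would lose login. The entries, DNs and function name are constructed, and Python's casefold() is an assumed stand-in for whatever comparison the server performs.

```python
from collections import defaultdict

# Constructed sample entries, shaped like a directory export (attribute keys lowercased).
SAMPLE_ENTRIES = [
    {"dn": "cn=sam,ou=users,dc=domain,dc=com", "cn": "sam", "samaccountname": "sam"},
    {"dn": "cn=SAM,ou=contractors,dc=domain,dc=com", "cn": "SAM", "samaccountname": "sam.c"},
    {"dn": "cn=alex,ou=users,dc=domain,dc=com", "cn": "alex", "samaccountname": "alex"},
]


def case_collisions(entries, username_attr):
    """Return {folded_name: [dn, ...]} for user names shared by more than one
    entry once case is ignored.

    username_attr is the attribute configured as the user name attribute
    (for example cn, uid or samaccountname). Entries without it are skipped.
    """
    by_name = defaultdict(list)
    for entry in entries:
        value = entry.get(username_attr.lower())
        if value is None:
            continue
        # Assumption: casefold() approximates the server's case-insensitive compare.
        by_name[value.casefold()].append(entry["dn"])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


if __name__ == "__main__":
    for attr in ("cn", "samaccountname"):
        hits = case_collisions(SAMPLE_ENTRIES, attr)
        print(attr, "->", hits if hits else "no collisions")
```

In the sample, cn collides across two containers while samaccountname does not, which matches the note's point about choosing a unique attribute.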
Get All Users
To start a search from the root node and retrieve all users, use a blank (null) value in the search context.
<PREFIX>.all.users.search.context=
 
To find users that match the objectclass filter, use the following:
<PREFIX>.all.users.filter=(&(objectclass=person))
 
To retrieve user names from the user object name attribute:
<PREFIX>.all.users.username.attribute=uid
 
To perform a search without a timeout:
<PREFIX>.all.users.search.timeout=0
Get All Users Under Container ou=people
This search context finds only users under container ou=people:
<PREFIX>.all.users.search.context=ou=people
 
This search finds only users that match the objectclass filter:
<PREFIX>.all.users.filter=(&(objectclass=person))
 
This search retrieves user names from this user object name attribute:
<PREFIX>.all.users.username.attribute=uid
 
To specify a search that does not have a timeout (infinite search timeout):
<PREFIX>.all.users.search.timeout=0
Get All Groups
Using a null value (blank) starts searching from the root node and retrieves all groups:
<PREFIX>.all.groups.search.context=
 
To find only those groups that match the objectclass filter:
<PREFIX>.all.groups.filter=(&(objectclass=groupofuniquenames))
 
To retrieve group names within this group object name attribute:
<PREFIX>.all.groups.groupname.attribute=cn
 
To specify a search that does not have a timeout (infinite search timeout):
<PREFIX>.all.groups.search.timeout=0
Get All Groups Under Container ou=groups
This search context finds only groups under the container ou=groups:
<PREFIX>.all.groups.search.context=ou=groups
 
To find only groups that match the objectclass filter:
<PREFIX>.all.groups.filter=(&(objectclass=groupofuniquenames))
 
To retrieve group names from this group object name attribute:
<PREFIX>.all.groups.groupname.attribute=cn
 
To specify a search that does not have a timeout (infinite search timeout):
<PREFIX>.all.groups.search.timeout=0
Directory User Authentication
TDV LDAP user authentication that depends on directory servers requires the following configuration before users can authenticate through a TDV interface:
The LDAP server must be configured for use.
The LDAP domain must be configured for use in the Manager console.
Specific Directory groups within the specified domain must be authorized to use TDV defined resources.
Note: All members of TDV authorized LDAP groups have the basic set of privileges granted to the all group. Other resource privileges and TDV rights must be assigned explicitly to the LDAP group or to the individual user.
Only users who are members of the specified domain and authorized groups can authenticate properly using TDV resources.
All LDAP users trying to authenticate against an LDAP server need to use the same username attribute value in both of the settings below:
<PREFIX>.user.filter=(&(uid=USERNAME)(objectclass=person))
<PREFIX>.user.username.attribute=uid
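
A consistency check for the two settings above, as an added example that is not part of the TDV documentation or product: it reads ldap.properties text, splits “|”-separated search contexts, and reports when the attribute that user.filter matches against USERNAME differs from user.username.attribute. The sample file content and function names are constructed, and the parser assumes plain key=value lines.

```python
import re

# Constructed ldap.properties fragment; "activedirectory" stands in for <PREFIX>.
# The filter attribute (cn) is deliberately different from the username attribute (uid).
SAMPLE = """\
activedirectory.user.filter=(&(cn=USERNAME)(objectclass=person))
activedirectory.user.username.attribute=uid
activedirectory.all.groups.search.context=cn=users|cn=users2
activedirectory.all.users.search.context=
"""


def load_properties(text):
    """Parse key=value lines, splitting on the first '=' only because values contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def search_contexts(value):
    """Split a search context on '|'; a blank value means search from the root node."""
    return [c.strip() for c in value.split("|") if c.strip()] or [""]


def check_username_attribute(props, prefix):
    """Return a list of problems when user.filter and user.username.attribute disagree."""
    flt = props.get(prefix + ".user.filter", "")
    attr = props.get(prefix + ".user.username.attribute", "")
    # Attributes that the filter compares against the USERNAME placeholder.
    in_filter = re.findall(r"\(\s*([A-Za-z0-9.;-]+)\s*=\s*USERNAME\s*\)", flt)
    problems = []
    if not in_filter:
        problems.append("user.filter has no (attr=USERNAME) term")
    for name in in_filter:
        if name.lower() != attr.lower():  # LDAP attribute names are case-insensitive
            problems.append(f"user.filter matches USERNAME on '{name}' but "
                            f"user.username.attribute is '{attr}'")
    return problems
```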