Aruba
Posts: 1,635
Registered: ‎04-13-2009

LDAP Search Filter and @SEARCH@

I am attempting to customize a Server that is to be used for sponsored guest lookups. The server is defined and working just fine to AD. We are now looking to write a custom LDAP filter to only allow searching within 1 of 3 OUs. I've tried typical LDAP search filters, but when trying to save, we get a message that says:

User search incorrectly configured (Filter must contain the keyword @SEARCH@).

I am lost with the @SEARCH@ function/variable and can't seem to find any documentation on it. Any help is appreciated.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: LDAP Search Filter and @SEARCH@


Where are you trying to put the filter?

You should define the OU filter in the Server URL: ldap://10.80.2.200/ou=IT Services,ou=Departments,DC=lab,DC=abc,DC=com if you want to just search that OU

[Screenshot: ldapfilter.png]

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: LDAP Search Filter and @SEARCH@

I am trying to search within 3 different OUs, all at the root of the tree. I am doing it under the custom LDAP filter under User Search (below). Alternatively, is it possible to have the sponsor lookup form use more than one server definition? I can create multiple instances pointing at each OU, but when doing the lookup on the sponsor page, it only looks at the first one.

[Screenshot: cpg-search.jpg]


Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: LDAP Search Filter and @SEARCH@

That is for field filters so you can trigger on user attributes, username, etc. I don't believe you can use that for group membership.

sAMAccountName = id
displayName = text
# title = desc
userPrincipalName = desc

Thank You,
Troy

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: LDAP Search Filter and @SEARCH@

You might be able to construct a query something like this, to match users in one of three different OUs.

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match one of these OUs
    (ou=MY_FIRST_OU)
    (ou=MY_SECOND_OU)
    (ou=MY_THIRD_OU)
  )
  (|
    # Match on either user ID or display name - anywhere in the string
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
  )
)

I'm not sure if this will work as I haven't tried it, but it might give you a path forward...

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: LDAP Search Filter and @SEARCH@

Thanks Dave; you definitely put me on the right path. Upon testing, I discovered that the lookup does not reveal the OU structure, nor does Active Directory support search filters based on the DN (which has the OU in it)... so I have resorted to group memberships.

For anyone interested, the custom LDAP search expression is as follows. This will only show the guest members of these three groups when they put in their sponsor's name on the registration page. The @SEARCH@ function which I initially questioned was answered by Dave (Thank you!) and I added some options so that the search could be on the account name, display name, first name, or last name.


(&(objectClass=user)(objectCategory=person)
(|(memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)(memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)(memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com))(|(sAMAccountName=*@SEARCH@*)(displayName=*@SEARCH@*)(cn=*@SEARCH@*)(sn=*@SEARCH@*)(givenName=*@SEARCH@*)))


Aruba
Posts: 113
Registered: ‎11-21-2011

Re: LDAP Search Filter and @SEARCH@

Great to hear you were able to get it working.

Also note, the "Filter Expression" field you enter that into supports multiple line entry AND comment lines, as shown in my post above.

The whitespace and comments are stripped out when the filter is actually used, so this doesn't impact on the actual LDAP query performed.

This can help when you have a complicated expression and you want to make the intent behind it clearer.

For clarity, your expression could be written as:

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)
    (memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)
    (memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com)
  )
  (|
    # Match users by any of these criteria
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
    (cn=*@SEARCH@*)
    (sn=*@SEARCH@*)
    (givenName=*@SEARCH@*)
  )
)

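The following Python script is an added illustration, not code from this thread or from ClearPass. It shows what the "Filter Expression" handling described above amounts to: the commented, multi-line template is collapsed to the single-line filter that actually goes to AD (for the three-group template this reproduces the one-line expression posted earlier in the thread exactly), and the user-typed sponsor name is substituted for @SEARCH@. Because the search term comes straight from a guest-facing form, the example also escapes it per RFC 4515 before substitution, so characters like `*`, `(` and `)` are matched literally instead of being parsed as filter syntax; that escaping step is added here for defensive clarity, and the exact stripping rules of the real field (the assumption here is that comments are whole lines starting with `#`, indentation and line breaks are removed, and spaces inside values such as `ou=IT Services` are kept) are inferred from the description in the post, not taken from product documentation.

```python
# Added example (not ClearPass code): render a multi-line Filter Expression
# template into the single-line LDAP filter that is actually sent, escaping
# the user-supplied search term before it replaces @SEARCH@.

# Template copied from the thread, in the commented multi-line style.
GROUP_FILTER_TEMPLATE = """
(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)
    (memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)
    (memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com)
  )
  (|
    # Match users by any of these criteria
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
    (cn=*@SEARCH@*)
    (sn=*@SEARCH@*)
    (givenName=*@SEARCH@*)
  )
)
"""

# Exact-match variant posted later in the thread: no wildcards around
# @SEARCH@, so only a complete mail address can match.
MAIL_FILTER_TEMPLATE = """
(&
  (objectClass=user)
  (objectCategory=person)
  (|
    (memberOf=CN=Group1,DC=company,DC=com)
  )
  (|
    (mail=@SEARCH@)
  )
)
"""

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally (RFC 4515, section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_filter(template: str) -> str:
    """Drop comment and blank lines, strip indentation, and join what is left.
    Assumption: comments are whole lines starting with '#'; spaces inside a
    value (e.g. 'ou=IT Services') are preserved."""
    kept = []
    for line in template.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kept.append(line)
    return "".join(kept)


def check_balanced(filter_text: str) -> bool:
    """True when every '(' is closed by a ')' in the right order."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_filter(template: str, search_term: str) -> str:
    """Build the final filter for one lookup. Rejects a template without the
    @SEARCH@ keyword (the same condition the field itself reports) or with
    unbalanced parentheses; escaping happens after the structural check so
    the user's input can never alter the filter's structure."""
    normalized = normalize_filter(template)
    if "@SEARCH@" not in normalized:
        raise ValueError("Filter must contain the keyword @SEARCH@")
    if not check_balanced(normalized):
        raise ValueError("unbalanced parentheses in filter")
    return normalized.replace("@SEARCH@", escape_filter_value(search_term))


if __name__ == "__main__":
    print(render_filter(GROUP_FILTER_TEMPLATE, "smith"))
    print(render_filter(MAIL_FILTER_TEMPLATE, "jane.doe@company.com"))
    # Filter metacharacters typed into the form are neutralised by escaping.
    print(render_filter(MAIL_FILTER_TEMPLATE, "*)(mail=*"))
```

Running the script prints the collapsed three-group filter with `*smith*` in each of the five attribute clauses, then the exact-match mail filter, and finally the same mail filter with the hostile-looking term rendered as `(mail=\2a\29\28mail=\2a)`, i.e. as a literal string that matches nothing rather than as additional filter clauses.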

Frequent Contributor I
Posts: 87
Registered: ‎03-18-2013

Re: LDAP Search Filter and @SEARCH@

Awesome... exactly what I'm looking for. Thanks a lot.

Ricky E. Lee
CWNA | ACMP | ACCP
Contributor I
Posts: 25
Registered: ‎11-25-2013

Re: LDAP Search Filter and @SEARCH@

This was extremely helpful. However, do you have any tweaks that I could do to not autosearch as the user is typing? I effectively want the user to enter the full email and then perform the lookup to validate the email in LDAP.

Currently I'm using this custom LDAP filter below. This forces the user to enter the full email. However, as the user is typing the ajax call is verifying, and if I pause in the middle of the email the error 'Cannot Search for Users' is returned. At the very least, if I could change the error message to something like 'email address not found' that would be a huge win.

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf=CN=Group1,DC=company,DC=com)
  )
  (|
    # Match users by any of these criteria
    (mail=@SEARCH@)
  )
)


Thanks,

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: LDAP Search Filter and @SEARCH@

I just tried the same filter that you put in and I see the following.

When stopping on an account that does not exist, I don't see any error, just this:

[Screenshot: cpg-lookup-fail.png]

When completing a valid email I get this:

[Screenshot: cpg-lookup-good.png]


