Contributor I

Re: LDAP Search Filter and @SEARCH@

Clembo,

 

Thanks for testing it out. I've tried several things but can't replicate what you get. I still get the error. What version of CPPM are you using? I'm using 6.3.0.60730

 

Thanks,

Re: LDAP Search Filter and @SEARCH@

jobrafi,

 

First check the Select2 options you have on the search.

 

placeholder = (Type the email of your sponsor)
maximumSelectionSize = 2
minimumInputLength = 10
_advancedRender = 1
ajax.dataType = sajax
ajax.url = NwaLdapSponsorUserSearchAjax
ajax.args.server = Copy of CPLab AD
ajax.quietMillis = 500

 

 

 

This might not be what you are looking for but I wanted to add this also to the thread.

 

In the sponsor lookup you can make a couple of tweaks.

 

The as-you-type piece is controlled by the Select 2 Options and things to look out for are the minimum length before searching starts.  The quietMillis controls the minimum time taken before initiating a new call as more characters are typed.  For obvious reasons you want this value greater than the time the call itself is taking.  If you have a giant directory you will need to tweak both of these.

 

asyoutype2.png

 

asyoutype1.png

 

asutype.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor I

Re: LDAP Search Filter and @SEARCH@

Thanks Troy,

 

I already had this in the Select2 Options. As you mentioned, I do have a large LDAP structure. I've tweaked the quietMillis and the minimumInputLength and I'm still getting the error.

 

placeholder = (Type the email of your sponsor)
maximumSelectionSize = 2
minimumInputLength = 2
_advancedRender = 1
ajax.dataType = sajax
ajax.url = NwaLdapSponsorUserSearchAjax
ajax.args.server = adserverlookup
ajax.quietMillis = 500

 

I'm wondering if this has something to do with the LDAP lookup. When I do a test Lookup against LDAP with a valid account I get an array with all the details. However when I perform the lookup using a nonvalid account I get the following array. I assume the Lookup happened but nothing returned. I wonder if the Error I'm seeing in the UI is triggered from this array result.

 

 

array (
  'error' => 1,
  'errors' => 
  array (
    20 => 
    array (
      'error' => 1,
      'message' => 'Lookup failed',
    ),
  ),
)

Re: LDAP Search Filter and @SEARCH@

Sounds like your filters might be off. Are you using a custom filter or the default?

 

filter.png

 

My filter is a little different since I was doing some testing but it should give you an idea.

 

Here is a good page to help you with syntax.

 

http://msdn.microsoft.com/en-us/library/aa746475.aspx

 

 

Thank You,
Troy

Contributor I

Re: LDAP Search Filter and @SEARCH@

I'm using the custom LDAP filter. With the filter I'm trying to force the user to input a valid email without leaking information about other possible matches. Thus the match must exactly be the email in the mail attribute. The filter works, but the downside is the error that is returned until the email is fully entered and matched.

 

I might be going about this all wrong to meet my requirement and I'm open to other possible configs. I see the Select2 Hook may be one direction, by checking the input as a valid email and then perform the ajax call in the Select2. However I'm not familiar with select2 and how that email validation should be written.

 

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf=CN=Group1,DC=company,DC=com)
  )
  (|
    # Match users by any of these criteria
    (mail=@SEARCH@)
  )
)
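
The gating idea from the post above, as an added example that is not part of the original post and is not ClearPass or Select2 code: a lookup filter is built only once the typed term is a complete address in the expected domain, and the value is escaped per RFC 4515 before it replaces @SEARCH@. The function names and the domain example.com are assumptions. A browser-side check like this only suppresses premature lookups, so the exact-match filter on the server remains the actual control.

```javascript
// Added example: hypothetical helpers, not part of ClearPass or Select2.
// ALLOWED_DOMAIN is a constructed placeholder value.
const ALLOWED_DOMAIN = "example.com";

// Conservative local-part check: letters, digits and . _ % + - only.
const LOCAL_PART = /^[A-Za-z0-9._%+-]{1,64}$/;

// True only when the typed term is a complete address in the allowed domain.
// Until then no lookup should be sent, so partial input never reaches LDAP.
function isCompleteSponsorEmail(term, domain = ALLOWED_DOMAIN) {
  if (typeof term !== "string") return false;
  const value = term.trim();
  const at = value.lastIndexOf("@");
  if (at < 1) return false;
  const local = value.slice(0, at);
  const host = value.slice(at + 1).toLowerCase();
  return LOCAL_PART.test(local) && host === domain.toLowerCase();
}

// Escape a value for use inside an LDAP filter assertion (RFC 4515):
// \ * ( ) and NUL become \5c \2a \28 \29 \00.
function escapeLdapFilterValue(value) {
  return value.replace(/[\\*()\0]/g, (ch) =>
    "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Substitute the escaped term for the @SEARCH@ token, or return null when the
// term is not yet a complete address (caller shows "keep typing" instead).
function buildExactMatchFilter(template, term) {
  if (!isCompleteSponsorEmail(term)) return null;
  return template.split("@SEARCH@").join(escapeLdapFilterValue(term.trim()));
}

// Constructed sample input: partial, wildcard and complete terms.
const template = "(&(objectClass=user)(objectCategory=person)(mail=@SEARCH@))";
for (const typed of ["jane.d", "jane.doe@example.c", "*@example.com",
                     "jane.doe@example.com"]) {
  console.log(JSON.stringify(typed), "->", buildExactMatchFilter(template, typed));
}
```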

Re: LDAP Search Filter and @SEARCH@

***First off I would just use the default settings and test your LDAP lookup and make sure that is all working first***

 

OK, so I did some testing; here is a setup that I was able to put together.

 

screenshot_13 Feb. 12 21.56.gif

 

screenshot_09 Feb. 12 21.30.gif

 

For the server setting I did just a custom filter.

 

1. Custom Filter expression (code below)

2. I changed the search result to only return 1 result.

3. Bottom half default

4. In the display attributes I commented out the sAMAccountName.

 

screenshot_08 Feb. 12 21.28.gif

 

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users by any of these criteria
    (userPrincipalName=@SEARCH@)
  )
)

 

 

 

In the Self-Reg page I changed the sponsor lookup field.

 

1. Modified the AD setting

2. One option I would recommend is to change the minimumInputLength = 22

         ( I would make it min the length of the domain)

       

For example: my domain in my lab is @lab.clearpassdemo.com = 22

 

That way the search won't start until I get most of the way through typing the email address.

 

screenshot_12 Feb. 12 21.47.gif

 

Thank You,
Troy

Contributor I

Re: LDAP Search Filter and @SEARCH@

Troy,

 

I greatly appreciate your patience and persistence with this issue. The config you put together below is the actual config that I have in place (minimum character search equals domain length/return only exact match of mail/return 1 matching result). This works flawlessly with the one exception which I'm trying to correct. That is the error of Cannot Search for Users rather than the No User found when an email entry isn't found or a user pauses after the minimum character limit has been reached and the user hasn't fully populated the correct email.

 

I used the default LDAP filter and I get the same error.

 

 

Contributor I

Re: LDAP Search Filter and @SEARCH@

Not sure if this helps, but when doing a firebug on the page. After the POST occurs for the non-valid user, this response is returned.

 

 +:var res = { "error": parseInt(1), "message": 'Cannot search for users.', "config_error": parseInt(1) }; res;

Re: LDAP Search Filter and @SEARCH@

That is why I suggested to test without the custom filter first. From the errors I saw you were running into it sounded like the standard search was not correct. Once that is working then you can add the custom filter.

 

In my last suggestion I removed the mail=@search@ and changed it to userPrincipalName=@search@ once  you get the basic setup working.

Thank You,
Troy

Contributor I

Re: LDAP Search Filter and @SEARCH@

Troy,

 

I think I've narrowed it down. I believe the issue is that my LDAP query is against a global catalog server, and the response it sends back must be different than querying regular LDAP. I'm still working out the exact details, but long story short: when I point to the LDAP server over 389 I get the No Matches Found. When I point to the Global Catalog I get the error of Cannot Search for Users.

 

Thanks so much for your help!
