Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LDAP Search Filter and @SEARCH@

  • 1.  LDAP Search Filter and @SEARCH@

    Posted Sep 18, 2013 05:55 PM

    I am attempting to customize a Server that is to be used for sponsored guest lookups.   The server is defined and working just fine to AD.  We are now looking to write a custom LDAP filter to only allow searching within 1 of 3 OUs.     I've tried typical LDAP search filters, but when trying to save, we get a message that says:

     

    User searchy incorrectly configured (Filter must contain the keyword @SEARCH@).

     

    I am lost with the @SEARCH@ function/variable and can't seem to find any documentation on it.  Any help is appreciated.



  • 2.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Sep 18, 2013 11:27 PM

    Where are you trying to put the filter?

     

    You should define the OU filter in the Server URL: ldap://10.80.2.200/ou=IT Services,ou=Departments,DC=lab,DC=abc,DC=com if you want to just search that OU.

     

    ldapfilter.png

     



  • 3.  RE: LDAP Search Filter and @SEARCH@

    Posted Sep 19, 2013 07:40 AM

    I am trying to search within 3 different OUs, all at the root of the tree. I am doing it under the custom LDAP filter under User Search (below). Alternatively, is it possible to have the sponsor lookup form use more than one server definition? I can create multiple instances pointing at each OU, but when doing the lookup on the sponsor page, it only looks at the first one.

     

    cpg-search.jpg



  • 4.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Sep 19, 2013 09:44 AM

    That is for field filters so you can trigger on user attributes (username, etc.). I don't believe you can use that for group membership.

     

    sAMAccountName = id
    displayName = text
    # title = desc
    userPrincipalName = desc



  • 5.  RE: LDAP Search Filter and @SEARCH@

    Posted Sep 19, 2013 02:24 PM

    You might be able to construct a query something like this, to match users in one of three different OUs.

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match one of these OUs
        (ou=MY_FIRST_OU)
        (ou=MY_SECOND_OU)
        (ou=MY_THIRD_OU)
      )
      (|
        # Match on either user ID or display name - anywhere in the string
        (sAMAccountName=*@SEARCH@*)
        (displayName=*@SEARCH@*)
      )
    )

     

    I'm not sure if this will work as I haven't tried it, but it might give you a path forward...



  • 6.  RE: LDAP Search Filter and @SEARCH@
    Best Answer

    Posted Sep 19, 2013 09:27 PM

    Thanks Dave; you definitely put me on the right path. Upon testing, I discovered that the lookup does not reveal the OU structure, nor does Active Directory support search filters based on the DN (which has the OU in it), so I have resorted to group memberships.

    For anyone interested, the custom LDAP search expression is as follows. This will only show the guest members of these three groups when they put in their sponsor's name on the registration page. The @SEARCH@ function which I initially questioned was answered by Dave (Thank you!) and I added some options so that the search could be on the account name, display name, first name, or last name.

     

    (&(objectClass=user)(objectCategory=person)
    (|(memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)(memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)(memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com))(|(sAMAccountName=*@SEARCH@*)(displayName=*@SEARCH@*)(cn=*@SEARCH@*)(sn=*@SEARCH@*)(givenName=*@SEARCH@*)))



  • 7.  RE: LDAP Search Filter and @SEARCH@

    Posted Sep 20, 2013 01:53 PM

    Great to hear you were able to get it working.

     

    Also note, the "Filter Expression" field you enter that into supports multiple line entry AND comment lines, as shown in my post above.

     

    The whitespace and comments are stripped out when the filter is actually used, so this doesn't impact the actual LDAP query performed.

     

    This can help when you have a complicated expression and you want to make the intent behind it clearer.

     

    For clarity, your expression could be written as:

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in any of these groups
        (memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)
        (memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)
        (memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com)
      )
      (|
        # Match users by any of these criteria
        (sAMAccountName=*@SEARCH@*)
        (displayName=*@SEARCH@*)
        (cn=*@SEARCH@*)
        (sn=*@SEARCH@*)
        (givenName=*@SEARCH@*)
      )
    )

     



  • 8.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 11, 2014 05:16 PM

    This was extremely helpful. However, do you have any tweaks that I could do to not autosearch as the user is typing? I effectively want the user to enter the full email and then perform the lookup to validate the email in LDAP.

    Currently I'm using the custom LDAP filter below. This forces the user to enter the full email. However, as the user is typing the ajax call is verifying, and if I pause in the middle of the email the error 'Cannot Search for Users' is returned. At the very least, if I could change the error message to something like 'email address not found' that would be a huge win.

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in any of these groups
        (memberOf=CN=Group1,DC=company,DC=com)
      )
      (|
        # Match users by any of these criteria
        (mail=@SEARCH@)
      )
    )

     

    Thanks,



  • 9.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 12, 2014 11:31 AM

    I just tried the same filter that you put in and I see the following.

     

    When stopping on an account that does not exist, I don't see any error, just this:

    cpg-lookup-fail.png

     

    When completing a valid email I get this:

    cpg-lookup-good.png

     



  • 10.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 12, 2014 11:59 AM

    Clembo,

     

    Thanks for testing it out. I've tried several things but can't replicate what you get. I still get the error. What version of CPPM are you using? I'm using 6.3.0.60730

     

    Thanks,



  • 11.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 12, 2014 09:04 AM

    Hi Guys,

    I have an issue with this function.

     

    When I perform a lookup, I don't receive a string value... and I don't receive the sponsor's email but the name.
    (this is the biggest problem)

    The idea is that if a guest writes the sponsor's name, for example "Jhon", he receives a list of possible choices like:
    jhon.smith@company.com
    jhon.brown@company.com
    jhon.anderson@company.com

    and he can select one.
    Does the lookup have to be done with the criterion "is member of 'sponsor group'"?

     

    Can you help me?

    Thanks in advance

    Best regards



  • 12.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Apr 12, 2014 05:51 PM

    Andrea,

     

    In CPPM Guest, go to Administration> Plugin Manager> LDAP Sponsor Lookup.  Click on the Configuration button.  What settings do you have there?

     



  • 13.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 13, 2014 11:06 PM

    Hi Andrea,

     

    Check your LDAP config in Administration | Operator Logins | Servers.

    Check the server URL and put something like this:

    ldap://dc01.*****.co.id/dc=******,dc=co,dc=id (dc01 is your primary DC server; change the stars to your domain name). Don't put the sub-group here, it won't work.

    My implementation was pretty much like yours; you can try my rules:

     

    (&
    (objectClass=user)(objectCategory=person)
    (|
    # change stars to your domain name
    (memberOf=CN=Sponsor Aruba,OU=Groups,DC=*****,DC=co,DC=id)
    )
    (|
    (cn=*@SEARCH@*)
    )
    )

     

    Good luck,

    Ricky E. Lie



  • 14.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 14, 2014 10:54 AM

    Andrea,

     

    I think you will have a combination of things. There will be the value that you search against, and then there is the value you are displaying to the user. These are independently configured; however, they can be the same criteria. First is your search.
    You'll want to do a custom LDAP filter under User Search. I use the following. However, you'll be interested in the @SEARCH@. This is the string you will search against. Use the attribute that you want to do the lookups against. In this case I'm using email addresses. I'm also forcing the user to enter an exact email address with the @SEARCH@. If you want to return results as the user types in the criteria, then use the *@SEARCH@*.

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in any of these groups
        (memberOf=CN=group,DC=xx,DC=company,DC=com)
      )
      (|
        # Match users by any of these criteria
        #(mail=@SEARCH@)
        (proxyAddresses=smtp:@SEARCH@)
      )
    )

     

    Now you have the separate issue of display. This is configured under Display Attributes.

     

    Here enter the attributes you want to display as your match is made. For example.

    displayName = text
    company = desc

     

     

    So in your case, since you are searching on name you may want to use something like displayName=*@SEARCH@* in the search section.

     

    In the display section since you only want to return the emails, then use something like

    mail=text



  • 15.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 16, 2014 05:38 PM

    Hi,
    Thank you, I hope that in the next days I will be able to try this solution.





  • 16.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 18, 2014 08:54 AM

    Hi Guys,

    I have used this filter:

     

    (&(mail=*@SEARCH@*)(!(samaccountname=account))(!(mail=*word*))(|(memberof=CN=,OU=Groups,OU=,OU=,DC=,DC=)(memberof=)(memberof=)(memberof=)))

     

    So I can find only the users that are in one of these groups ("memberof="), that aren't this person ("samaccountname=account") and that have an email that does not contain this word ("mail=*word*").

    I hope this can help you.



  • 17.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 06, 2016 09:40 AM

    Hi,

     

    We need to use the search_lookup, but we don't want 7-8 mails to appear in the box.

    How can we configure this?

    As a blacklist of VIPs.

     

    Thanks



  • 18.  RE: LDAP Search Filter and @SEARCH@

    Posted Apr 08, 2016 08:38 AM

    Hi,

    I think that you need to use this filter:

    ------------------------------------
    (&
    (givenname=@SEARCH@*)
    (|
    # Match users in any of these groups
    (memberOf=CN=wireless,CN=Users,DC=CONSYS,DC=IT)
    )
    # Exclude users whose given name must not be shown
    (!(givenname=*User Name that not must be shown*))
    (!(givenname=*User Name that not must be shown*))
    (!(givenname=*User Name that not must be shown*))
    .
    .
    (!(givenname=*User Name that not must be shown*))
    )
    ------------------------------------

    Example:
    ------------------------------------
    (&
    (givenname=@SEARCH@*)
    (|
    # Match users in any of these groups
    (memberOf=CN=wireless,CN=Users,DC=CONSYS,DC=IT)
    )
    # Exclude these users from the results
    (!(givenname=*Steve Rogers*))
    (!(givenname=*Peter Parker*))
    (!(givenname=*Tony Stark*))
    )
    ------------------------------------

    Remember that " * " is a wild card, so:
    *name = ends with
    name* = starts with
    *name* = contains
    name = exact match

     

    Regards

    Andrea Acampa
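
The filter handling this thread describes (comment and whitespace stripping from post 7, the @SEARCH@ keyword check and substitution, and the wildcard table in post 18), as an added Python example that is not ClearPass code and not from any post in this thread. The template text, the function names and the RFC 4515 escaping applied to the guest-typed value are my assumptions about how the field should be treated, not documented product behaviour.

```python
import re

# Constructed example of a ClearPass-style multi-line "Filter Expression"
# with comment lines, laid out the way the posts in this thread show it.
FILTER_TEMPLATE = """(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)
    (memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)
  )
  (|
    # Match users by any of these criteria
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
  )
)"""

def compact_filter(template: str) -> str:
    """Drop '#' comment lines and whitespace, as the thread says the field
    is collapsed before the query is sent to the directory."""
    lines = (ln.strip() for ln in template.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("#"))

def escape_search_value(value: str) -> str:
    """RFC 4515 escaping of the guest-typed string (assumed here): '*', '(',
    ')', '\\' and NUL become literals, so typed input cannot widen or rewrite
    the filter around @SEARCH@ while the template's own '*' wildcards stay."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def balanced(expr: str) -> bool:
    """True when every '(' in the compacted filter has a matching ')'."""
    depth = 0
    for ch in expr:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def render_filter(template: str, search: str) -> str:
    """Compact the template, enforce the @SEARCH@ keyword the UI insists on,
    substitute the escaped search string and check the result is well-formed."""
    compact = compact_filter(template)
    if "@SEARCH@" not in compact:
        raise ValueError("Filter must contain the keyword @SEARCH@")
    rendered = compact.replace("@SEARCH@", escape_search_value(search))
    if not balanced(rendered):
        raise ValueError("unbalanced parentheses in filter template")
    return rendered

def wildcard_kind(pattern: str) -> str:
    """Classify a value pattern using the wildcard table from the thread."""
    starts, ends = pattern.startswith("*"), pattern.endswith("*")
    return {(True, True): "contains", (True, False): "ends with",
            (False, True): "starts with"}.get((starts, ends), "exact match")

def value_matches(pattern: str, value: str) -> bool:
    """Case-insensitive match as AD applies it to a string attribute: '*' is
    the only wildcard; every other character in the pattern is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None
```

Rendering the template with a search string such as `*)(objectClass=*` shows the point of the escaping: the typed characters land inside the value as `\2a\29\28...`, so the rendered filter still has exactly the shape the template defined.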



  • 19.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Feb 12, 2014 01:51 PM

    jobrafi,

     

    First check the Select2 options you have on the search.

     

    placeholder = (Type the email of your sponsor)
    maximumSelectionSize = 2
    minimumInputLength = 10
    _advancedRender = 1
    ajax.dataType = sajax
    ajax.url = NwaLdapSponsorUserSearchAjax
    ajax.args.server = Copy of CPLab AD
    ajax.quietMillis = 500

     

     

     

    This might not be what you are looking for, but I wanted to add this to the thread as well.

    In the sponsor lookup you can make a couple of tweaks.

    The as-you-type piece is controlled by the Select2 Options, and the things to look out for are the minimum length before searching starts. The quietMillis controls the minimum time taken before initiating a new call as more characters are typed. For obvious reasons you want this value greater than the time the call itself is taking. If you have a giant directory you will need to tweak both of these.

     

    asyoutype2.png

     

    asyoutype1.png

     

    asutype.png



  • 20.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 12, 2014 04:13 PM

    Thanks Troy,

     

    I already had this in the Select2 Options. As you mentioned, I do have a large LDAP structure. I've tweaked the quietMillis and the minimumInputLength and I'm still getting the error.

     

    placeholder = (Type the email of your sponsor)
    maximumSelectionSize = 2
    minimumInputLength = 2
    _advancedRender = 1
    ajax.dataType = sajax
    ajax.url = NwaLdapSponsorUserSearchAjax
    ajax.args.server = adserverlookup
    ajax.quietMillis = 500

     

    I'm wondering if this has something to do with the LDAP lookup. When I do a test Lookup against LDAP with a valid account I get an array with all the details. However when I perform the lookup using a nonvalid account I get the following array. I assume the Lookup happened but nothing returned. I wonder if the Error I'm seeing in the UI is triggered from this array result.

     

     

    array (
      'error' => 1,
      'errors' => 
      array (
        20 => 
        array (
          'error' => 1,
          'message' => 'Lookup failed',
        ),
      ),
    )


  • 21.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Feb 12, 2014 04:33 PM

    Sounds like your filters might be off. Are you using a custom filter or the default?

     

    filter.png

     

    My filter is a little different since I was doing some testing, but it should give you an idea.

     

    Here is a good page to help you with syntax.

     

    http://msdn.microsoft.com/en-us/library/aa746475.aspx

     

     



  • 22.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 12, 2014 04:41 PM

    I'm using the custom LDAP filter. With the filter I'm trying to force the user to input a valid email without leaking information about other possible matches. Thus the match must be exactly the email in the mail attribute. The filter works, but the downside is the error that is returned until the email is fully entered and matched.

     

    I might be going about this all wrong to meet my requirement and I'm open to other possible configs. I see the Select2 Hook may be one direction, by checking the input as a valid email and then perform the ajax call in the Select2. However I'm not familiar with select2 and how that email validation should be written.

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in any of these groups
    (memberOf=CN=Group1,DC=company,DC=com)
      )
      (|
        # Match users by any of these criteria
         (mail=@SEARCH@)
      )
    )



  • 23.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Feb 12, 2014 11:02 PM

    ***First off I would just use the default settings and test your LDAP lookup and make sure that is all working first***

     

    OK, so I did some testing; here is a setup that I was able to put together.

     

    screenshot_13 Feb. 12 21.56.gif

     

    screenshot_09 Feb. 12 21.30.gif

     

    For the server setting I did just a custom filter.

     

    1. Custom Filter expression (code below)

    2. I changed the search result to only return 1 result.

    3. Bottom half default

    4. In the display attributes I commented out the sAMAccountName.

     

    screenshot_08 Feb. 12 21.28.gif

     

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users by any of these criteria
         (userPrincipalName=@SEARCH@)
      )
    )

     

     

     

    In the Self-Reg page I changed the sponsor lookup field.

     

    1. Modified the AD setting

    2. One option I would recommend is to change the minimumInputLength = 22
       (I would make it the minimum the length of the domain)

    For example: my domain in my lab is @lab.clearpassdemo.com = 22

    That way the search won't start until I get most of the way through typing the email address.

     

    screenshot_12 Feb. 12 21.47.gif

     



  • 24.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 10:50 AM

    Troy,

     

    I greatly appreciate your patience and persistence with this issue. The config you put together below is the actual config that I have in place (minimum character search equals domain length/return only exact match of mail/return 1 matching result). This works flawlessly with the one exception which I'm trying to correct. That is the error of Cannot Search for Users rather than the No User found when an email entry isn't found or a user pauses after the minimum character limit has been reached and the user hasn't fully populated the correct email.

     

    I used the default LDAP filter and I get the same error.

     

     



  • 25.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 12:29 PM

    Not sure if this helps, but when doing a firebug on the page. After the POST occurs for the non-valid user, this response is returned.

     

     +:var res = { "error": parseInt(1), "message": 'Cannot search for users.', "config_error": parseInt(1) }; res;



  • 26.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Feb 13, 2014 01:07 PM

    That is why I suggested to test without the custom filter first. From the errors I saw you were running into, it sounded like the standard search was not correct. Once that is working then you can add the custom filter.

     

    In my last suggestion I removed the mail=@search@ and changed it to userPrincipalName=@search@ once  you get the basic setup working.



  • 27.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 04:54 PM

    Troy,

     

    I think I've narrowed it down. I believe the issue is that my LDAP query is against a global catalog server. And the response it sends back must be different than querying regular LDAP. I'm still working out the exact details, but long story short. When I point to the LDAP server over 389 I get the No Matches Found. When I point to the Global Catalog I get error of Cannot Search for Users.

     

    Thanks so much for your help!



  • 28.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 05:12 PM

    Curious, on your LDAP server definition for Operator Logins, how are you specifying the GC port (3268) vs. LDAP (389).  Did you put it into the URL field itself?

     

    You can also try and target the root domain in the URL to see if that helps.  I've seen odd issues without it in general (not specific to lookups).

     

    ldap://dc1.domain.com/dc=domain,dc=com

     

     



  • 29.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 05:31 PM

    Exactly I put it in as

     

    ldap://dc1.domain.com:3268/dc=domain,dc=com

     

    But now that I've been testing it looks like it might not be the global catalog but the subdomain added at the end.

     

    So using the entry below

     

    ldap://dc1.domain.com:3268/dc=domain,dc=com

     

    I'm able to lookup entries across multiple subdomains but I get the error when I do a lookup for a non-valid entry

     

    With this config

     

    ldap://dc1.domain.com:3268/dc=subdomain,dc=domain,dc=com

     

    I'm restricted to lookups within that subdomain but I do get the No User Found rather than the other Error.

     

    I'm still tinkering with it to try and identify the exact issue.



  • 30.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 13, 2014 08:22 PM

    Not sure how many subdomains you have, but what if you add multiple operator servers, one for each of them? Troy (if you're still listening), will sponsor lookup look through all the LDAP servers set for "User Search", or can you specify certain ones in the Select2 function?



  • 31.  RE: LDAP Search Filter and @SEARCH@

    EMPLOYEE
    Posted Feb 14, 2014 12:14 AM

    Just remember the help button has a lot of the how-tos.

     

    Depending on what side of CPPM you are on it will pull the help for the page you are on. 

     

    Here is a link to the LDAP section; just replace the CPPM with your server IP address.

     

    https://CPPM/guest/help/Default.htm#OperatorLogins/ExternalOperatorAuthentication.htm%3FTocPath%3DOperator%20Logins%7CExternal%20Operator%20Authentication%7C_____0

     

    screenshot_07 Feb. 13 23.04.gif



  • 32.  RE: LDAP Search Filter and @SEARCH@

    Posted Feb 14, 2014 11:01 AM

    Clembo,

     

    I thought about that also. I created several LDAP instances that started at the subdomain level. However the issue is when I get to the Select2 Options in the Sponsor Lookup, I couldn't add two servers to the ajax.args.server. I tried with a comma with no luck. I also referenced the Select2 GitHub pages and couldn't find anything that would help.

     

    http://ivaynberg.github.io/select2/



  • 33.  RE: LDAP Search Filter and @SEARCH@

    Posted Nov 21, 2013 11:29 PM

    Awesome, exactly what I'm looking for. Thanks a lot.



  • 34.  RE: LDAP Search Filter and @SEARCH@

    Posted Aug 10, 2018 10:33 AM

    A customer tried the above query, but it takes 20 seconds. How can we fine-tune it?