LDAP search filter recommendations - j5 - 30 - Installation & Upgrade - Hexagon


The Search Constraints (defined on the LDAP Connection setting screen) and Login Attributes (defined on the Authentication Configuration setting screen) use the LDAP search filter syntax (RFC2254). These filters limit which users j5 searches for in Active Directory. A search with these constraints and the additional constraint "(objectCategory=Person)" needs to return all of the users j5 should import.

The easiest way to achieve this is to create a special group that represents all users relevant to j5, and add every user that j5 needs to find to that group.

As an example:

  • Create a group with distinguished name (DN) of "CN=j5-Users,OU=Groups,DC=example,DC=com".

  • Add each j5 user to that group. This means each user that needs to be synchronized will have that DN in their "memberOf" attribute.

  • Configure the Search Constraints to search on group membership, escaping commas in values with backslashes. Using our example, you would set the search constraints to: memberOf=CN=j5-Users\,OU=Groups\,DC=example\,DC=com,DC=example,DC=com. This specifies that all of the users imported by j5 should have "CN=j5-Users,OU=Groups,DC=example,DC=com" in their memberOf attribute, and also fall hierarchically under "DC=example,DC=com".

When using memberOf in your search constraints, j5 returns the users that are found directly within the specified group and not the users found in child groups of the specified group.

The following more advanced example authenticates members of the Active Directory group j5-Users:

memberOf=CN=j5-Users\,dc=brietree\,dc=sjsoft\,dc=com,dc=brietree,dc=sjsoft,dc=com

You can use backslashes to escape commas, or you can use double-quotes around the attribute (memberOf="CN=j5-Users,DC=brietree,DC=sjsoft,DC=com"). Single-quotes do not work.

Building a search filter

memberOf=SearchString,AuthenticationString

SearchString: CN=SomeGroupName, OU=SomeTopLevelOrganizationUnitHierarchy[, OU=NextLevelOUintheHierarchy ...], DC=PartOfTheDomainName[, DC=OtherPartsOfTheDomainName ...]

The text of this string must be surrounded by double-quotes or have its commas escaped with a backslash (\).

  • Example with escaped commas: j5-Users\,ou=AppGroups\,dc=brietree\,dc=sjsoft\,dc=com

  • Example with double quotes: "CN=j5-Users,ou=AppGroups,dc=brietree,dc=sjsoft,dc=com"

AuthenticationString: DC=PartOfTheDomainName[, DC=OtherPartsOfTheDomainName ...]

This is the domain into which the LDAP connection will authenticate. This section of the string should not be in quotes or have escaped commas.

  • Example: dc=brietree,dc=sjsoft,dc=com

  • Example using double-quotes: memberOf="CN=j5-Users,ou=AppGroups,dc=brietree,dc=sjsoft,dc=com",dc=brietree,dc=sjsoft,dc=com

  • Example using escaped-commas: memberOf=CN=j5-Users\,ou=AppGroups\,dc=brietree\,dc=sjsoft\,dc=com,dc=brietree,dc=sjsoft,dc=com

This looks for the j5-Users group within the AppGroups organizational unit in the domain brietree.sjsoft.com, and authenticates into brietree.sjsoft.com.
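The constraint format above, and the group-membership example earlier on this page, can be checked mechanically before the value is typed into the j5 setting screens. The following Python is an added example, not code from the j5 documentation or the j5 product: it parses a memberOf=SearchString,AuthenticationString value in either documented form (double-quoted group DN, or commas escaped with backslashes; single quotes are rejected), renders the value back in both forms, and composes the RFC 2254 filter that combines the group DN with (objectCategory=Person). The function names (parse_member_of_constraint, build_member_of_constraint, person_filter, escape_filter_value) are assumptions for illustration; the DN value inside the filter is hex-escaped as RFC 2254 requires, so that characters special to filter syntax cannot alter the filter's meaning.

```python
"""Parse, build and check j5-style memberOf search constraints.

Added example; not part of the j5 documentation or product code.
Function names are assumptions. The constraint format follows the page:
    memberOf=<group DN>,<base DN>
where the group DN is either double-quoted or has its commas escaped as '\\,'.
"""
from typing import Tuple

# RFC 2254 / RFC 4515 escaping for assertion values inside a search filter.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value (hex form, e.g. '*' -> '\\2a')."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_member_of_constraint(constraint: str) -> Tuple[str, str]:
    """Split 'memberOf=<group DN>,<base DN>' into (group_dn, base_dn).

    Accepts the two forms the page documents. The base DN part must be
    plain (no quotes, no escaped commas), as the page states.
    """
    prefix = "memberOf="
    if not constraint.startswith(prefix):
        raise ValueError("constraint must start with 'memberOf='")
    rest = constraint[len(prefix):]

    if rest.startswith("'"):
        raise ValueError("single quotes are not supported; use double quotes or escaped commas")

    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            raise ValueError("unterminated double-quoted group DN")
        group_dn = rest[1:end]
        tail = rest[end + 1:]
        if not tail.startswith(","):
            raise ValueError("expected ',' between the quoted group DN and the base DN")
        base_dn = tail[1:]
    else:
        # Walk the string: '\,' is a literal comma inside the group DN;
        # the first unescaped ',' separates the group DN from the base DN.
        chars = []
        i = 0
        while i < len(rest):
            ch = rest[i]
            if ch == "\\" and i + 1 < len(rest) and rest[i + 1] == ",":
                chars.append(",")
                i += 2
                continue
            if ch == ",":
                break
            chars.append(ch)
            i += 1
        else:
            raise ValueError("no unescaped ',' found: base DN is missing")
        group_dn = "".join(chars)
        base_dn = rest[i + 1:]

    if not group_dn or not base_dn:
        raise ValueError("group DN and base DN must both be non-empty")
    if "\\," in base_dn or '"' in base_dn:
        raise ValueError("base DN must not contain quotes or escaped commas")
    return group_dn, base_dn


def build_member_of_constraint(group_dn: str, base_dn: str, quoted: bool = False) -> str:
    """Render the constraint in the escaped-comma form (default) or the quoted form."""
    if quoted:
        return f'memberOf="{group_dn}",{base_dn}'
    return "memberOf=" + group_dn.replace(",", "\\,") + "," + base_dn


def person_filter(group_dn: str) -> str:
    """RFC 2254 filter for direct members of the group that are also persons."""
    return f"(&(objectCategory=Person)(memberOf={escape_filter_value(group_dn)}))"


if __name__ == "__main__":
    # Constructed input: the page's own example group and domain.
    sample = "memberOf=CN=j5-Users\\,OU=Groups\\,DC=example\\,DC=com,DC=example,DC=com"
    group, base = parse_member_of_constraint(sample)
    print("group DN :", group)
    print("base DN  :", base)
    print("quoted   :", build_member_of_constraint(group, base, quoted=True))
    print("filter   :", person_filter(group))
```

Running the script prints the parsed group DN and base DN, the equivalent double-quoted form of the constraint, and the composed filter. The parser deliberately refuses the single-quoted form and a base DN that carries quoting or escaping, which are the two mistakes the page warns about, so a bad value fails loudly here rather than silently returning no users in j5.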

LDAP Data Interchange Format

  • dn: distinguished name

    This refers to the name that uniquely identifies an entry in the directory.

  • dc: domain component

    This refers to each component of the domain. For example www.mydomain.com would be written as DC=www,DC=mydomain,DC=com

  • ou: organizational unit

    This refers to the organizational unit (or sometimes the user group) that the user is part of. If the user is part of more than one group, you may specify as such, e.g., OU=Lawyer,OU=Judge.

  • cn: common name

    This refers to the individual object (person's name; meeting room; recipe name; job title; etc.) for whom/which you are querying.