kweinert

Reputation: 125

In-depth LDAP filters reference for Apache DS?

I have been looking everywhere for some information on the filters in my LDAP configuration settings and have yet to come up with a good reference.

Here are two examples of what I am looking for in case I am just using the wrong terminology in my search.

For example, in uid=%v and groupIdMap="*:cn", what does the %v represent and what is the point of the colon for the groupIDMap?

Feel free to tell me what either of those mean but I would prefer some sort of reference as I'm sure I'll run into more.

These are from a Liberty Profile and I believe it is ApacheDS in case it matters.

I have access to Safari so feel free to mention any good books I might find there.

Edit: Thanks, based on your comment it looks like those might be specific to WebSphere.

Did a little more poking around in the IBM docs, still no luck but at least it gives me a bit more to go on.

Here's a typical example from an IBM information center.

<ldapRegistry id="ldap" realm="SampleLdapADRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindPassword="testuserpwd"
    ldapType="Microsoft Active Directory"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <activedFilters
        userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member">
    </activedFilters>
</ldapRegistry>

Upvotes: 1

Views: 306

Answers (1)

covener

Reputation: 17872

The definition of those parms is here:

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=rwlp_config_ldapRegistry

%v is the HTTP or form-based username as input.

The manual is clearly wrong about the description of the *map properties, but if you look at the default for a more complex one, groupMemberIdMap, you can see what they're going for here:

"groupOfNames:member;groupOfUniqueNames:uniqueMember"

When the server is looking at a group of class groupOfNames, it looks for member entries. And the mapping is just slightly different when the groups are instead of class groupOfUniqueNames.

So *:cn in the simpler groupIDMap is a wildcard that says when determining the ID of a group, always just take the CN. But it retains some flexibility.

Upvotes: 2
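
The semantics the answer describes, as an added example that is not part of the original answer and is not Liberty's code: %v is replaced by the submitted user name, and a *Map value is read as objectclass:attribute pairs with * as the wildcard. All function names are hypothetical, the inputs are constructed, and escaping the user name per RFC 4515 before substitution is an assumption of this sketch, not documented Liberty behaviour.

```python
from typing import Dict, List, Optional

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so input stays a literal value."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def expand_filter(template: str, username: str) -> str:
    """Substitute the (escaped) login name for %v in a filter template."""
    return template.replace('%v', escape_filter_value(username))

def parse_id_map(spec: str) -> Dict[str, str]:
    """Parse 'objectclass:attribute;objectclass:attribute' into a dict.
    Object class names are lower-cased because LDAP compares them
    case-insensitively."""
    mapping: Dict[str, str] = {}
    for pair in spec.split(';'):
        if not pair.strip():
            continue  # tolerate a trailing ';'
        objectclass, sep, attribute = pair.partition(':')
        if not sep or not objectclass.strip() or not attribute.strip():
            raise ValueError('malformed map entry: %r' % pair)
        mapping[objectclass.strip().lower()] = attribute.strip()
    return mapping

def attribute_for(mapping: Dict[str, str],
                  objectclasses: List[str]) -> Optional[str]:
    """Return the attribute mapped to the entry's object class.
    A specific class wins; '*' applies to any class; None means no rule."""
    for oc in objectclasses:
        if oc.lower() in mapping:
            return mapping[oc.lower()]
    return mapping.get('*')

if __name__ == '__main__':
    # The userFilter from the question, after XML decoding of &amp;
    user_filter = '(&(sAMAccountName=%v)(objectcategory=user))'
    print(expand_filter(user_filter, 'jdoe'))
    # Constructed input containing filter metacharacters
    print(expand_filter(user_filter, 'jo*(n)'))

    members = parse_id_map('groupOfNames:member;groupOfUniqueNames:uniqueMember')
    print(attribute_for(members, ['top', 'groupOfUniqueNames']))  # class-specific
    print(attribute_for(parse_id_map('*:cn'), ['group']))         # wildcard
```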
