DIRECTORY SERVICES


Configuring search filters in a Directory Assistance document for a remote LDAP directory
If servers use directory assistance to search a remote LDAP directory, you can use the field "Type of search filter to use" in the Directory Assistance document for the directory to control which LDAP search filters are used to search the directory. The following choices are available.
Search filter option: Description

Standard LDAP (Default): Uses standard LDAP search filters that work with most LDAP directory servers, including IBM® Lotus® Domino®, IBM® Directory Server, and Sun ONE Directory Server.

Active Directory: Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.

Note: Each attribute in a search filter should be indexed in Active Directory. Otherwise, search performance is slow and search results can be unreliable.

Custom: Use to define your own search filters.

Note: The Active Directory search filter option replaces the Release 5 NOTES.INI setting WebAuth_AD_Group, which allowed for searches of Active Directory groups.

Defining custom search filters
You might need to define custom search filters if searches are not returning results or are returning results for the wrong entries. This situation can occur if the remote LDAP directory server uses a non-standard schema. Typically, custom filters are targeted at a particular attribute that can be used to produce unique, efficient matches - unique in that the attribute value is different for each entry, efficient in that there is an index or some other fast mechanism to ensure quick searches.

Selecting "Custom" in the "Type of search filter to use" field displays the following three fields used to define the custom search filters.
Custom search filter field: Description

Mail Filter: If directory assistance is configured so that Notes users can look up mail addresses in the directory, this search filter is used to look up the names in the directory. Leave the field blank to use the following default search filter:

(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

If a user specified "Pat Smith" in a mail recipient field, the resulting filter used on the LDAP search request would be:

(|(cn=Pat Smith)(|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))

You may want to customize the mail filter if users always type in their UID attribute in a mail recipient field. The custom filter would look similar to the following:

(uid=%*)

With this filter, if a user specified "BAK12345" in a mail recipient field the resulting filter used on the LDAP search request would be:

(uid=BAK12345)

Authentication Filter: If directory assistance is configured to trust a remote LDAP directory for client authentication, this filter is used to look up a name in the directory. Leave the field blank to use the following default search filter:

(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

If a user specified "Maryanne Brown" in the HTTP login prompt, the resulting filter used on the LDAP search request would be:

(|(cn=Maryanne Brown)(|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)(givenname=Maryanne))))

You may want to customize the authentication filter if users typically specify their employee ID or mail attribute at the login prompt. In this case, the custom filter would look similar to:

(|(employeeID=%*)(mail=%*))

So, if a user specified "MB12345" at the login prompt, the resulting filter used on the LDAP search request would be:

(|(employeeID=MB12345)(mail=MB12345))

Authorization Filter: Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter:

(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

In this case, a membership lookup on "cn=June Day,ou=Sales,o=Acme" would result in the following filter on the search request:

(|(&(objectclass=groupOfUniqueNames)(UniqueMember=cn=June Day,ou=Sales,o=Acme))(&(objectclass=groupOfNames)(Member=cn=June Day,ou=Sales,o=Acme)))

If the LDAP server that is enabled for ACL group expansion stores the groups with an objectClass of aclGroup, then you may want to specify the following custom filter:

(&(objectclass=aclGroup)(Member=%*))

In this case a membership lookup on "cn=June Day,ou=Sales,o=Acme" would use the following filter on the LDAP search request:

(&(objectclass=aclGroup)(Member=cn=June Day,ou=Sales,o=Acme))

To define custom search filters, you should be familiar with the valid search filter syntax described in RFCs 2251 and 2254.

Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP search filters to represent a part of the names being searched for.
Name part | Defined as | Example of name part (in brackets) | Parameter to insert to represent name part
First name | The set of characters from the first character to the first space or punctuation | [Alex] M Davidson | %a
Last name | The set of characters from the last space or punctuation to the last character | Alex M [Davidson] | %z
Whole name | The entire name | [Alex M Davidson] | %*
Local part | Local part of an RFC 822 mail address | [amd]@acme.com | %l
Domain part | Domain part of an RFC 822 mail address | amd@[acme.com] | %d
Any string value | The string value of the attribute or object that is being searched for. | For example, if a search contains a filter where "uid=%s", then the name part represented by %s in this case is amd. | %s

Examples of custom LDAP search filters
Name searched for | Search filter formula in Directory Assistance document | Search filter used to search for the name
Alex M Davidson | (|(givenname=%a)(sn=%z)(cn=%*)(mail=%l)) | (|(givenname=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=""))
amd | (EmpID=%*) | (EmpID=amd)
amd | (EmpID=%z) | (EmpID="")
amd | (mail=%*@acme.com) | (mail=amd@acme.com)
amd | (mail=%*@*) | (mail=amd@*)
amd@acme.com | (mail=*@%d) | (mail=*@acme.com)
amd@acme.com | (mail=%*) | (mail=amd@acme.com)
amd@acme.com | (uid=%l) | (uid=amd)
blue | (color=%*) | (color=blue)
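
The substitution rules from the syntax and example tables above, as an added Python example (not Domino's code and not part of the original documentation) that can be used to preview a custom filter before saving it. It also escapes each substituted value as RFC 2254 requires, which this page does not say Domino does; the punctuation set, the value of %a when the name has no separator, and the omission of %s are assumptions.

```python
import re
import string

# RFC 2254 section 4: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Assumption: "space or punctuation" means whitespace or ASCII punctuation.
_SEP = re.compile(r"[\s" + re.escape(string.punctuation) + "]")


def escape_value(value):
    """Escape a substituted value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def name_parts(name):
    """Split a searched-for name into the parts defined in the syntax table."""
    seps = [m.start() for m in _SEP.finditer(name)]
    local, at, domain = name.partition("@")
    return {
        "%*": name,
        # Assumption: with no separator in the name, %a is the whole string.
        "%a": name[: seps[0]] if seps else name,
        # The (EmpID=%z) row shows %z empty when the name has no separator.
        "%z": name[seps[-1] + 1:] if seps else "",
        "%l": local if at else "",
        "%d": domain if at else "",
    }


def expand(template, name):
    """Expand a Directory Assistance filter formula for one searched-for name."""
    parts = name_parts(name)

    def substitute(match):
        value = escape_value(parts[match.group(0)])
        return value if value else '""'  # the page renders empty parts as ""

    # Only substituted values are escaped; a wildcard written in the formula
    # itself, as in (mail=%*@*), keeps its LDAP meaning.
    return re.sub(r"%[*azld]", substitute, template)
```

A name containing filter metacharacters, such as the constructed input "Pat (Sales)*", comes out of expand("(uid=%*)", ...) as (uid=Pat \28Sales\29\2a), so it is matched literally.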