LDAP Filter Query—Define Dynamic Group Query Parameters

Enterprise Administration Guide › Administering CA ControlMinder Enterprise Management › Users, Groups, and Administrative Roles › Types of Groups › LDAP Filter Query—Define Dynamic Group Query Parameters

LDAP Filter Query—Define Dynamic Group Query Parameters

You create a dynamic group by defining an LDAP filter query using the CA ControlMinder Enterprise Management to determine group membership at runtime.

This filter query has the following format:

LDAP:///search_base_DN??search_scope?searchfilter

search_base_DN

Defines the point from where you begin the search in the LDAP directory. If you do not specify the base DN in the query, then the group organization is the default base DN.

search_scope

Specifies the extent of the search and includes:

sub—Returns entries at the base DN level and below.
one—Returns entries one level below the base DN you specify in the URL.
base—Uses one instead, ignoring base as a search option.

Using one or base obtains only the users in the Base DN organization.

Using sub obtains all users under the Base DN organization and all sub- organizations in the tree.

searchfilter

Defines the filter that you want to apply to entries within the scope of the search. When you enter a search filter, use the standard LDAP query syntax as follows:

([logical_operator]Comparison)

logical operator

Defines a logical operator. Can be one of:

|—Logical OR
&—Logical AND
!—Logical NOT

Comparison

Defines AttributeOperatorValue

Attribute—Defines the name of the LDAP attribute.
Operator—Specifies the comparison operator. Can be one of: = (equals), <= (less than or equals), >= (greater than or equals), or ~= (approximately equals).
Value—Defines the value for the attribute data.

Example: (&(city=Boston)(state=Massachusetts))

Default: (objectclass=*)

Note the following when creating a dynamic query:

The "LDAP" prefix must be lowercase, for example:
```
ldap:///o=MyCorporation??sub?(title=Manger)
```
You cannot specify the LDAP server host name or port number. All searches occur within the LDAP directory that you configured for your environment.

Example: Sample LDAP Queries

The following are sample LDAP queries:

Description	Query
All users who are managers.	ldap:///o=MyCorporation??sub?(title=Manger)
All managers in the New York West branch office	ldap:///o=MyCorporation??one?(&(title=Manager) (office=NYWest))
All technicians with a cell phones	ldap:///o=MyCorporation??one? (&(employeetype=technician) (mobile=*))
All employees with employee numbers from 1000 through 2000	ldap:///o=MyCorporation, (& (ou=employee) (employeenumber >=1000) (employeenumber <=2000))
All help desk administrators who have been employed at the company for more than six months	ldap:///o=MyCorporation,(& (cn=helpdeskadmin) (DOH => 2004/04/22) Note: This query requires that you create a DOH attribute for the user date of hire.

Note: The > and < (greater than and less than) comparisons are lexicographic, not arithmetic. For details on their use, see the documentation for your LDAP directory server.