How to Use SearchBase DN and Filtering Specifications

Using the Command Line Utilities › hauthtst Command-Authentication Server API Test › How to Use SearchBase DN and Filtering Specifications

How to Use SearchBase DN and Filtering Specifications

The LDAP Authentication Server API uses an OpenLDAP filter specification to help select the proper user account container from a set of all entries associated with the SearchBase DN (for example, the ‑ldapbasedn parameter). The filter specification uses a pre-fix operator format, rather than the more common in-fix operator format. For example, the default filter is the following expression:

(&(objectclass=person)(uid=<uid>))

This expression means: Search for directory entries that meet both of the following criteria:

The user name attribute (uid) value equals the requested user identifier
The object class attribute value equals “person”
In some cases, this level of filtering is insufficient. For example, on certain directories that have computer containers and user account containers, the previous filter may return a computer container entry for the user rather than the user account container. In such cases, refine the filter to exclude computer node entries, for example:
```
(&(!(objectclass=computer))(&(objectclass=person)(uid=<uid>)))
```

This expression means: Search for directory entries that meet all of the following criteria:

The user name attribute (uid) value equals the requested user identifier
The object class attribute value equals “person”
The object class attribute value does not equal “computer”

The time required for the search depends mostly on the selection of the Search Base DN. For example, the following expression searches an entire domain:

DC=mydomain,DC=com

When searching large domains, you can reduce the search time by limiting the search to a specific portion of the entire domain, for example:

OU=North America, DC=mydomain,DC=com