Configuring search filters in a Directory Assistance document for a remote LDAP directory

For servers that use directory assistance to search a remote LDAP directory, you can control which LDAP search filters are used to search the directory. Use the Type of search filter to use field in the Directory Assistance document for the directory to make this choice.

About this task

You specify which LDAP search filters are used to search the directory in the Type of search filter to use field in the Directory Assistance document for the directory whose search filters you want to control.

Table 1. LDAP search filter options

Search filter option

Description

Standard LDAP (Default)

Uses standard LDAP search filters that work with most LDAP directory servers.

Active Directory

Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.

Note: Each attribute in a search filter should be indexed in Active Directory. Otherwise search performance is slow and search results can be unreliable.

This option replaces the Release 5 NOTES.INI setting WebAuth_AD_Group, which allowed for searches of Active Directory groups.

Custom

Use to define your own search filters.

Defining custom search filters

About this task

You might need to define custom search filters if searches are not returning results or are returning results for the wrong entries. This situation can occur if the remote LDAP directory server uses a nonstandard schema. Typically, custom filters are targeted at a particular attribute that can be used to produce unique, efficient matches - unique in that the attribute value is different for each entry, efficient in that there is an index or some other fast mechanism to ensure quick searches.

To define custom search filters, you should be familiar with valid search filter syntax described in RFCs 2251 and 2254.

Select Custom in the Type of search filter to use field and specify how you want to define the custom search filter:

Table 2. Fields used to define the custom search filters

Custom search filter field

Description

Mail Filter

If directory assistance is configured so that HCL Notes® users can look up mail addresses in the directory, this search filter is used to look up the names in the directory. Leave the field blank to use the following default search filter:

(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a)))) 

If a user specified "Pat Smith" in a mail recipient field, the resulting filter used on the LDAP search request would be:

(|(cn=Pat Smith)(|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))

You may want to customize the mail filter if users always type in their UID attribute in a mail recipient field. The custom filter would look similar to the following:

(uid=%*)

With this filter, if a user specified BAK12345 in a mail recipient field the resulting filter used on the LDAP search request would be:

(uid=BAK12345)

Authentication Filter

If directory assistance is configured to trust a remote LDAP directory for client authentication, this filter is used to look up a name in the directory. Leave the field blank to use the following default search filter:

(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

If a user specified "Maryanne Brown" in the HTTP login prompt, the resulting filter used on the LDAP search request would be:

(|(cn=Maryanne Brown)(|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)(givenname=Maryanne))))

You may want to customize the authentication filter if users typically specify their employee ID or mail attribute at the login prompt. In this case, the custom filter would look similar to:

(|(employeeID=%*)(mail=%*))

So, if a user specified "MB12345" at the login prompt, the resulting filter used on the LDAP search request would be:

(|(employeeID=MB12345)(mail=MB12345))

Authorization Filter

Specify a search filter to use to look up the members of groups for Notes® database authorization. Leave the field blank to use the following default search filter:

(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

In this case, a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would result in the following filter on the search request:

(|(&(objectclass=groupOfUniqueNames)(UniqueMember=cn=June Day,ou=Sales,o=Renovations))(&(objectclass=groupOfNames)(Member=cn=June Day,ou=Sales,o=Renovations)))

If the LDAP server that is enabled for ACL group expansion stores the groups with an objectClass of aclGroup, then you may want to specify the following custom filter:

(&(objectclass=aclGroup)(Member=%*))

In this case a membership lookup on "cn=June Day,ou=Sales,o=Renovations" would use the following filter on the LDAP search request:

(&(objectclass=aclGroup)(Member=cn=June Day,ou=Sales,o=Renovations))

Syntax for custom LDAP search filters

About this task

To define a custom search filter, insert parameters into standard LDAP search filters to represent a part of the names being searched for.

Table 3. Parameters to use in standard LDAP search filters

| Name part | Defined as | Example of name part (in bold) | Parameter to insert to represent name part |
|---|---|---|---|
| First name | The set of characters from the first character to the first space or punctuation | **Alex** M Davidson | %a |
| Last name | The set of characters from the last space or punctuation to the last character | Alex M **Davidson** | %z |
| Whole name | The entire name | **Alex M Davidson** | %* |
| Local part | Local part of an RFC 822 mail address | **amd**@renovations.com | %l |
| Domain part | Domain part of an RFC 822 mail address | amd@**renovations.com** | %d |
| Any string value | The string value of the attribute or object that is being searched for. | For example, if a search contains a filter where "uid=%s", then the name part represented by %s in this case is amd. | %s |

Examples of custom LDAP search filters

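Table 4. Examples of custom LDAP search filters

Name searched for: Alex M Davidson
Search filter formula in Directory Assistance document: (|(givenname=%a)(sn=%z)(cn=%*)(mail=%l))
Search filter used to search for the name: (|(givenname=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=""))

Name searched for: amd
Search filter formula in Directory Assistance document: (EmpID=%*)
Search filter used to search for the name: (EmpID=amd)

Name searched for: amd
Search filter formula in Directory Assistance document: (EmpID=%*)
Search filter used to search for the name: (EmpID="")

Name searched for: amd
Search filter formula in Directory Assistance document: (mail=%*@renovations.com)
Search filter used to search for the name: (mail=amd@renovations.com)

Name searched for: amd
Search filter formula in Directory Assistance document: (mail=%*@*)
Search filter used to search for the name: (mail=amd@*)

Name searched for: amd@renovations.com
Search filter formula in Directory Assistance document: (mail=*@%d)
Search filter used to search for the name: (mail=*@renovations.com)

Name searched for: amd@renovations.com
Search filter formula in Directory Assistance document: (mail=%*)
Search filter used to search for the name: (mail=amd@renovations.com)

Name searched for: amd@renovations.com
Search filter formula in Directory Assistance document: (uid=%l)
Search filter used to search for the name: (uid=amd)

Name searched for: blue
Search filter formula in Directory Assistance document: (color=%*)
Search filter used to search for the name: (color=blue)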
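
The substitution rules in Table 3 and the requirement that custom filters produce unique matches, as an added Python sketch (not HCL Domino code): expand previews the filter a template produces for a name, and review flags templates that are malformed or that contain a literal wildcard and so can match more than one entry. The function names, the punctuation set, and the treatment of single-token names are assumptions.

```python
import re
import string

# Added model of the Table 3 parameters; not HCL Domino's own parser.
# Assumption: "space or punctuation" means whitespace or ASCII punctuation.
SEPARATORS = re.compile(r"[\s" + re.escape(string.punctuation) + r"]+")

def name_parts(name):
    """Split the name searched for into the parts that Table 3 defines."""
    tokens = [t for t in SEPARATORS.split(name) if t]
    local, at, domain = name.partition("@")
    is_address = bool(at and local and domain)
    return {
        "%*": name,
        "%a": tokens[0] if tokens else "",
        # Assumption: a single-token name has no separate last name.
        "%z": tokens[-1] if len(tokens) > 1 else "",
        "%l": local if is_address else "",
        "%d": domain if is_address else "",
    }

def expand(template, name):
    """Preview the filter sent for `name`; an empty part renders as "" (Table 4)."""
    parts = name_parts(name)
    # %s is not expanded: its value comes from the attribute being searched.
    return re.sub(r"%[*azld]", lambda m: parts[m.group()] or '""', template)

def review(template):
    """Return findings for a custom filter template; an empty list means none."""
    findings = []
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        findings.append("unbalanced parentheses")
    for p in re.findall(r"%(.)", template):
        if p not in "*azlds":
            findings.append(f"unknown parameter %{p}")
    if not re.search(r"%[*azlds]", template):
        findings.append("no name parameter: filter ignores the name searched for")
    # A literal * in a value is a substring or presence match, so the filter
    # can return several entries instead of one unique match.
    for attr, value in re.findall(r"\(([\w;.-]+)=([^()]*)\)", template):
        if "*" in value.replace("%*", ""):
            findings.append(f"{attr}: wildcard match, may not be unique")
    return findings
```

Running review over an Authentication Filter before saving the Directory Assistance document catches templates such as (mail=%*@*), which expand to a substring match rather than a single-entry lookup.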