I2A2 LDAP Filters
LDAP filters define or augment the criteria for locating an entity in a directory. I2A2 LDAP supports LDAP filters.
A new Characteristic Expression (chx) filter attribute, defined in the
I2A2 Schema, allows I2A2
authorization characteristic Boolean
expressions to be represented in filters.
These attributes (with examples) can be used in I2A2 LDAP filters.
Characteristic Boolean expression: (chx=1234&8765)
Common name: cn=alfred e newman
Given name: givenName=alfred
PUID: puid=10284869
Surname: sn=newman
UserID: uid=foobar
Attributes
The I2A2 LDAP Attributes are described
here.
Using Characteristic Expression Filters When the chx attribute is used to supply an I2A2
authorization characteristic Boolean
expression to the I2A2 authorizer DBM (ou=authorize), there are three basic rules that should be followed to achieve
satisfactory results.
-
The PUID to be tested must be supplied in the RDN or in a filter component.
-
There should be only one chx filter component. Use the Boolean expression operators to form a complex expression instead
of using the LDAP filter operators.
- A chv result will be returned only if the full filter expression evaluates to TRUE (1). If only a chx component is specified and it evaluates to FALSE (0), no chv result will be returned, because the full filter value is FALSE. The easiest circumvention is to identify the PUID in a puid or uid filter component that is or'd with a chx component.
Here's a complete example that uses a puid filter component to make sure the chv result of the chx filter component is returned.
DN: puid=10284869,ou=authorize,dc=purdue,dc=edu
Filter: (|(puid=10284869)(chx=1234&8765))
Characteristic Expression Filter Return Value When a characteristic expression filter is specified
and I2A2 LDAP finds the requested PUID, the characteristic expression's value will be returned in a chv attribute, provided
the overall value of the full filter expression is TRUE (1).
If the characteristic expression filter component evaluates to FALSE, but some other filter component causes the full filter
expression to evaluate TRUE, then the attributes of the specified PUID, including the FALSE value of the characteristic
expression filter component, will be returned. Here's an example:
DN: puid=10284869,ou=authorize,dc=purdue,dc=edu
Filter: (|(puid=10284869)(chx=1234&8765))
Provided PUID 10284869 is known to the authorizer DBM, and even though the chx filter expression evaluates to FALSE, this chv attribute will be returned:
chv=(chx=1234&8765)=0
Other attributes will be returned as appropriate -- e.g., alias, common name, PUID, etc.
Filter Errors Following these basic filter construction rules is important to avoiding filter errors.
- If you're searching by name, use the cn attribute.
- A filter must be enclosed in parentheses and the parentheses in a filter must balance.
- If a PUID is given in a filter, its check digit must be correct. (See Luhn Check Digit.)
When either of these rules is violated the most likely I2A2 LDAP protocol converter response will be "no search
criteria. That response is given because the protocol converter's parsing of the filter didn't yield any keys that
could be supplied in a DBM lookup request.
If your filter yields unexpected results, please send the filter in e-mail exactly
as you supplied it to the I2A2 LDAP protocol converter.