Constraining LDAP authentication to a subset of records

Bob Newman (1123) | asked Mar 14 '12, 4:38 p.m.
How can I configure LDAP authentication to constrain the directory entries searched to a subset of entries that have an EmployeeType attribute value of either P or C?

The fields "user's distinguished name", "LDAP user base searching", and "User search filtering" look interesting, but after reading I'm still uncertain about how to approach this, and whether the condition (P or C) can be supported.

In case I didn't make this clear up front, in this directory one of the many attributes stored for each employee record is EmployeeType. The use case is to allow only those individuals with EmployeeType of P or C to authenticate to RAM; all others in the directory would be ignored.


One answer

Rich Kulp (3.6k38) | answered Mar 14 '12, 5:41 p.m.
You have to know LDAP.

LDAP user base searching only allows DN (Distinguished Names), so no attribute testing can be added to that.

User search filtering may work. But you will need to be careful that you add the search restriction to both the User search filtering in the WAS console and the RAM configuration page, or you will not get matching results back.

For example, the default user search says "mail=%v" "AND (&)" "objectclass=person".

The %v is simply a variable: it is the value the user typed in on the search. So this is looking for a user that has mail = what the user typed in, and the objectclass attribute must be person.
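The following is an added example, not code from the original question or answer and not RAM or WAS product code. It models the filter the answer describes, `(&(mail=%v)(objectclass=person))`, adds the `(|(EmployeeType=P)(EmployeeType=C))` term the question asks for, and runs both filters over a constructed in-memory directory to show which entries each one admits. The evaluator supports only AND, OR, NOT and simple equality (no wildcards or substring matches), and the entries, attribute names and DNs are made up for the demonstration. It also escapes the `%v` value per RFC 4515 before substitution, since a login name that is pasted into the filter unescaped can close the `(mail=...)` item and add its own terms.

```python
"""Model of the LDAP user-search filter from the answer above, with the
EmployeeType restriction added. Directory entries are constructed sample data."""
import re
from typing import Dict, List, Tuple, Union

# Default filter quoted in the answer, and the constrained variant the question asks for
# (assumed: WAS/RAM substitute the typed login value for %v as the answer describes).
DEFAULT_FILTER = "(&(mail=%v)(objectclass=person))"
CONSTRAINED_FILTER = "(&(mail=%v)(objectclass=person)(|(EmployeeType=P)(EmployeeType=C)))"


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value, so a typed
    login name cannot terminate the (mail=...) item and append terms of its own."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value for \\XX hex escapes."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template: str, typed_value: str) -> str:
    """Substitute the user's input for %v, with escaping applied."""
    return template.replace("%v", escape_filter_value(typed_value))


Node = Union[Tuple[str, list], Tuple[str, str, str]]


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    op = s[i]
    if op in "&|":                          # AND / OR over a list of sub-filters
        i += 1
        children: List[Node] = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op!r} filter at offset {i}")
        return (op, children), i + 1
    if op == "!":                           # NOT over exactly one sub-filter
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '!' filter at offset {i}")
        return ("!", [child]), i + 1
    end = s.find(")", i)                    # simple equality item: attr=value
    if end < 0:
        raise ValueError("unterminated item")
    attr, sep, raw = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad item {s[i:end]!r}")
    return ("=", attr.lower(), unescape_filter_value(raw)), end + 1


def parse_filter(s: str) -> Node:
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node: Node, attrs: Dict[str, List[str]]) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    # Attribute names are case-insensitive in LDAP, and these string attributes are
    # normally compared with caseIgnoreMatch, so compare values case-insensitively too.
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def search(directory: List[dict], template: str, typed_value: str) -> List[str]:
    """Return the DNs of entries the expanded filter matches for this login value."""
    tree = parse_filter(expand_filter(template, typed_value))
    hits = []
    for entry in directory:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if matches(tree, attrs):
            hits.append(entry["dn"])
    return hits


# Constructed sample directory: two permitted employees, one with a disallowed type,
# and a non-person entry that happens to carry EmployeeType=P.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectClass": ["top", "person"],
     "mail": ["alice@example.com"], "EmployeeType": ["P"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectClass": ["top", "person"],
     "mail": ["bob@example.com"], "EmployeeType": ["C"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "objectClass": ["top", "person"],
     "mail": ["carol@example.com"], "EmployeeType": ["V"]},
    {"dn": "cn=scanner1,ou=devices,dc=example,dc=com", "objectClass": ["top", "device"],
     "mail": ["scanner1@example.com"], "EmployeeType": ["P"]},
]

if __name__ == "__main__":
    for who in ("alice@example.com", "carol@example.com", "scanner1@example.com"):
        print(who, "default:", search(DIRECTORY, DEFAULT_FILTER, who),
              "constrained:", search(DIRECTORY, CONSTRAINED_FILTER, who))
    print(expand_filter(DEFAULT_FILTER, "*)(objectclass=*"))
```

With the default filter carol authenticates; with the constrained filter only alice (P) and bob (C) do, and the device entry is excluded by `objectclass=person` even though its EmployeeType is P. The last line shows why escaping matters: `*)(objectclass=*` becomes a harmless literal `\2a\29\28objectclass=\2a` instead of a third AND term. As the answer notes, whichever filter you settle on must be entered identically in both the WAS console and the RAM configuration page.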
