PhenixID

PSD1145 – PIM functions for LDAP Queries

Summary

This PhenixID Solution Document (PSD) is written for PhenixID Identity Manager (IM) 5.4.0 and above.

When writing an LDAP search filter in IM, there are some special words that can be used to insert values when the search is run. Some of these special words can also be used in the search base for the search.

System Requirements

  • PhenixID Identity Manager

Special Words in Search Filter

MyDN

This will be replaced by the logged-in user's DN.
Example: you want to show all users that have your account as manager. Create a predefined search with the LDAP query directReports=MyDN

ThisDN

This will be replaced by the DN of the object currently being edited.

ThisDN(attributeName)

For example, you open a group and want to list only the users that have a value in one attribute (e.g. carLicense) matching the value of an attribute on the group object (adminDescription). In this scenario the LDAP query could look like:
(carLicense=ThisDN(adminDescription))

LDAP() and MLDAP() functions

The LDAP function has been around for some years. With PIM 5.6.6 we added the MLDAP function because of some shortcomings of the LDAP function. The LDAP function still works just as before. The MLDAP function includes all features of the LDAP function.

Both functions solve the use case of comparing values on the logged-in user's object with the results of a search. If you are logged in and have, for example, the attribute Company=Contoso and you want to list all users with the same value (Contoso) in the same or in another attribute, the LDAP/MLDAP function can be used.
The shortcoming of the LDAP function shows when you, as the logged-in user, have two or more values in a multi-valued attribute.
With the MLDAP function we added support for more than one value on the logged-in user. For example, if the logged-in user has businessCategory=Value1 and businessCategory=Value2, you can have a predefined search that lists all users with either Value1 or Value2. With the LDAP function only one of the logged-in user's values would have been used.

MLDAP includes all features of the LDAP function. MLDAP can, if not used carefully, add load to the LDAP server, since the generated LDAP query can become complex.

We will use a couple of examples to describe the two functions.

Example 1

A teacher is responsible for more than one class, and all class information is stored in LDAP attributes on both teachers and students.
Class membership for teachers is stored in the LDAP attribute: url
Class membership for students is stored in the LDAP attribute: carLicense

Below, KalleTeacher is a teacher and BillStudent and BjornStudent are students.
KalleTeacher logs in and has a predefined search called My students, showing all his students.

KalleTeacher url:7A and 8A
BillStudent carLicense:7A
BjornStudent carLicense:8A

Using the LDAP search function, the predefined search would have the query:
url=LDAP(carLicense)
The LDAP function only uses the first value it finds; if the value picked is url=7A, only BillStudent will be returned as the result for KalleTeacher.
So with the LDAP function the result would be:
My students : BjornStudent
In this scenario the LDAP function is not a good fit. If every teacher always had only one value (one class), it would have worked fine.

Using the MLDAP search function, the predefined search would have the query:
url=MLDAP(carLicense)
The MLDAP function uses all the values it finds.
So with the MLDAP function the result would be:
My students
BjornStudent
BillStudent
In this scenario the MLDAP function is a good fit.

Example 2

The result shown to the teacher is based on both School and Class.

KalleTeacher
url:7A and 8A
businessCategory:School1 and School2
BillStudent
carLicense:7A
adminDescription:School1
BjornStudent
carLicense:8A
adminDescription:School2

This is also a case where the MLDAP function must be used.

The predefined search's LDAP query would look like:
(&(carLicense=MLDAP(url))(adminDescription=MLDAP(businessCategory)))

The query sent by PIM to LDAP would look like:
(&(|(carLicense=8A)(carLicense=7A))(|(adminDescription=School2)(adminDescription=School1)))
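The substitution in Examples 1 and 2 can be modelled in a few lines. The block below is an added illustration, not PhenixID's implementation: it expands MyDN, ThisDN, ThisDN(attribute), LDAP(attribute) and MLDAP(attribute) against a small constructed directory (the DNs and the fourth user are hypothetical). Two points go beyond the page and are assumptions: the model escapes every substituted value per RFC 4515, since a value containing "(", ")" or "*" could otherwise change the structure of the generated filter (the page does not say how PIM handles this), and it raises an error when the source attribute is empty. The OR terms may also come out in a different order than in the query shown above.

```python
import re
from typing import Dict, List

# Constructed sample directory modelled on Example 2 (hypothetical DNs, not PhenixID data).
KALLE_DN = "cn=KalleTeacher,ou=staff,dc=example,dc=com"
BILL_DN = "cn=BillStudent,ou=students,dc=example,dc=com"
BJORN_DN = "cn=BjornStudent,ou=students,dc=example,dc=com"
PATRIK_DN = "cn=PatrikTeacher,ou=staff,dc=example,dc=com"  # hypothetical: value with metacharacters

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    KALLE_DN: {"url": ["7A", "8A"], "businessCategory": ["School1", "School2"]},
    BILL_DN: {"carLicense": ["7A"], "adminDescription": ["School1"]},
    BJORN_DN: {"carLicense": ["8A"], "adminDescription": ["School2"]},
    PATRIK_DN: {"url": ["Class 7A (old)"]},
}

# RFC 4515 escapes: a substituted value must never be able to close a term or open a new one.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value before it is placed inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _values(entry: Dict[str, List[str]], attr: str, who: str) -> List[str]:
    values = entry.get(attr, [])
    if not values:
        # What PIM does when the source attribute is empty is not stated on the page;
        # this model refuses to build a query rather than guess (assumption).
        raise ValueError(f"{who} has no value for {attr}")
    return values


def expand_filter(template: str, my_dn: str, this_dn: str) -> str:
    """Expand MyDN, ThisDN, ThisDN(attr), LDAP(attr) and MLDAP(attr) in a filter template,
    as a model of the substitution described on the page."""
    me = DIRECTORY.get(my_dn, {})
    this = DIRECTORY.get(this_dn, {})

    # attr=MLDAP(src): every value of the logged-in user's src attribute, OR-ed together.
    def mldap(m):
        attr, src = m.group(1), m.group(2)
        terms = "".join(f"({attr}={escape_filter_value(v)})" for v in _values(me, src, my_dn))
        return f"(|{terms})"

    # attr=LDAP(src): only the first value of the logged-in user's src attribute.
    def ldap(m):
        attr, src = m.group(1), m.group(2)
        return f"{attr}={escape_filter_value(_values(me, src, my_dn)[0])}"

    # ThisDN(attr): a value from the object being edited. Using the first value for a
    # multi-valued attribute is an assumption; the page only shows single values.
    def this_attr(m):
        return escape_filter_value(_values(this, m.group(1), this_dn)[0])

    # The optional outer parentheses are consumed so "(x=MLDAP(y))" becomes one OR term.
    out = re.sub(r"\(?(\w+)=MLDAP\((\w+)\)\)?", mldap, template)
    out = re.sub(r"(\w+)=LDAP\((\w+)\)", ldap, out)
    out = re.sub(r"\bThisDN\((\w+)\)", this_attr, out)
    out = re.sub(r"\bThisDN\b", lambda _: escape_filter_value(this_dn), out)
    out = re.sub(r"\bMyDN\b", lambda _: escape_filter_value(my_dn), out)
    return out


if __name__ == "__main__":
    # Example 2 from the page, run as KalleTeacher.
    print(expand_filter("(&(carLicense=MLDAP(url))(adminDescription=MLDAP(businessCategory)))", KALLE_DN, KALLE_DN))
    # Same data with LDAP(): only 7A survives.
    print(expand_filter("(carLicense=LDAP(url))", KALLE_DN, KALLE_DN))
    # A value with parentheses is escaped instead of breaking the filter.
    print(expand_filter("(carLicense=MLDAP(url))", PATRIK_DN, PATRIK_DN))
```

Running the first call reproduces the structure of the query above (an AND of two ORs); the third call shows why escaping matters: without it, the value "Class 7A (old)" would produce unbalanced parentheses and the search would fail or, with a crafted value, match something other than intended.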

$$TODAY$$

This will be replaced by the current date in generalized time format. It is also possible to add days to or remove days from the current date: to get tomorrow's date use $$TODAY+1$$, and to get yesterday's date use $$TODAY-1$$.

$$MSTODAY$$

This will be replaced by the current date in Microsoft time format. It is also possible to add days to or remove days from the current date: to get tomorrow's date use $$MSTODAY+1$$, and to get yesterday's date use $$MSTODAY-1$$.
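As an added example (not PhenixID code), the block below expands $$TODAY$$ and $$MSTODAY$$ with optional day offsets. It assumes "generalized time format" means the LDAP GeneralizedTime syntax (YYYYMMDDHHMMSSZ) and "Microsoft time format" means the Active Directory large-integer timestamp (100-nanosecond intervals since 1601-01-01 UTC, as used by accountExpires and pwdLastSet); whether PIM keeps the time of day or truncates to midnight is not stated on the page, so the model keeps the time it is given.

```python
import re
from datetime import datetime, timedelta, timezone

# Epoch of the Windows FILETIME / AD large-integer timestamp (assumed to be the page's
# "Microsoft time format").
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# $$TODAY$$, $$TODAY+1$$, $$MSTODAY-1$$ ...
_TODAY_RE = re.compile(r"\$\$(MS)?TODAY([+-]\d+)?\$\$")


def generalized_time(when: datetime) -> str:
    """LDAP GeneralizedTime in UTC, e.g. 20240131120000Z."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def microsoft_time(when: datetime) -> int:
    """100-nanosecond intervals since 1601-01-01 UTC (AD large-integer timestamp)."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expand_dates(template: str, now: datetime) -> str:
    """Replace every $$TODAY$$ / $$MSTODAY$$ token, applying the day offset if present."""

    def repl(m):
        offset_days = int(m.group(2) or 0)
        when = now + timedelta(days=offset_days)
        return str(microsoft_time(when)) if m.group(1) else generalized_time(when)

    return _TODAY_RE.sub(repl, template)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed filters: objects created in the last week, and AD accounts that
    # expire within 30 days (accountExpires is a Microsoft large-integer timestamp).
    print(expand_dates("(whenCreated>=$$TODAY-7$$)", now))
    print(expand_dates("(&(objectClass=user)(accountExpires<=$$MSTODAY+30$$))", now))
```

The two timestamp syntaxes are not interchangeable: a GeneralizedTime string compared against a large-integer attribute (or the other way round) will never match, so pick $$TODAY$$ or $$MSTODAY$$ according to the syntax of the attribute being compared.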

Special Words in Search Base

MyDN

This will be replaced by the logged-in user's DN.

ThisDN

This will be replaced by the DN of the object currently being edited.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se