User Directory Search Expression Editor
The dialog contents change depending on the directory type.
- Active Directory User Directories
  For Active Directory (AD) user directories, the User Directory Search Expression Editor pane contains the following settings:
  - Manual Entry Field
    Specifies a search filter for the Active Directory user directory.
  - Validate Entry Check Box
    Specifies whether the search filter is validated before the entry is added to the Active Directory user directory.
    Note: If validation of the Active Directory search filter fails, clear this check box.
    Default: Selected
- LDAP User Directories
  For LDAP user directories, the User Directory Search Expression Editor pane contains the following settings:
  - Where to Search Group Box
    Specifies the type of entry the search is limited to. The following options are available:
    - Validate DN
      Verifies the user's DN. Enter a complete DN for the LDAP user directory and click OK. Any valid DN entry is then added to the list of users in the User Directory dialog.
    - Search Users
      Indicates that the search is limited to matches in user entries.
    - Search Groups
      Indicates that the search is limited to matches in group entries.
    - Search Organizations
      Indicates that the search is limited to matches in organization entries (organizations and organizational units).
    - Search Any Entry
      Indicates that the search includes all entries in the directory.
  - Condition Group Box
    Specifies the LDAP or AD attributes included in the search criteria. In the Please Select drop-down list, select the attribute. In the next drop-down list, select the operator (contains, approx, greaterOrEqual, equals, lessOrEqual). In the third field, enter the value for the condition.
    Example condition: uid equals Tuser1
    - Add
      Adds the search condition to the Manual Entry, Infix Notation, and LDAP Notation group boxes.
  - Infix Notation Group Box
    Lists all the conditions you defined using the Where to Search and Condition group boxes. You can edit the conditions in an expression using the And/Or, Modify, Not, Remove, Add() and Remove() buttons. To edit a condition, select the condition string in the Infix Notation field, then click a button to modify it. By default, the second and all subsequent conditions are added to the Infix Notation group box with an "and" operator.
    The buttons operate as follows:
    - And/Or
      With the second or a subsequent condition selected, places an And/Or operator between two strings. You must have two conditions already defined to use the And/Or operator. Selecting one condition string and clicking And/Or toggles between requiring that both conditions be satisfied during a search and requiring that only one of the two conditions be satisfied.
    - Modify
      Opens the Edit dialog, which allows you to reenter the condition statement.
    - Not
      Places the word "not" in front of a condition string. The Not operator enables you to exclude a user from a policy.
    - Remove
      Deletes the condition string.
    - Add()
      With two or more strings selected, adds parentheses around the selected conditions.
    - Remove()
      With two or more strings selected, removes the parentheses from the selected conditions.
  - LDAP Notation Group Box
    Displays the complete search expression that you have constructed.
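The following added example is not part of this documentation or of the Policy Server; it is a hypothetical Python helper that models what the Infix Notation and LDAP Notation group boxes do: conditions built from the editor's five operator names are combined with "and"/"or"/"not" and parentheses, and rendered as an RFC 4515 filter. The mapping of "contains" to a substring filter is an assumption (the other four map to the standard LDAP comparison operators), and the example goes one step beyond the page by escaping the value per RFC 4515, so that a value containing `*`, `(` or `)` cannot change the structure of the resulting filter.

```python
"""Hypothetical model of the search expression editor's condition logic.

Not product code. Conditions are (attribute, operator, value) triples using
the editor's operator names; And/Or/Not and parentheses are nested Groups.
"""
from dataclasses import dataclass
from typing import List, Union

# Editor operator name -> LDAP filter template (RFC 4515).
# Treating 'contains' as a substring filter is an assumption of this example.
_OPERATORS = {
    "equals": "{attr}={val}",
    "approx": "{attr}~={val}",
    "greaterOrEqual": "{attr}>={val}",
    "lessOrEqual": "{attr}<={val}",
    "contains": "{attr}=*{val}*",
}

# Characters that must be escaped inside an assertion value (RFC 4515 s.3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape reserved characters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class Condition:
    attr: str
    op: str
    value: str


@dataclass
class Group:
    op: str               # "and", "or" or "not"
    terms: List["Expr"]   # "not" takes exactly one term


Expr = Union[Condition, Group]


def default_expression(conditions: List[Condition]) -> Expr:
    """Editor default: the second and later conditions are joined with 'and'."""
    if len(conditions) == 1:
        return conditions[0]
    return Group("and", list(conditions))


def to_infix(expr: Expr) -> str:
    """Render the expression the way the Infix Notation group box lists it."""
    if isinstance(expr, Condition):
        return f"{expr.attr} {expr.op} {expr.value}"
    if expr.op == "not":
        inner = to_infix(expr.terms[0])
        return "not " + (f"({inner})" if isinstance(expr.terms[0], Group) else inner)
    parts = [f"({to_infix(t)})" if isinstance(t, Group) else to_infix(t) for t in expr.terms]
    return f" {expr.op} ".join(parts)


def to_ldap(expr: Expr) -> str:
    """Render the expression as the LDAP Notation group box would show it."""
    if isinstance(expr, Condition):
        if expr.op not in _OPERATORS:
            raise ValueError(f"unknown operator {expr.op!r}")
        body = _OPERATORS[expr.op].format(attr=expr.attr, val=escape_value(expr.value))
        return f"({body})"
    if expr.op == "not":
        if len(expr.terms) != 1:
            raise ValueError("'not' applies to exactly one condition")
        return f"(!{to_ldap(expr.terms[0])})"
    if expr.op in ("and", "or"):
        if len(expr.terms) < 2:
            raise ValueError("'and'/'or' need two or more conditions")
        symbol = "&" if expr.op == "and" else "|"
        return f"({symbol}{''.join(to_ldap(t) for t in expr.terms)})"
    raise ValueError(f"unknown group operator {expr.op!r}")


if __name__ == "__main__":
    # Constructed sample: the page's example condition plus a second one.
    expr = default_expression([Condition("uid", "equals", "Tuser1"),
                               Condition("cn", "contains", "Smith")])
    print(to_infix(expr))   # uid equals Tuser1 and cn contains Smith
    print(to_ldap(expr))    # (&(uid=Tuser1)(cn=*Smith*))
```

The escaping step is the part worth keeping in mind when values come from the Condition group box: without it, a value such as `a*)(b` would be spliced into the filter as structure rather than matched as text.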
- ODBC and WinNT Directories
  For ODBC and WinNT user directories, the User Directory Search Expression Editor pane contains the following settings:
  - Manual Entry Group Box
    Specifies a manually entered search expression. For Microsoft SQL Server and Oracle, enter a user name or an SQL query. For WinNT, enter a user name.
    Example SQL query for ODBC databases:
    SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';
    The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. Before you construct the SQL query, become familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and want to add specific users, you could select from the SmUser table.
    Note the following:
    - If the manual entry query does not contain a WHERE statement, the WHERE statement from the Init User query field is appended. For example:
      Init User: Select Name from SmUser where Name = '%s'
      Manual Entry: Select Name from customers
      Result: Select Name from customers where Name = '%s'
    - If the manual entry query contains a WHERE statement, the portion of the query following the Init User WHERE statement is appended. For example:
      Init User: Select Name from SmUser where Name = '%s'
      Manual Entry: Select Name from customers where balance > 1000
      Result: Select Name from customers where balance > 1000 and Name = '%s'
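The two merge rules above decide what SQL the Policy Server actually runs, so it is useful to be able to preview the combined statement before saving a Manual Entry. The following added example is not part of this documentation or of the Policy Server; it is a hypothetical Python helper, `merge_manual_query`, that reproduces only the two documented cases (manual query with and without a WHERE clause) and is checked against the page's own Init User and Manual Entry strings. Anything the page does not describe, such as a manual query that carries an ORDER BY after its WHERE clause, is outside what this helper models.

```python
"""Hypothetical preview of how a Manual Entry query is combined with the
Init User query's WHERE clause. Not product code; it models only the two
cases this page documents."""
import re

# Word-boundary match so that column names containing 'where' are not hit.
_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)


def merge_manual_query(init_user: str, manual_entry: str) -> str:
    """Return the query the documented rules produce for a Manual Entry.

    Rule 1: no WHERE in the manual query -> append the Init User WHERE clause.
    Rule 2: WHERE present -> append ' and ' plus the Init User predicate
            (the text after the Init User WHERE keyword).
    """
    init_match = _WHERE.search(init_user)
    if init_match is None:
        raise ValueError("Init User query has no WHERE clause to append")

    init_where = init_user[init_match.start():].strip()    # "where Name = '%s'"
    init_predicate = init_user[init_match.end():].strip()  # "Name = '%s'"

    manual = manual_entry.strip().rstrip(";").rstrip()
    if _WHERE.search(manual) is None:
        return f"{manual} {init_where}"
    return f"{manual} and {init_predicate}"


if __name__ == "__main__":
    # Constructed from the examples on this page.
    init_user = "Select Name from SmUser where Name = '%s'"
    for manual in ("Select Name from customers",
                   "Select Name from customers where balance > 1000"):
        print(merge_manual_query(init_user, manual))
```

The `%s` placeholder survives the merge unchanged in both cases; it is filled in by the Policy Server at lookup time, not by the editor, so the preview shows the statement shape rather than a concrete user's query.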