Password Policy Create Search Expression Dialog

The Create Search Expression Editor is where you use search expressions to locate users that you want to add to a password policy. Search expressions can bind users to a password policy based on attributes that appear in user, group, and organization profiles.
The dialog contents change depending on the directory type.
  • Active Directory User Directories
    For Active Directory (AD) user directories, the User Directory Search Expression Editor pane contains the following settings:
    • Manual Entry Field
      Specifies a search filter for the Active Directory user directory.
    • Validate Entry Check Box
      Specifies whether the search filter is validated before the entry is added to the Active Directory user directory.
      Note:
      If validation of the Active Directory search filter fails, clear this check box.
      Default:
      Selected
  • LDAP User Directories
    For LDAP user directories, the User Directory Search Expression Editor contains the following settings:
    • Where to Search Group Box
      Specifies the type of attribute for the search. The following options are available:
      Validate DN
      Verifies the user's DN. Enter a complete DN for the LDAP user directory and click OK. Any valid DN entry is then added to the list of users in the User Directory dialog.
      Search Users
      Indicates that the search is limited to matches in user entries.
      Search Groups
      Indicates that the search is limited to matches in group entries.
      Search Organizations
      Indicates that the search is limited to matches in organization entries (organizations and organizational units).
      Search Any Entry
      Indicates that the search includes all entries in the directory.
    • Condition Group Box
      Specifies the LDAP or AD attributes included in the search criteria. In the Please Select drop-down list, select the attribute. In the next drop-down list, select the operator (contains, approx, greaterOrEqual, equals, lessOrEqual). In the third field, enter the value for the condition.
      Example condition:
      uid equals Tuser1
      Add
      Adds the search condition to the Manual Entry, Infix Notation, and LDAP Notation group boxes.
    • Infix Notation Group Box
      Lists all the conditions you defined using the Where to Search and Condition group boxes.
      You can edit the conditions in an expression using the And/Or, Modify, Not, Remove buttons. To edit a condition, select the condition string in the Infix Notation field then click a button to modify it.
      By default, the second and all subsequent conditions are added to the Infix Notation group box with an "and" operator.
      The buttons operate as follows:
      And/Or
      With the second or subsequent condition selected, places an And/Or operator between two strings. You must have two conditions already defined to use the And/Or operator. Selecting one condition string and clicking And/Or toggles between requiring that both conditions be satisfied during a search and requiring that only one of the two conditions be satisfied.
      Modify
      Opens the Edit dialog, which allows you to reenter the condition statement.
      Not
      Places the word "not" in front of a condition string. The Not operator enables you to exclude a user from a password policy.
      Remove
      Deletes the condition string.
      Add()
      With two or more strings selected, adds parentheses to the selected conditions.
      Remove()
      With two or more strings selected, removes the parentheses from the selected conditions.
    • LDAP Notation Group Box
      Displays the complete search expression that you have constructed.
  • ODBC and WinNT Directories
    For ODBC and WinNT user directories, the User Directory Search Expression Editor contains the following settings:
    • Manual Entry Group Box
      Specifies a manually entered search expression. For Microsoft SQL Server and Oracle, enter a user name or an SQL query. For WinNT, enter a user name.
      Example SQL query for ODBC Databases
      SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';
      The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. Before you construct the SQL query, become familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and want to add specific users, you could select from the SmUser table.
      Note the following:
      • If the manual entry query does not contain a WHERE statement, the WHERE statement from the Init User query field is appended. For example:
        Init User:
        Select Name from SmUser where Name = '%s'
        Manual Entry:
        Select Name from customers
        Result:
        Select Name from customers where Name = '%s'
      • If the manual entry query contains a WHERE statement, the portion of the query following the Init User WHERE statement is appended. For example:
        Init User:
        Select Name from SmUser where Name = '%s'
        Manual Entry:
        Select Name from customers where balance > 1000
        Result:
        Select Name from customers where balance > 1000 and Name = '%s'
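The following is an added example (not the product's own code) showing how the LDAP Notation group box expression is derived from the Condition group box entries and the And/Or, Not and parenthesis buttons described above. The mapping of the five operators to LDAP filter syntax (contains as a substring match, approx as `~=`) is an assumption, and the values are escaped per RFC 4515 so that a user-supplied value cannot change the structure of the filter.

```python
# Added example: render Condition group box entries as an LDAP filter.
# Operator-to-filter mapping is assumed; "contains" becomes attr=*value*.
OPERATORS = {
    "equals": "=",
    "approx": "~=",
    "greaterOrEqual": ">=",
    "lessOrEqual": "<=",
    "contains": "=",
}


def escape_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def condition(attr: str, op: str, value: str) -> str:
    """Render one condition, e.g. ('uid', 'equals', 'Tuser1') -> '(uid=Tuser1)'."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    v = escape_value(value)
    if op == "contains":
        v = f"*{v}*"
    return f"({attr}{OPERATORS[op]}{v})"


def and_(*filters: str) -> str:      # the And side of the And/Or button
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:       # the Or side of the And/Or button
    return "(|" + "".join(filters) + ")"


def not_(f: str) -> str:             # the Not button
    return "(!" + f + ")"


def example_expression() -> str:
    # Infix Notation: uid equals Tuser1 or (ou contains Finance and not title approx manager)
    return or_(condition("uid", "equals", "Tuser1"),
               and_(condition("ou", "contains", "Finance"),
                    not_(condition("title", "approx", "manager"))))
```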
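The two merge rules for ODBC Manual Entry queries just described, as an added example that is not the product's own code. The function reproduces the page's two examples; the WHERE detection is a simple case-insensitive keyword match, which is an assumption about how the Policy Server locates the clause.

```python
import re

# Init User query taken from the page's example.
INIT_USER = "Select Name from SmUser where Name = '%s'"

_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)


def where_clause(query: str) -> str:
    """Return the text after the first WHERE keyword, or '' if there is none."""
    m = _WHERE.search(query)
    return query[m.end():].strip() if m else ""


def merge_manual_entry(manual: str, init_user: str = INIT_USER) -> str:
    """Combine a Manual Entry query with the Init User WHERE clause.

    No WHERE in the manual entry: the Init User WHERE clause is appended.
    WHERE present: the Init User condition is appended with a bare 'and'.
    """
    init_cond = where_clause(init_user)
    if not init_cond:
        raise ValueError("Init User query has no WHERE clause to append")
    manual = manual.strip().rstrip(";")
    if _WHERE.search(manual):
        return f"{manual} and {init_cond}"
    return f"{manual} where {init_cond}"
```

Because the Init User condition is appended with a bare `and`, a Manual Entry whose own WHERE clause contains `or` should wrap that clause in parentheses, or the appended `Name = '%s'` condition will bind only to the last alternative.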