NOTE: This document is not meant to replace the official documentation regarding LDAP authentication in DMS, but to serve as an addition.
Please refer to the following URL for the basic configuration steps:
http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_1/dmm/user/guide/admin.html#wp1088277
Defining LDAP filters
In the Administration > Settings > Authentication > Define Filter screen, the User Base DN defines the subtree from which users are imported and will usually look something like this:
cn=Users,dc=MYCOMPANY,dc=COM
The User Filter is a filter in LDAP format that allows you to select only those users under the Base DN that match certain criteria.
Example 1: Select all users under the Base DN
(objectClass=user)
Example 2: Select all users that are members of the group CN=DMMusers
(memberOf=CN=DMMusers,CN=Users,DC=MYCOMPANY,DC=COM)
Note that DMM imports only objects of class user, but the filter itself matches every object whose memberOf attribute has this value, including non-user objects such as nested groups; each of those generates a warning during the import. To avoid the warnings, combine this filter with the one from example 1 using a logical AND:
(&(objectClass=user)(memberOf=CN=DMMusers,CN=Users,DC=MYCOMPANY,DC=COM))
I.e. select all objects that are of class 'user' AND have a memberOf attribute with the value CN=DMMusers,CN=Users,DC=MYCOMPANY,DC=COM.
Example 3: Select all users that are members of CN=Sales or CN=Engineering
As with the AND construct above, the | symbol builds a logical OR of two (or more) filters: (|(filter1)(filter2)). The (objectClass=user) restriction from example 2 can be ANDed around the OR in the same way if the groups contain non-user members.
(|(memberOf=CN=Sales,CN=Users,DC=MYCOMPANY,DC=COM)(memberOf=CN=Engineering,CN=Users,DC=MYCOMPANY,DC=COM))
Example 4: Select all users that are member of a Group or its subgroups
Assume you have a group CN=Employees whose members are other groups, for example CN=Sales and CN=Engineering, possibly nested several levels deep.
Problem: the users are members of one or more of the subgroups, not of Employees directly, so a simple filter for memberOf=CN=Employees,... will not match them.
Constructing a filter as in example 3 that lists every subgroup would be cumbersome and would have to be updated whenever the group structure changes.
The solution is the following construct, which uses the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) to match users in the given group and in all of its subgroups (and subgroups of the subgroups, etc.):
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=MYCOMPANY,DC=COM))
Note that this matching rule is specific to Active Directory (Windows Server 2003 SP2 and later) and is not understood by other LDAP servers. It also makes the server walk the whole group tree for every search, so test it against a large directory before relying on it for a scheduled import.
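The filters in examples 1 through 4 are short enough to type by hand, but as soon as they are assembled from group names or DNs that contain special characters (parentheses, asterisks, backslashes), or several AND/OR levels are nested, it is easy to produce something the LDAP server and DMM reject. The following Python script is an added example and is not part of this document or of DMS; it builds the four filters above with RFC 4515 escaping of the values and includes a small parser that rejects malformed filters (unbalanced parentheses, unescaped parentheses inside a value, trailing text) before you paste them into the Define Filter screen. The DNs and the helper names are assumptions made for the example.

```python
"""Build and sanity-check LDAP search filters (RFC 4515 syntax) before pasting them into DMM.
Added example; the DNs and helper names are assumptions for illustration, not DMS code."""
import re

# RFC 4515: these characters must be written as \XX hex escapes inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# OID of the Active Directory LDAP_MATCHING_RULE_IN_CHAIN extensible match used in example 4.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Attribute description, optionally with a matching-rule suffix (attr:oid:), then an operator.
_ATTR_OP = re.compile(r"([A-Za-z0-9.;:\-]+)(=|~=|>=|<=)")


def ldap_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    return f"({attr}={ldap_escape(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def member_of(group_dn: str) -> str:
    """Direct membership only (examples 2 and 3)."""
    return eq("memberOf", group_dn)


def member_of_chain(group_dn: str) -> str:
    """Direct or nested membership via the AD-only matching rule (example 4)."""
    return f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={ldap_escape(group_dn)})"


class FilterSyntaxError(ValueError):
    pass


def parse_filter(text: str):
    """Parse a filter into nested tuples: ('&'|'|'|'!', [children]) or (op, attr, value).
    Raises FilterSyntaxError for input an LDAP server (and therefore DMM) would reject."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise FilterSyntaxError(f"expected '{ch}' at offset {pos}")
        pos += 1

    def item():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(item())
            # AND/OR need at least one operand, NOT exactly one.
            if not children or (op == "!" and len(children) != 1):
                raise FilterSyntaxError(f"bad operand count for '{op}' at offset {pos}")
            expect(")")
            return (op, children)
        m = _ATTR_OP.match(text, pos)
        if not m:
            raise FilterSyntaxError(f"bad attribute or operator at offset {pos}")
        attr, op = m.group(1), m.group(2)
        pos = m.end()
        start = pos
        while pos < len(text) and text[pos] != ")":
            if text[pos] == "(":  # a literal '(' in a value must be escaped as \28
                raise FilterSyntaxError(f"unescaped '(' in value at offset {pos}")
            pos += 1
        value = text[start:pos]
        expect(")")
        return (op, attr, value)

    node = item()
    if pos != len(text):
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


# Constructed DNs mirroring the document's examples (assumed, not a real directory).
USERS = "CN=Users,DC=MYCOMPANY,DC=COM"
USER = eq("objectClass", "user")
EXAMPLES = {
    "1 all users": USER,
    "2 members of DMMusers": and_(USER, member_of(f"CN=DMMusers,{USERS}")),
    "3 Sales or Engineering": and_(
        USER, or_(member_of(f"CN=Sales,{USERS}"), member_of(f"CN=Engineering,{USERS}"))),
    "4 Employees and subgroups": and_(USER, member_of_chain(f"CN=Employees,{USERS}")),
}

if __name__ == "__main__":
    for name, flt in EXAMPLES.items():
        print(name, "->", flt, "(valid)" if is_valid_filter(flt) else "(INVALID)")
```

Run the script to print the four filters ready for pasting; run is_valid_filter on anything you typed by hand before trying it in DMM. The escaping in ldap_escape is what keeps a group name such as "Sales (EMEA)" from breaking the filter, and it is also the standard defence against LDAP filter injection whenever a filter is built from values that are not under your control.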
Links
A good reference for the filter syntax is available from Microsoft at http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
When testing and trying to find the right filter, you may have to repeatedly create, test and delete your filter in DMM. It is easier to use an LDAP browser such as the one at http://www.ldapadministrator.com/download.htm, which connects to your LDAP server and offers a search feature where you can enter the Base DN and filter in the same syntax as in DMM (Note: the download page offers both the free Browser tool and the trial version of Administrator; the Browser tool is sufficient to test your filters). The OpenLDAP ldapsearch command-line tool accepts the same base DN and filter syntax and can be used for the same purpose.