cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12422
Views
5
Helpful
1
Comments
Herbert Baerten
Cisco Employee
Cisco Employee

NOTE: This document is not meant to replace the official documentation regarding LDAP authentication in DMS, but to serve as an addition.

Please refer to the following URL for the basic configuration steps:

http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_1/dmm/user/guide/admin.html#wp1088277

Defining LDAP filters

In the Administration > Settings > Authentication > Define Filter screen, the User Base DN defines which subtree to import the users from and usually will look something like this:

cn=Users,dc=MYCOMPANY,dc=COM

The User Filter is a filter in LDAP format that allows you to select only those users under the Base DN that match certain criteria.

Example 1: Select all users under the Base DN

(objectClass=user)

Example 2: Select all users that are member of group CN=DMMusers

(memberOf=CN=DMMusers,CN=Users,DC=MYCOMPANY,DC=COM)

Note that this will automatically select only objects of class user, but will generate warnings for non-user objects (e.g. group objects). To avoid those warnings, create a filter that combines the above example with the one in example 1, with a logical AND:

(&(objectClass=user)(memberOf=CN=Engineering,CN=Users,DC=MYCOMPANY,DC=COM))

I.e. select all objects that are of class 'user' AND have the attribute memberOf with a value of CN=Engineering...

Example 3: Select all users that are member of CN=Sales or CN=Engineering

Similarly to the AND construct above, we can use the | symbol to construct a logical OR of two (or more) filters: (|(filter1)(filter2)).

(|(memberOf=CN=Sales,CN=Users,DC=MYCOMPANY,DC=COM)(memberOf=CN=Engineering,CN=Users,DC=MYCOMPANY,DC=COM))

Example 4: Select all users that are member of a Group or its subgroups

Assume you have a group CN=Employees, which has multiple other groups as members: CN=Sales and CN=Engineering, possibly multiple levels deep.

Problem: all users are a member of one or more subgroups, not of Employees directly, so we cannot simply filter for memberOf=CN=Employees.

Constructing a filter as in example 3 would be cumbersome and difficult to maintain.

The solution is to use the following special construct that searches for all users in the given group and all of its subgroups (and subgroups of the subgroups, etc.):

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Employees,CN=Users,DC=MYCOMPANY,DC=COM))

Links

A good reference for the filter syntax is available from Microsoft at http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

When testing and trying to find the right filter, you may have to  repeatedly create, test and delete your filter. It may be easier to  use an LDAP browser like the one at http://www.ldapadministrator.com/download.htm. This will connect to your LDAP server and offers  a search feature where you can enter the Base DN and Filter in the same syntax as in DMM (Note: the download page offers both the free Browser tool and the trial version of Administrator - the Browser tool is sufficient to test your filters).

Comments
panayiotiscy
Level 4
Level 4

Very useful guide.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: