[Deploying Sakai] Filter in jldap directory provider

Martin B. Smith smithmb at ufl.edu
Tue Jan 19 15:12:24 PST 2010


On 1/19/2010 5:56 PM, Grossman,John E wrote:
> Is there a way to specify an LDAP search filter in the jldap-beans.xml
> without having to modify Java code?
>  
> Our Active Directory tree looks something like this:
> DC=mdanderson,DC=edu
>         OU=People
>                 OU=Archive
>                 OU=Dept01
>                 OU=Dept02
>                 OU=Dept20
>  
> I need to start searching at OU=People because a current user can be in
> any of the department branches. Unfortunately, the same person sometimes
> shows up in both Archive and DeptX with the same email. For instance
> Jane Jones with user id jjones married and changed her name to Jane
> Smith with user id jsmith but kept her jjones email address. When the
> directory provider code looks up jjones at mdanderson.edu, it finds her
> in the archive branch before it finds her current record in Dept02. She
> gets enrolled as jjones when she should be enrolled as jsmith. Jjones is
> a dead account so she can’t log in.
>  
> I’d like for the provider to use a filter like
> (&(mail=jjones at mdanderson.org)(!(accountExpires=0))) or an
> approach that would eliminate the Archive branch from the search.
>  
> BTW – I know the person could be enrolled correctly by searching on her
> user id jsmith, but instructors often prefer to enter students by email
> address.
>  
> John Grossman
> The University of Texas M. D. Anderson Cancer Center
> john.grossman at mdanderson.org


Hi John,

From poking around in the jldap-beans.xml file that comes inside
tomcat/components/sakai-provider-pack/WEB-INF/ directory, it looks like
while you can set base path to OU=People,DC=mdanderson,DC=edu, there
isn't a place to add a filter to the search.

What about removing permission to read the "OU=Archive" subtree for the
user you're using to search AD? Otherwise, I bet it would be trivial
to submit a patch that adds a filter property.

Cheers,
-- 
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
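The lookup problem in this thread, worked through as an added example. This is not code from Sakai or its jldap provider; the directory entries, the base DN strings and the `NOW` timestamp are constructed sample data modelled on the scenario above. It uses Active Directory's actual attribute semantics, which matter for the filter John proposes: `accountExpires` is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) in which both 0 and 2**63-1 mean "never expires", so `(!(accountExpires=0))` would drop accounts that never expire rather than expired ones; a disabled account is flagged by bit 0x2 of `userAccountControl`, tested in a filter with AD's bitwise-AND matching rule `1.2.840.113556.1.4.803`. The example shows the failure mode (take the first search hit), the fix (unique live, enabled match, or an error rather than a guess), the equivalent server-side filter, exclusion of the Archive subtree by DN, and RFC 4515 escaping of the instructor-typed address so it cannot change the filter's structure.

```python
"""Resolving a person by e-mail in an AD-like tree without picking a dead record.

Added example; this is not code from Sakai or its jldap provider. The entries
below are constructed sample data. The attribute semantics are Active
Directory's:
  * accountExpires is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC);
    0 and 2**63-1 both mean "never expires", so a real expiry check compares
    the value against the current time instead of testing for zero.
  * bit 0x2 of userAccountControl is ACCOUNTDISABLE.
"""
from datetime import datetime, timezone

NEVER_EXPIRES = {0, 2**63 - 1}
ACCOUNTDISABLE = 0x2
EPOCH_DELTA = 11644473600          # seconds from 1601-01-01 to 1970-01-01
BASE = "OU=People,DC=mdanderson,DC=edu"   # assumed search base from the thread
ARCHIVE = "OU=Archive," + BASE


def to_filetime(dt):
    """UTC datetime -> FILETIME integer as stored in accountExpires."""
    return (int(dt.timestamp()) + EPOCH_DELTA) * 10_000_000


def is_expired(entry, now):
    value = int(entry.get("accountExpires", "0"))
    return value not in NEVER_EXPIRES and value <= to_filetime(now)


def is_disabled(entry):
    return int(entry.get("userAccountControl", "0")) & ACCOUNTDISABLE != 0


def in_subtree(dn, base):
    """Case-insensitive DN suffix match on a component boundary (no RDN
    normalisation; enough for the canonical DNs used here)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def escape_filter_value(value):
    """RFC 4515 escaping, so an instructor-typed address cannot alter the
    filter structure (LDAP injection)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def candidates(directory, mail, base=BASE, exclude=()):
    """Entries under base, outside any excluded subtree, with a matching mail."""
    return [e for e in directory
            if in_subtree(e["dn"], base)
            and not any(in_subtree(e["dn"], x) for x in exclude)
            and e.get("mail", "").lower() == mail.lower()]


def first_match(directory, mail, base=BASE):
    """The failure mode: take whatever the search returns first."""
    found = candidates(directory, mail, base)
    return found[0] if found else None


def resolve(directory, mail, now, base=BASE, exclude=()):
    """Unique live, enabled match; raises instead of guessing on 0 or >1."""
    live = [e for e in candidates(directory, mail, base, exclude)
            if not is_expired(e, now) and not is_disabled(e)]
    if len(live) != 1:
        raise LookupError("%d live accounts for %s" % (len(live), mail))
    return live[0]


def ad_filter(mail, now):
    """Server-side filter with the same meaning, for use with a real AD
    search. 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule."""
    return ("(&(mail=%s)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            "(|(accountExpires=0)(accountExpires=9223372036854775807)"
            "(accountExpires>=%d)))"
            % (escape_filter_value(mail), to_filetime(now)))


# Constructed sample data modelled on the scenario in the thread.
NOW = datetime(2010, 1, 19, 23, 0, tzinfo=timezone.utc)
DIRECTORY = [
    {"dn": "CN=Jane Jones,OU=Archive,OU=People,DC=mdanderson,DC=edu",
     "sAMAccountName": "jjones", "mail": "jjones@mdanderson.edu",
     "accountExpires": str(to_filetime(datetime(2009, 6, 1, tzinfo=timezone.utc))),
     "userAccountControl": "514"},            # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"dn": "CN=Jane Smith,OU=Dept02,OU=People,DC=mdanderson,DC=edu",
     "sAMAccountName": "jsmith", "mail": "jjones@mdanderson.edu",
     "accountExpires": "9223372036854775807",  # never expires
     "userAccountControl": "512"},
]

if __name__ == "__main__":
    mail = "jjones@mdanderson.edu"
    print("first result:", first_match(DIRECTORY, mail)["sAMAccountName"])
    print("live account:", resolve(DIRECTORY, mail, NOW)["sAMAccountName"])
    print("archive excluded:",
          resolve(DIRECTORY, mail, NOW, exclude=(ARCHIVE,))["sAMAccountName"])
    print(ad_filter(mail, NOW))
```

Two practical notes. Restricting the bind account's read permission on OU=Archive, as suggested above, works on AD because the search simply omits entries the caller cannot read, so it needs no provider change; it does not, however, catch a disabled or expired record that sits in a department OU, which the status checks above do. And because the search value comes from whatever an instructor types into the roster tool, the escaping step is not optional in whichever layer builds the real filter.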

