
Hello,

we have started using Softerra Adaxes to allow key users to manage some aspects of Active Directory. For one task we have created an LDAP filter:

(managedBy=%secretary%)

The system should only show OUs where the value of "managedBy" of the OU matches the value of the "secretary" attribute of the logged on user. This works fine as long as "secretary" only holds one value. If we add a second value to the "secretary" attribute of our test user the ldap filter will only return those OUs where the "managedBy" matches the first value in the "secretary" list.

Is there some other operator that we could use in this LDAP filter? Something like "included in" instead of "="?

In essence this would be what we need: (managedBy included in %secretary%)

Any help is greatly appreciated.

Regards

HarryNew


Hello Harry,

Is there some other operator that we could use in this LDAP filter? Something like "included in" instead of "="?

There is no such possibility. Could you specify, what exactly should the Home Page Action do, so that we can suggest a solution to meet your needs?


Hello Support2,

thank you for your answer! I was afraid this would not be possible... I have googled quite a bit and also posted a similar question on TechNet.

We have a button on the web interface that will allow key users to create a new group by copying an existing one. The interface will eventually be used by up to 200 different groups of key users, each group being from a different department. The key-user groups will create their groups in the OUs that they are responsible for.

The problem comes up when we specify the target OU where the group is to be created. Each key-user group should only see the OUs that they are responsible for. Often they are only responsible for one OU, sometimes they are responsible for two or more OUs. Since there is no general naming scheme that we can use and since the users are not in the OUs that they are responsible for, we have been struggling to find a way to show just the correct OUs. One idea that we had was to place a common string into the managedBy property of the OU (something that we are doing anyway for other reasons) and into the secretary attribute of the key users. Then we could apply an LDAP filter

(managedBy=%secretary%)

on the target OU page for the button in order to only show OUs that have a matching string. This works like a charm as long as the key user is only responsible for one OU. If he is responsible for a second OU, then we would have two values in the multi-valued field "secretary", and the filter seems to only match the first value against the value in managedBy.

Do you have any other ideas?

Regards
HarryNew

1 Answer

Best answer

Hello Harry,

Actually yes, we do. It is possible to create a script that builds an LDAP filter containing the GUIDs of all secretaries of a user and saves it to a certain property of the user account. For example, it can be one of the Adaxes custom attributes, e.g. CustomAttributeText1. Then, with the help of the script, you can create a Business Rule to adjust the filter when the Secretary property is modified and a Scheduled Task to adjust the filter for all users on a periodical basis. The task is needed for the cases when someone changes the Secretary property outside of Adaxes, for example.

Then, you can use a value reference for that attribute in the configuration of your Home Page Action to filter the OUs displayed.

If such a solution is OK with you, we will provide you with the necessary script and instructions on how to accomplish the task.


Hello Support,

that sounds very interesting and promising! Unfortunately, since we are fairly new to Adaxes, I can't exactly follow you yet. It would be really helpful if you could post the script and some more information on how the constructed LDAP filter would be used on the target page of the Home Page Action.

Thank you very much for your help!

Regards
HarryNew


Hello Harry,

To accomplish the task, you need to:

  • Create a Custom Command that runs the necessary script for a user account
  • Create a Business Rule that runs the Custom Command after updating the Secretary attribute of a user
  • Create a Scheduled Task that runs the Custom Command on a periodical basis
  • Add a value reference for the attribute where the script saves the LDAP filter to your Home Page Action configuration

i. Create a Custom Command that runs the necessary script for a user account

First, you need to create a Custom Command that runs the script. Then, you can execute the command using Business Rules, Scheduled Tasks and other Custom Commands. Thus, a command is a good way to keep the script in one place only, in case you need to change something in it in the future.

To create the command:

  1. Create a new Custom Command.
  2. Since, most probably, you are not going to execute the command manually, you may want to clear the Enabled option on Step 1. This will create the Custom Command in a disabled state. Disabled commands are not visible anywhere in the Adaxes UI, but can be used in Business Rules, Scheduled Tasks and other Custom Commands.
  3. On Step 2, select the User object type.
  4. On Step 3, add the Run a program or PowerShell script action and paste the following script from our script repository: http://www.adaxes.com/script-repository ... s-s488.htm.
  5. In the script, $propertyForLDAPFilter specifies the name of the attribute that will be used to store the LDAP filter in each user account. We suggest using one of the Adaxes custom attributes, e.g. CustomAttributeText1. Such attributes are virtual: they are not stored in AD, but can be used the same as any other attributes of AD objects.
  6. Enter a short description and click OK.
  7. Click Next, then click Finish.

ii. Create a Business Rule that runs the Custom Command after updating the Secretary attribute

Now, you need to create a Business Rule that automatically updates the filter once the Secretary attribute is updated. To do this:

  1. Create a new Business Rule.
  2. On Step 2 of the Create Business Rule Wizard, select User and After Updating a User.
  3. On Step 3, add the Execute a Custom Command action.
  4. Click Select and select the Custom Command you created on step i.
  5. When done, click OK twice, then click Next.
  6. On the final step, add All Objects to the Activity Scope of the rule.
  7. Click Finish.

iii. Create a Scheduled Task that runs the Custom Command on a periodical basis

Also, you need to create a Scheduled Task that updates the filters on a periodical basis to keep them in line with changes in AD. To do this:

  1. Create a new Scheduled Task.
  2. On Step 3 of the Create Scheduled Task Wizard, select User.
  3. On Step 4, add the Execute a Custom Command action.
  4. Click Select and select the Custom Command you created on step i.
  5. When done, click OK twice, then click Next.
  6. On the final step, add All Objects to the Activity Scope of the task.
  7. Click Finish.

iv. Add a value reference for the attribute where the script saves the LDAP filter to your Home Page Action configuration

Now, to use the filters in your Home Page Action, you need to type a value reference for the attribute you used in $propertyForLDAPFilter (step i.5) as the filter value for selecting Organizational Units in your Home Page Action configuration.

Before testing, run the Scheduled Task at least once and wait until it completes.
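The script linked from the repository above is not reproduced on this page. The following is an added example, not the Adaxes script itself or HarryNew's code, of what a script for step i would need to do: read every value of the user's multi-valued secretary attribute, resolve each secretary to its objectGUID, and store an OR-combined filter in a custom attribute. The attribute name adm-CustomAttributeText1 is an assumption to match the suggested CustomAttributeText1; $Context.TargetObject, GetEx, BindToObjectByDN, LogMessage, Put and SetInfo are the standard Adaxes PowerShell scripting objects. Matching managedBy by <GUID=...> rather than by DN means the filter survives renames and moves of the secretary objects, and because a GUID contains only hex digits and dashes, no RFC 4515 escaping of the values is needed (a DN can contain "(", ")", "*" or "\", which would otherwise corrupt or subvert the filter).

```powershell
# Added example for the Custom Command in step i (assumption: not the repository script).
# Builds an LDAP filter that matches every object whose managedBy is one of the
# user's secretaries and stores it in a virtual Adaxes attribute.

$propertyForLDAPFilter = "adm-CustomAttributeText1"   # assumption: attribute holding the filter
$matchNothing = "(!(objectClass=*))"                  # used when the user has no secretaries

$user = $Context.TargetObject

# GetEx returns all values of a multi-valued attribute; it throws when the attribute is empty.
try {
    $secretaryDNs = @($user.GetEx("secretary"))
} catch {
    $secretaryDNs = @()
}

$clauses = @()
foreach ($dn in $secretaryDNs) {
    try {
        $secretary = $Context.BindToObjectByDN($dn)
        $guidBytes = [byte[]]$secretary.Get("objectGUID")
        # Guid.ToString() gives the dashed form, e.g. 3f2504e0-4f89-11d3-9a0c-0305e82c3301
        $guid = (New-Object System.Guid (,$guidBytes)).ToString()
        $clauses += "(managedBy=<GUID=$guid>)"
    } catch {
        # A stale or unresolvable DN in secretary must not abort the whole filter.
        $Context.LogMessage("Cannot resolve secretary '$dn': $($_.Exception.Message)", "Warning")
    }
}

switch ($clauses.Count) {
    0       { $filter = $matchNothing }
    1       { $filter = $clauses[0] }
    default { $filter = "(|" + ($clauses -join "") + ")" }
}

$user.Put($propertyForLDAPFilter, $filter)
$user.SetInfo()
$Context.LogMessage("Stored OU filter for $($user.Get('sAMAccountName')): $filter", "Information")
```

For a user with two secretaries this yields a filter of the form (|(managedBy=<GUID=...>)(managedBy=<GUID=...>)), and the Home Page Action in step iv would then reference it as %adm-CustomAttributeText1% (under the attribute-name assumption above). The explicit match-nothing filter for users without any secretary is deliberate: an empty value reference would otherwise leave the OU selection unfiltered, which is the opposite of the least-privilege behaviour the question is after.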
