
LDAP Search Query

The LDAP Search Query uses one or more user attributes to define a subset of the entries under the LDAP search base; only the users in this subset are synchronized with Code Insight. Best practice is to create an object in the DIT under the search base, such as a group, that is specific to Code Insight, make every Code Insight user a member of that object, and filter on membership in it. Keeping the filter narrow matters for more than tidiness: every account the query returns becomes a Code Insight account, so an over-broad filter grants application access to people who were never meant to have it.

Note: Code Insight requires that all users have a valid email address. Even if users meet all the criteria of the LDAP search query, only those users with a valid email address in the configured user attribute on the LDAP server are synchronized. Consequently, ensure that all Code Insight users have an email address assigned to this attribute on the server and that, on the LDAP tab, you have entered the attribute's name exactly as it is defined on the server (see the “Email” field description in LDAP Tab Field Descriptions).

The following topics describe how to define the user search query, how the Search Sub-tree option changes its scope, and how server paging affects the synchronization.

Sample Search Query

The LDAP search query is entered in the LDAP Search Query field on the LDAP tab. This query is run against the LDAP Search Base on the LDAP server to retrieve only those users that you want to synchronize to Code Insight. The query is a standard LDAP search filter (RFC 4515): each assertion is enclosed in parentheses in the format (attribute=value), and assertions are combined with the prefix operators & (and), | (or) and ! (not). A value that contains any of the characters ( ) * \ or NUL must be escaped as a backslash followed by its two-digit hexadecimal code (for example, \28 for an opening parenthesis); otherwise the server reads the character as filter syntax rather than as part of the value.

For example, based on the sample DIT described in the previous section, suppose all (and only) Code Insight users belong to the “usa” organizational unit. The LDAP Search Base should then be set to usa, and the following query can be used for LDAP Search Query to retrieve and synchronize users (entries with the object class “person”) to Code Insight:

(objectClass=person) 

However, suppose that Code Insight users are only those users belonging to the engineering group under the “usa” node, whose distinguished name is CN=engg,OU=usa,DC=acme,DC=com. The following query can then be used to retrieve and synchronize the appropriate users to Code Insight:

(&(objectClass=person)(memberOf=CN=engg,OU=usa,DC=acme,DC=com)) 

Two caveats apply to memberOf. The attribute holds the full distinguished name of each group the user belongs to, so the value in the filter must be the group's complete DN, not just its name. It also lists direct memberships only: a user who belongs to “engg” only through a nested group is not returned by this filter. memberOf is maintained by Active Directory and by some other directory servers, but it is not part of the core LDAP schema, so confirm that your server populates it before relying on it.

Although objectClass and memberOf are the most commonly used attributes, a query can filter entries on any other attribute, such as “department” in the following example (spaces inside a value are permitted and need no escaping):

(&(objectClass=person)(department=acme USA)) 
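The following Python script is an added example, not part of this page or of Code Insight, that evaluates the three filters above against a small constructed directory so you can see exactly which entries each one selects. The entries (Monty Burns, Karen Smith, the engg group) and their attribute values are hypothetical sample data. The script also applies the email rule from the note at the top of the page, and shows why the escaping described above matters: build_user_filter interpolates an account name into the person filter either escaped or raw, and the raw form lets the value “*)(objectClass=*” turn a one-account lookup into a match on every person.

```python
import re

# Constructed sample entries (hypothetical data) standing in for the DIT on
# this page. Attribute names are stored lower-case because LDAP attribute
# names are case-insensitive.
SAMPLE_ENTRIES = [
    {"dn": "CN=Monty Burns,OU=usa,DC=acme,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Monty Burns"], "department": ["acme USA"],
     "memberof": ["CN=engg,OU=usa,DC=acme,DC=com"], "mail": ["mburns@acme.com"]},
    {"dn": "CN=Karen Smith,OU=California,OU=usa,DC=acme,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Karen Smith"], "department": ["acme USA"],
     "memberof": ["CN=sales,OU=usa,DC=acme,DC=com"], "mail": []},  # no email
    {"dn": "CN=engg,OU=usa,DC=acme,DC=com",                          # a group
     "objectclass": ["top", "group"], "cn": ["engg"], "department": [],
     "memberof": [], "mail": ["engg@acme.com"]},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter assertion (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the filter subset used on this page: (&...), (|...), (!...),
    equality (attr=value) and presence (attr=*). Returns a nested tuple."""
    text = text.strip()

    def parse(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                node, pos = parse(pos)
                children.append(node)
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unterminated '%s' filter" % op)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children), pos + 1
        end = text.index(")", pos)  # an escaped ')' is '\29', never raw
        attr, eq, raw = text[pos:end].partition("=")
        if not attr or eq != "=":
            raise ValueError("bad assertion %r" % text[pos:end])
        if raw == "*":
            return ("present", attr.lower()), end + 1
        return ("=", attr.lower(), _unescape(raw)), end + 1

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    _, attr, value = node
    # objectClass, DNs and most directory strings compare case-insensitively
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(filter_text: str, entries=SAMPLE_ENTRIES):
    """DNs of all entries matching the filter (what the server would return)."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


def users_to_sync(filter_text: str, mail_attr="mail", entries=SAMPLE_ENTRIES):
    """The page's rule: matched entries with no value in the configured
    email attribute are not synchronized, however well they match."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e) and e.get(mail_attr.lower())]


def build_user_filter(cn: str, safe: bool = True) -> str:
    """Look up one account inside the person filter. safe=False interpolates
    the value raw, which is the classic LDAP filter-injection bug."""
    value = escape_filter_value(cn) if safe else cn
    return "(&(objectClass=person)(cn=%s))" % value
```

Run search() with each of the three filters from this section: the objectClass filter returns both persons and not the group, the memberOf filter returns only Monty Burns, and the department filter returns both persons again. users_to_sync("(objectClass=person)") drops Karen Smith because her mail attribute is empty, which is the failure mode the note at the top of the page warns about. The parser only understands equality and presence assertions; substring, approximate and extensible matching are left out on purpose because the page does not use them.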

Search Sub-tree

The Search Sub-tree option on the LDAP tab controls the scope of the search under the node defined by LDAP Search Base + LDAP Base. When the option is enabled, the query searches the whole subtree beneath that node (every level of nested containers); when it is disabled, only entries directly under that node are searched. While helpful in locating users in certain cases, a whole-subtree search can negatively affect performance, so the option is disabled by default.

Subtree examples in the DIT in Figure 3-1 are the organizational units “usa” and “europe” belonging to DC=acme,DC=com. Suppose that the “usa” subtree also has a subtree called “California” (not shown in the figure), which contains users. If the LDAP Base is DC=acme,DC=com and the LDAP Search Base is usa, the following occurs when a query is executed, depending on the status of the Search Sub-tree option:

  • If the option is enabled, the query searches for users in both the subtree “usa” (the search base) and its subtree “California”.

  • If the option is disabled, the query searches for users directly in “usa” but not in its subtree “California”.

If a synchronization was previously run with the Search Sub-tree option enabled and is then run again with the option disabled, any users previously synchronized from subtrees under the search base are assigned a “disabled” status, because the query no longer returns them. For example, suppose user “Monty Burns” belongs to “usa” (the search base) and “Karen Smith” belongs to “California” (a subtree of the base). When a synchronization is run with Search Sub-tree enabled, both “Monty Burns” and “Karen Smith” are synchronized and are active. However, if the option is then disabled and another synchronization is run, only “Monty Burns” is returned by the query and remains active; “Karen Smith” is flagged as “disabled”. The same thing happens whenever a change to the LDAP Search Base or the LDAP Search Query stops matching a previously synchronized user, so review the set of disabled users after changing any of these settings.

Users who are not LDAP users are not affected by this option. See also Disabled Users.
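The script below is an added example, not Code Insight's own code, that reproduces the two-run scenario above. It assumes the LDAP Search Base is entered as the RDN OU=usa and combined with the LDAP Base DC=acme,DC=com; the user DNs, the “europe” user Hans Moleman and the local “admin” account are constructed sample data. in_scope() implements the two scopes the option switches between (whole subtree versus direct children only) by comparing the RDN sequence of each DN with the search base, and synchronize() applies the status rule: LDAP users the query stops returning are flagged disabled, while non-LDAP users are left alone.

```python
import re

LDAP_BASE = "DC=acme,DC=com"    # "LDAP Base" field, as in the page's example
SEARCH_BASE = "OU=usa"          # "LDAP Search Base" field; assumed RDN form

# Constructed directory (hypothetical): user name -> distinguished name
DIRECTORY = {
    "Monty Burns": "CN=Monty Burns,OU=usa,DC=acme,DC=com",
    "Karen Smith": "CN=Karen Smith,OU=California,OU=usa,DC=acme,DC=com",
    "Hans Moleman": "CN=Hans Moleman,OU=europe,DC=acme,DC=com",
}


def rdns(dn: str):
    """Split a DN into its RDNs (escaped commas stay inside a value) and
    normalise them for comparison: case-folded, surrounding spaces dropped."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def in_scope(dn: str, search_base: str, subtree: bool) -> bool:
    """subtree=True mirrors Search Sub-tree enabled (LDAP scope wholeSubtree);
    False mirrors it disabled (scope singleLevel: direct children only).
    The search base entry itself is a container, never a user, so it is
    excluded in both modes."""
    entry, base = rdns(dn), rdns(search_base)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return subtree or len(entry) == len(base) + 1


def search_users(subtree: bool, directory=DIRECTORY):
    """Names of the users the query would return for the given scope."""
    search_base = SEARCH_BASE + "," + LDAP_BASE
    return {name for name, dn in directory.items()
            if in_scope(dn, search_base, subtree)}


def synchronize(state: dict, found: set) -> dict:
    """One synchronization run. Users the query returns become or stay
    active; LDAP users from the previous state that the query no longer
    returns are flagged disabled. Local (non-LDAP) accounts are untouched."""
    new_state = dict(state)
    for name in found:
        new_state[name] = {"source": "ldap", "status": "active"}
    for name, rec in state.items():
        if rec["source"] == "ldap" and name not in found:
            new_state[name] = {"source": "ldap", "status": "disabled"}
    return new_state


def demo():
    """The page's scenario: sync with Search Sub-tree on, then with it off.
    Returns the account state after each run."""
    state = {"admin": {"source": "local", "status": "active"}}
    state = synchronize(state, search_users(subtree=True))
    after_first_run = dict(state)
    state = synchronize(state, search_users(subtree=False))
    return after_first_run, state
```

After the first run both Monty Burns and Karen Smith are active; after the second, Karen Smith is disabled because her entry sits one level deeper than the search base and a single-level search never reaches it. Hans Moleman is never returned in either mode because “europe” is not under the search base, and the local admin account is never touched. The DN comparison here is deliberately simple (case-folding and whitespace trimming only); a real directory client should use the server's DN matching rules.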

Server Paging

LDAP and Active Directory support server paging, which controls the number of records the system pulls from the server in each request. Configure the LDAP Page Size entries as desired; the default page size is 1000. Note that Active Directory's default MaxPageSize policy is 1000 entries, so a larger page size brings no benefit against a default Active Directory configuration, and a search that is not paged at all fails with a size-limit-exceeded error as soon as the result set is larger than that limit.

Note: Certain releases of SunOne Directory Server do not support server paging (see http://kb.globalscape.com/KnowledgebaseArticle10218.aspx). If you are using SunOne Directory Server, ensure that server paging is disabled.