Dynamic Group Query Parameters

Groups › Dynamic Group Query Parameters

Dynamic Group Query Parameters

You can use the following dynamic query parameters in the search:

ldap:///<search_base_DN>??<search_scope>?<searchfilter>

<search_base_DN> is the point from where you begin the search in the LDAP directory. If you do not specify the base DN in the query, then the group's organization is the default base DN.
<search_scope> specifies the extent of the search and includes:
- sub -- Returns entries at the base DN level and below
- one -- Returns entries one level below the base DN you specify in the URL. This is the default value.
- base -- Uses one instead, ignoring base as a search option
Using one or base obtains only the users in the Base DN organization.

Using sub obtains all users under the Base DN organization and all sub- organizations in the tree.
<searchfilter> is the filter that you want to apply to entries within the scope of the search. When you enter a search filter, use the standard LDAP query syntax as follows:
(<logical operator ><comparison><comparison...>)
- <logical operator> is one of the following:
  Logical OR: |
  
  Logical AND: &
  
  Logical NOT: !
- <comparison> indicates <attribute><operator><value>
For example:

(&(city=boston)(state=Massachusetts))

The default search filter is (objectclass=*).

Note: When creating a dynamic query, you cannot specify the LDAP server's host name or port number. All searches occur within the Identity Manager LDAP directory that you configured for your Identity Manager environment.

The following are sample LDAP queries:

Description	Query
All users who are managers.	Ldap:///o=MyCorporation??sub?(title=Manger)
All managers in the New York West branch office	ldap:///o=MyCorporation??one?(&(title=Manager) (roomNumber=NYWest))
All technicians with a cell phones	ldap:///o=MyCorporation??one? (&(employeetype=technician) (mobile=*))
All employees whose employee numbers are between 1000 and 2000	ldap:///o=MyCorporation, (& (ou=employee) (employeenumber >=1000) (employeenumber <=2000))
All help desk administrators who have been employed at the company for more than 6 months	ldap:///o=MyCorporation,(& (cn=helpdeskadmin) (DOH => 2004/04/22) Note: This query requires that you create a DOH attribute for the user's date of hire.

Note: The > and < (greater than and less than) comparisons are lexicographic, not arithmetic. For details on their use, see the documentation for your LDAP directory server.

For more information about LDAP search filters, see information on User Directories in the CA SiteMinder Web Access Manager Policy Server Configuration Guide.