Building an LDAP query

Use an LDAP query to add LDAP users and groups to IBM® Cognos® TM1®.

Before you begin

An LDAP query consists of the following major elements:
  • Search DN - An LDAP directory is organized as a tree structure, with a root node and a number of branches off this root. The Search DN specifies the node at which the search originates. Entries below this node in the tree are searched, to the depth that the Scope setting allows. You must specify the correct base DN to obtain the results you want.
  • Filter - A query string that filters the entries in the LDAP directory and generates the matching records. You can create complex filters by using a combination of the following symbols:

    & (AND)

    | (OR)

    ! (NOT)

    * wildcard character

    ( ) parentheses for nesting

    For instructions on building LDAP filter strings, refer to LDAP books and online resources, including the LDAP standard, RFC 2254, The String Representation of LDAP Search Filters.

  • Scope - While the Search DN specifies the starting point of the search, the Scope attribute indicates the depth to which the search extends. There are two Scope levels:

    One Level - Specifies that LDAP searches all entries one level below the base DN, but does not include the base DN itself.

    Sub-Tree Level - Specifies that LDAP searches all entries at all levels below the base DN, including the base DN itself.

    Figure (diagram not reproduced here): the effect that the Scope setting has on a search. A one-level search of o: Application includes the two items one level below the base DN: ou: People and ou: Groups.
  • Attributes - Attributes and their values describe every LDAP entry. In the query, specify a comma-separated list of the attributes to return for the records that match the filter string. There are two types of LDAP attributes:

    User attribute - You add this attribute to the LDAP directory. For example, cn or mail.

    Operational attribute - The LDAP server creates and maintains this attribute. For example, numSubordinates.

    For a given entry, an attribute can be:

    Present with no value

    Present with one or more values

    Not present. If an attribute is optional, the attribute may not exist for an entry.

    Note: Be sure to request only the attributes you need. If you request all attributes, a large result set can significantly increase processing time on the LDAP server and memory requirements on both the server and the client.
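
The four query elements described above, modelled as an added Python example (not IBM's code and not how ETLDAP is implemented): a small in-memory search over a constructed directory that applies Search DN, Scope, Filter, and Attributes as the list describes. The directory contents, the function names, and the scope values 'one' and 'sub' are assumptions for illustration; attribute names are matched exactly, and escaped characters in DNs or filter values are not handled.

```python
import re

DIRECTORY = {  # constructed sample data, shaped like the page's o: Application tree
    "o=Application": {"objectClass": ["organization"]},
    "ou=People,o=Application": {"objectClass": ["organizationalUnit"]},
    "ou=Groups,o=Application": {"objectClass": ["organizationalUnit"]},
    "cn=Ann Lee,ou=People,o=Application": {"objectClass": ["person"], "mail": ["ann@example.com"]},
    "cn=Bob Roy,ou=People,o=Application": {"objectClass": ["person"]},
    "cn=Admins,ou=Groups,o=Application": {"objectClass": ["groupOfNames"]},
}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = f.index(")", i)  # raises ValueError when the ')' is missing
        attr, _, pattern = f[i:end].partition("=")
        node, i = ("=", attr, pattern), end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "!":
        return not matches(node[1][0], entry)
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    rx = ".*".join(re.escape(p) for p in node[2].split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(rx, v, re.I) for v in entry.get(node[1], []))

def search(base_dn, scope, filter_string, attributes):  # scope: 'one' or 'sub'
    node, end = parse(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing characters after filter")
    def in_scope(dn):
        depth = dn.count(",") - base_dn.count(",")  # assumes no escaped commas in RDNs
        return (dn == base_dn or dn.endswith("," + base_dn)) and (scope == "sub" or depth == 1)
    return {dn: {a: e[a] for a in attributes if a in e}
            for dn, e in DIRECTORY.items() if in_scope(dn) and matches(node, e)}
```

A filter such as `(&(objectClass=person)(!(mail=*)))` returns entries where the optional mail attribute is not present, and the returned record for each match carries only the attributes that were requested.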

Procedure

  1. Specify the Search DN, Filter String, Attributes, and Scope for your query.
  2. Click Search.

    You see a list of entries in the table, unless there are syntax errors or the filter string does not match any records in the directory.

  3. Examine the result set.
    • Does it include names that you do not want to see?
    • Are important entries missing?
    • Do you need to build multiple queries to capture the list of records you are interested in?
  4. Make your changes to the filter string.
  5. Click Search.
  6. Examine the result set.
  7. Repeat steps 3 through 6 until you have a list of valuable records.
  8. Click File, Save As to save your LDAP query as a text file.
    Note: You can use the saved LDAP query at a later time. To do so, click File > Open in the LDAP Load Tool dialog box. ETLDAP fills in the DN, Filter String, Attributes, and Scope for your LDAP query.