How To Use a NOT Operator in an LDAP Search Query
(Doc ID 2467022.1)
Last updated on SEPTEMBER 18, 2023
Applies to:
Oracle WebCenter Content - Version 11.1.1.6.0 and later
Information in this document applies to any platform.
Goal
Authenticate users, or authorize group membership, based on a user or group entry that does not carry a specified LDAP attribute value.
As an example:
In Active Directory a user and a computer can have the same CN.
These are the AD user's attributes:
displayName: lurch
loginid: lurch
cn: lurch
groupnameattr: lurch
objectclass: top
objectclass: person
objectclass: user
objectclass: organizationalPerson
These are the computer's attributes:
loginid: lurch
cn: lurch
groupnameattr: lurch
objectclass: top
objectclass: person
objectclass: user
objectclass: organizationalPerson
objectclass: computer
The standard User From Name Filter is set as:
(&(cn=%u)(objectclass=user))
- In the WebLogic AD provider, because the user and the computer have the same CN and both carry objectclass=user, if both are located under the User Base DN they are both listed under myrealm --> Users and Groups.
- The API used for user authorization may then run the group membership query against the computer rather than the user, so the real user does not receive the expected roles and accounts.
- The computer, however, has objectclass=computer, which the user does not have.
The LDAP search filter can be made to return the user and not the computer by using the LDAP NOT operator, whose syntax is:
(!(<attribute>=<value>))
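As an added example (not from this note and not Oracle product code), the script below evaluates RFC 4515 search filters against the two entries described above. It shows that the standard User From Name Filter matches both entries, while the same filter extended with (!(objectclass=computer)) matches only the user. The combined filter, the entry labels, the DIRECTORY list and the minimal parser are assumptions made for this illustration; the parser handles only the AND, OR, NOT, equality and presence forms and does not apply RFC 4515 escaping to the substituted username.

```python
"""Evaluate RFC 4515 LDAP search filters against in-memory entries.

Added example: a small filter parser supporting AND (&), OR (|), NOT (!),
equality (attr=value) and presence (attr=*), applied to the user and
computer entries from the note.
"""
from __future__ import annotations

# Entries constructed from the note's description. Values are lists
# because LDAP attributes are multi-valued (objectclass here).
USER_ENTRY = {
    "displayName": ["lurch"],
    "loginid": ["lurch"],
    "cn": ["lurch"],
    "groupnameattr": ["lurch"],
    "objectclass": ["top", "person", "user", "organizationalPerson"],
}
COMPUTER_ENTRY = {
    "loginid": ["lurch"],
    "cn": ["lurch"],
    "groupnameattr": ["lurch"],
    "objectclass": ["top", "person", "user", "organizationalPerson", "computer"],
}

# Assumed labels so results are readable; a real server returns DNs.
DIRECTORY = [("user", USER_ENTRY), ("computer", COMPUTER_ENTRY)]

# The note's standard User From Name Filter (%u is the login name).
STANDARD_FILTER = "(&(cn=%u)(objectclass=user))"
# Assumed extension: same filter plus a NOT clause that excludes computers.
NOT_COMPUTER_FILTER = "(&(cn=%u)(objectclass=user)(!(objectclass=computer)))"


def parse_filter(text: str):
    """Parse a filter into a nested tuple tree.

    Subset of RFC 4515:
      filter     = "(" filtercomp ")"
      filtercomp = "&" filter* | "|" filter* | "!" filter | attr "=" value
    Escaped values (\\2a, \\29, ...) are not decoded.
    """

    def parse(i: int):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|":
            children = []
            i += 1
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        if op == "!":
            child, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("!", child), i + 1
        end = text.index(")", i)
        attr, eq, value = text[i:end].partition("=")
        if not attr or not eq:
            raise ValueError(f"bad simple filter at offset {i}")
        return ("=", attr, value), end + 1

    tree, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry) -> bool:
    """Evaluate a parsed filter against one entry.

    Attribute names and values compare case-insensitively, which mirrors
    the matching rules AD uses for cn and objectClass.
    """
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":  # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_template: str, username: str, entries):
    """Substitute %u with the login name and return the labels that match."""
    tree = parse_filter(filter_template.replace("%u", username))
    return [label for label, entry in entries if matches(tree, entry)]


if __name__ == "__main__":
    print("standard filter matches    :", search(STANDARD_FILTER, "lurch", DIRECTORY))
    print("with NOT computer clause   :", search(NOT_COMPUTER_FILTER, "lurch", DIRECTORY))
```

Because NOT is a separate filter component, it can be added to any existing AND filter without changing the other clauses; the same pattern applies to a Group From Name Filter if group and non-group entries share a name. The %u substitution here is plain string replacement, so it is only suitable for trusted input; a production filter must escape the special characters listed in RFC 4515 section 3 before substitution.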
Solution