Discussion:
nested LDAP search filter
m***@poczta.fm
2018-01-22 12:14:25 UTC
Hi

In ISIM there is a relationship between People and OrgChart:
people.erparent = orgChart.dn

I have these objects in LDAP:

People.name = name1
People.erparent = erglobalid=1111111111111111111,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com


People.name = name2
People.erparent = erglobalid=2222222222222222222,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com

People.name = name3
People.erparent = erglobalid=3333333333333333333,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com


People.name = name4
People.erparent = orgchart3

OrgChart.dn = erglobalid=1111111111111111111,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com
OrgChart.l = loc1

OrgChart.dn = erglobalid=2222222222222222222,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com
OrgChart.l = loc2

OrgChart.dn = erglobalid=3333333333333333333,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com
OrgChart.l = loc3

I need to build a search filter that returns all people from loc1 and loc2.

It is simple when I use OrgChart.dn:

(&(erparent=erglobalid=1111111111111111111,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com)(erparent=erglobalid=2222222222222222222,ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com))

It is working fine, but when I need to move this filter to another ISIM I must change all the erglobalids.

I need a better filter which returns all people by the OrgChart.l attribute.

Something like this:

(&(erparent = dn in ( (&(l=loc1)(l=loc2)) ) ))

Do you know how to do this?

P.S. I know the "in" operator does not exist in LDAP.
Franzw
2018-01-25 21:45:18 UTC
This is neither an ISIM nor a generic LDAP forum - this kind of question is better asked here: https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000-000000000259&ps=25

But let me give you an answer anyhow - you cannot do this - LDAP is not like SQL and does not work with relations that way.

As you probably already know, you can use relationship expressions in ISIM as documented here: https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_7.0.1.8/com.ibm.isim.doc/configuring/ref/ref_ic_lifecycle_relation_expressions.htm but as you can see from there they can only be used on the left side - not the right side as in your request - this will require 2 chained LDAP searches.

A working solution is to use the erparent directly with erglobalid values - this is ugly, but will work as long as you do not change the erglobalids.

A much better solution is to add the organizational tree placement as a string in an attribute on the person in ISIM, e.g.:

ou: 123/888/234

where 123 is the root org, 888 second level and finally 234 the ou in which the user is placed.

This also makes a separation of the internal ISIM ou tree from the business org tree, which is desirable and makes org management much, much easier.

As a historic remark, this was basically what was introduced as "best practice" in ITIM 4.6 as a change from the old (and still widely used, with all the problems you are only scratching the surface of) ITIM 4.5 way.

This is btw no different from e.g. Windows AD design.

HTH
Regards
Franz Wolfhagen
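
The "2 chained LDAP searches" mentioned in the reply above, as an added example that is not part of the original thread and not ISIM code: search 1 resolves `l` values to orgChart DNs, search 2 matches people on `erparent`. The directory contents are constructed from the entries in the question, `fake_search` is a hypothetical stand-in for a real LDAP client call, and every value placed into a filter is escaped per RFC 4515 so a location name cannot alter the filter structure.

```python
import re

# Constructed stand-in directory, using the entries from the question above.
SUFFIX = "ou=orgChart,erglobalid=00000000000000000000,ou=itelli,dc=com"
ORGCHART = {  # dn -> attributes
    f"erglobalid=1111111111111111111,{SUFFIX}": {"l": "loc1"},
    f"erglobalid=2222222222222222222,{SUFFIX}": {"l": "loc2"},
    f"erglobalid=3333333333333333333,{SUFFIX}": {"l": "loc3"},
}
PEOPLE = {  # name -> attributes
    "name1": {"erparent": f"erglobalid=1111111111111111111,{SUFFIX}"},
    "name2": {"erparent": f"erglobalid=2222222222222222222,{SUFFIX}"},
    "name3": {"erparent": f"erglobalid=3333333333333333333,{SUFFIX}"},
    "name4": {"erparent": "orgchart3"},
}

def escape_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def or_filter(attr, values):
    """Build (|(attr=v1)(attr=v2)...); None when there is nothing to match."""
    terms = "".join(f"({attr}={escape_value(v)})" for v in values)
    return f"(|{terms})" if terms else None

def fake_search(entries, attr, ldap_filter):
    """Hypothetical stand-in for an LDAP search; handles flat OR filters only."""
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), v)
    wanted = {unescape(v)
              for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter) if a == attr}
    return sorted(k for k, attrs in entries.items() if attrs.get(attr) in wanted)

def people_in_locations(locations):
    # Search 1: resolve location names to orgChart DNs.
    org_filter = or_filter("l", locations)
    if org_filter is None:
        return []
    org_dns = fake_search(ORGCHART, "l", org_filter)
    # Search 2: match people whose erparent is one of those DNs.
    people_filter = or_filter("erparent", org_dns)
    if people_filter is None:  # no orgChart entry matched: skip search 2
        return []
    return fake_search(PEOPLE, "erparent", people_filter)

if __name__ == "__main__":
    print(people_in_locations(["loc1", "loc2"]))
```

Because the erglobalid values are looked up at run time, the same call works unchanged on another ISIM instance whose orgChart entries carry the same `l` values.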
