Creating LDAP queries using Directory manager [Web console]

In addition to the ability to query the core database with database queries, you can also use the Directory manager tool to locate, access, and target devices in other directories via LDAP (the Lightweight Directory Access Protocol).

You can query devices based on specific attributes such as processor type or OS. You can also query based on specific user attributes such as employee ID or department.

Adding an LDAP directory

To manage an LDAP directory, you need to add it to the Directory manager list. To do so, you'll need to know the location of the directory on your network and a set of credentials to access the directory.

To add an LDAP directory to Directory manager
  1. In the Web console toolbox, click Distribution > Directory manager.
  2. Click the New directory button on the toolbar.
  3. Type the URL to access the directory. You don't need to type the initial "LDAP://" in the URL.
  4. Type a user name and password to access the directory.
  5. Click OK.

The directory is listed with a tree icon in the Directory manager tool pane. You can also select the directory and click the Edit button on the toolbar to view its properties.

Viewing LDAP directories

When you have added at least one directory, you can view items in the directory in the Directory manager tree view, which displays all registered directories and users.

There are two tabs in the action pane, LDAP target list and LDAP queries. Click these to view LDAP objects that you have targeted and LDAP queries you have defined.

Targeting LDAP objects

You can select objects in the Directory manager tree and target them. The devices contained in those LDAP objects can be selected as targets for an action you want to apply to them, such as software distribution or patch and compliance scans.

To target LDAP objects
  1. In the Web console toolbox, click Distribution > Directory manager.
  2. Browse the Directory manager tree and select an object in the LDAP directory.
  3. Select one or more items in the Directory resources list and click the LDAP targets button on the toolbar.
  4. Select the tool you want to apply to the targeted devices. The items you've targeted are displayed in the Target list option for the tool.

Creating LDAP directory queries

You can create a query that returns results for a directory object, such as a root organization (o), domain component (dc), or organizational unit (ou).

To create an LDAP query
  1. In the Web console toolbox, click Distribution > Directory manager.
  2. Browse the Directory manager tree and select an object in the LDAP directory. The query that you're creating will return results from this point in the tree down.
  3. Click the New LDAP query toolbar button.
  4. Type a descriptive name for the query.
  5. Select an LDAP attribute that will be a criterion for the query.
  6. Click a comparison operator for the query (=, <=, >=) and a value for the attribute. If you select Contains or Exists, no value is needed.
  7. If the query is complex, select AND or OR to join the statement to the next statement.
  8. Click Insert to add the statement.
  9. Create additional statements by repeating steps 5-8.
  10. To negate a statement, select it and click NOT. To delete a statement, select it and click Delete.
  11. When the query is complete, click Test to check that the query returns results.
  12. If you want to edit the query and use freeform LDAP syntax, click Advanced. The query opens in an editing window that lets you use any syntax options.
  13. When you've finished, click Save. The saved query will appear on the LDAP queries tab in the action pane of Directory manager.

About the Advanced LDAP query dialog

From the Basic LDAP query dialog box, click Advanced to open the Advanced LDAP query dialog box. The Advanced LDAP query dialog box also opens when you edit a query that has already been created.

  • Name: The name of the LDAP query. Edit the name to create a copy of an existing query.
  • LDAP query root: Displays the root object in the directory for this query. The query that you're creating will return results from this point in the tree down.
  • LDAP query: Create an LDAP query in a freeform manner.
  • Test: Click to execute a test of the query you have created.

More about the Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) is an industry standard protocol for accessing and viewing information about users and devices. LDAP enables you to organize and store this information into a directory. An LDAP directory is dynamic in that it can be updated as necessary, and it is distributed, protecting it from a single point of failure.

The following examples show LDAP queries that can be used to search the directory:

  • Get all entries: (objectClass=*)
  • Get entries containing 'bob' somewhere in the common name: (cn=*bob*)
  • Get entries with a common name greater than or equal to 'bob': (cn>='bob')
  • Get all users with an e-mail attribute: (&(objectClass=user)(email=*))
  • Get all user entries with an e-mail attribute and a surname equal to 'smith': (&(sn=smith)(objectClass=user)(email=*))
  • Get all user entries with a common name that starts with 'andy', 'steve', or 'margaret': (&(objectClass=User)(|(cn=andy*)(cn=steve*)(cn=margaret*)))
  • Get all entries without an e-mail attribute: (!(email=*))

The formal definition of the search filter is as follows (from RFC 1960):

  • <filter> ::= '(' <filtercomp> ')'
  • <filtercomp> ::= <and> | <or> | <not> | <item>
  • <and> ::= '&' <filterlist>
  • <or> ::= '|' <filterlist>
  • <not> ::= '!' <filter>
  • <filterlist> ::= <filter> | <filter> <filterlist>
  • <item> ::= <simple> | <present> | <substring>
  • <simple> ::= <attr> <filtertype> <value>
  • <filtertype> ::= <equal> | <approx> | <ge> | <le>
  • <equal> ::= '='
  • <approx> ::= '~='
  • <ge> ::= '>='
  • <le> ::= '<='
  • <present> ::= <attr> '=*'
  • <substring> ::= <attr> '=' <initial> <any> <final>
  • <initial> ::= NULL | <value>
  • <any> ::= '*' <starval>
  • <starval> ::= NULL | <value> '*' <starval>
  • <final> ::= NULL | <value>

The token <attr> is a string representing an AttributeType. The token <value> is a string representing an AttributeValue whose format is defined by the underlying directory service.

If a <value> must contain one of the characters * or ( or ), precede the character with the backslash (\) escape character. This matters whenever a value comes from user input (an employee ID or department name typed into a form, for example): an unescaped * or ) in the value changes the structure of the filter rather than being matched literally.
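As an added example (not part of this help page or the Directory manager product), the following Python validates a filter string against the RFC 1960 grammar quoted above and escapes a value per the rule just stated. It is a stand-alone checker for the example filters listed earlier, not the product's own parser; the node shapes it returns ("present", "substring", "simple", "&", "|", "!") are this example's own convention.

```python
import re

_ESCAPES = {"*": r"\*", "(": r"\(", ")": r"\)", "\\": r"\\"}
_ITEM = re.compile(r"([A-Za-z0-9][A-Za-z0-9.;-]*)(~=|>=|<=|=)")  # <attr><filtertype>
_VALUE = re.compile(r"(?:[^()\\]|\\.)+")  # <value>: runs to an unescaped '(' or ')'

class FilterError(ValueError): pass

def escape_value(value: str) -> str:
    """Escape '*', '(', ')' and '\\' so an untrusted value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_filter(text: str) -> tuple:
    node, pos = _filter(text, 0)          # whole string must be exactly one <filter>
    if pos != len(text):
        raise FilterError(f"unexpected text after filter at offset {pos}")
    return node

def _filter(s: str, i: int) -> tuple:
    if not s.startswith("(", i):          # <filter> ::= '(' <filtercomp> ')'
        raise FilterError(f"expected '(' at offset {i}")
    op, i = s[i + 1:i + 2], i + 1
    if op in ("&", "|"):                  # <and>/<or> ::= '&'/'|' <filterlist>
        items, i = [], i + 1
        while s.startswith("(", i):
            child, i = _filter(s, i)
            items.append(child)
        if not items:                     # <filterlist> needs at least one <filter>
            raise FilterError(f"'{op}' has no operand at offset {i}")
        node = (op, items)
    elif op == "!":                       # <not> ::= '!' <filter>
        child, i = _filter(s, i + 1)
        node = ("!", child)
    else:                                 # <item> ::= <simple>|<present>|<substring>
        node, i = _item(s, i)
    if not s.startswith(")", i):
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1

def _item(s: str, i: int) -> tuple:
    m = _ITEM.match(s, i)
    v = m and _VALUE.match(s, m.end())
    if not v:
        raise FilterError(f"expected <attr> <filtertype> <value> at offset {i}")
    attr, ft, value = m.group(1), m.group(2), v.group(0)
    if ft == "=" and value == "*":
        return ("present", attr), v.end()
    if ft == "=" and "*" in re.findall(r"\\.|.", value):  # unescaped '*' only
        return ("substring", attr, value), v.end()
    return ("simple", attr, ft, value), v.end()
```

Running parse_filter over a filter before it is sent to the directory catches unbalanced parentheses and values that were not escaped, which is exactly what the Test button cannot tell you about a freeform query that happens to be well-formed by accident.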