Discussion:
LDAP query result sorting -> Change the order of AD DCs found in the list
Nick Dakoronias
2007-07-12 13:48:06 UTC
Hello LDAP forum users,

We have a bank customer using an OEM Filenet (Workflow) application
performing LDAP queries in Win2k AD schema to retrieve the list of Domain
Controllers.

The user authentication for the OEM application (FileNet) is actually carried
out via "Process Engine" and an LDAP query similar to:

ldapsearch -h 172.25.50.165 -d1 -b "cn=System,dc=s1p8,dc=bpm" -D "cn=PEAdmin,cn=Users,dc=s1p8,dc=bpm" -w filenet -s sub "objectClass=trustedDomain" > ldapsearchClass.txt

My question actually refers to the sorting/indexing/filtering capabilities of
LDAP query results. The target is to find a way to filter/index/sort these
results, in terms of changing the order of found items (DCs) in the list.
For instance, it would be preferable for the query to give as a result only
domain controllers from the root domain and afterwards from the child. Such
manipulation could prevent failed authentications for registered users due
to -planned or accidental- changes in DC within the AD schema.

According to the MSDN technical article at URL >
http://msdn2.microsoft.com/en-us/library/aa366990.aspx , the usage of the
LDAP_SERVER_SORT_OID control within an extended LDAP search function could
assist in terms of instructing the server to sort the search results (i.e.
the list of Domain Controllers) before returning it to the client application.

I assume this control flag should be integrated within OEM application code
by the application vendor, but there is not much information &
documentation about how to do that.

Is there another way to change the order of DCs (Domain Controllers) in the
LDAP query results list? How could this be integrated into the application
(FileNet) code?

-----------------------------------------------------------------------------------

P.S:

At this point, I can recall some basic index filters in the LDAP server, as
listed in RFC 2254 at URL> http://www.rfc-editor.org/rfc/rfc2254.txt such
as:

index default eq
index cn eq,sub
index sn eq,sub,approx
index uidNumber

but I am wondering if they could be used...

Any advice will be much appreciated.

Regards, Nick.
Christian Chateauvieux
2007-07-12 14:00:02 UTC
Nick,

If you can modify the command FileNet uses, it should be as easy as
specifying a -o parameter to indicate the attributes to sort on.

(The -o parameter applies to the ldapsearch command provided in IBM
Tivoli Directory Server. This option may vary depending on the vendor of
the LDAP client utilities you use.)

The TDI admin guide details:

-o attr_type
To specify an attribute to use for sort criteria of search results, you
can use the -o (order) parameter. You can use multiple -o parameters to
further define the sort order.

In the following example, the search results are sorted first by surname
(sn), then by given name, with the given name (givenname) being sorted
in reverse (descending) order as specified by the prefixed minus sign ( - ):

-o sn -o -givenname

Thus, the syntax of the sort parameter is as follows:

[-]<attribute name>[:<matching rule OID>]

where:
- attribute name is the name of the attribute you want to sort by.
- matching rule OID is the optional OID of a matching rule that you want
to use for sorting.
- The minus sign ( - ) indicates that the results must be sorted in
reverse order.
- The criticality is always critical.

The default idsldapsearch operation is not to sort the returned results.
This option sends the Sorted search results control. See "Sorted search
results control" in the IBM Tivoli Directory Server C-Client SDK
Programming Reference.

Hope this helps,

Christian
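What the -o parameter actually puts on the wire is the Server-Side Sort request control (the LDAP_SERVER_SORT_OID from Nick's MSDN link, 1.2.840.113556.1.4.473, defined in RFC 2891). The encoder below is an added example, not FileNet or IBM code: it turns TDS-style sort specs such as "sn" and "-givenname" into the DER-encoded SortKeyList and the full critical Control, which is what a vendor would have to attach to the search request if the application code, rather than a command-line tool, issues the query.

```python
"""Build the RFC 2891 Server-Side Sort request control from TDS-style
"-o" sort specs ("[-]<attribute>[:<matching rule OID>]").
Added example, not FileNet or IBM code; encoding follows RFC 2891 / DER."""
from typing import List, Optional, Tuple

SERVER_SORT_OID = "1.2.840.113556.1.4.473"  # LDAP_SERVER_SORT_OID (request control)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(value)) + value


def parse_sort_spec(spec: str) -> Tuple[str, Optional[str], bool]:
    """Parse "[-]<attribute>[:<rule OID>]" into (attribute, rule, reverse)."""
    reverse = spec.startswith("-")
    if reverse:
        spec = spec[1:]
    attr, _, rule = spec.partition(":")
    if not attr:
        raise ValueError("sort spec needs an attribute name")
    return attr, (rule or None), reverse


def sort_key_list(specs: List[str]) -> bytes:
    """DER-encode SortKeyList ::= SEQUENCE OF SEQUENCE {
         attributeType OCTET STRING, orderingRule [0] OPTIONAL,
         reverseOrder [1] BOOLEAN DEFAULT FALSE }  (context tags are IMPLICIT)."""
    keys = b""
    for spec in specs:
        attr, rule, reverse = parse_sort_spec(spec)
        key = _tlv(0x04, attr.encode("ascii"))        # attributeType
        if rule:
            key += _tlv(0x80, rule.encode("ascii"))   # [0] orderingRule
        if reverse:
            key += _tlv(0x81, b"\xff")                # [1] reverseOrder TRUE
        keys += _tlv(0x30, key)
    return _tlv(0x30, keys)


def sort_control(specs: List[str], critical: bool = True) -> bytes:
    """DER-encode Control { controlType, criticality, controlValue }.
    TDS always sends it critical: the server must sort or refuse the search."""
    ctl = _tlv(0x04, SERVER_SORT_OID.encode("ascii"))
    if critical:                                      # DEFAULT FALSE: omit when false
        ctl += _tlv(0x01, b"\xff")
    ctl += _tlv(0x04, sort_key_list(specs))
    return _tlv(0x30, ctl)
```

The server answers with the sort response control (1.2.840.113556.1.4.474) carrying a result code; a critical request against a server that does not support the control fails the whole search rather than silently returning unsorted entries.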
Nick Dakoronias
2007-07-18 13:44:08 UTC
Dear Christian,

At first many thanks for your response.

FYI, the root of the problem has been identified as a software defect in the
authentication mechanism of the Process Engine component of the FileNet OEM
application.

As you may realize, your advice will assist us to overcome the Process
Engine problem with user authentication failure if the first DC in the list
is unavailable (down).

The outcome of our discussions with FileNet & application developers is to
find a way to "integrate" a command or script into the codestream that will
edit/change the order of Domain Controllers (DCs) in the LDAP query result
list.

So, as per your advice, it is just required to install the LDAP client of
the TDS server and try the ldapsearch command you mentioned?

Could you please also advise about the proper LDAP search command/filter for
DC sorting, since my knowledge about TDS is more theoretical rather than
practical?

My appreciation in advance for your effort & support.

Regards, Nick.
Christian Chateauvieux
2007-07-19 17:50:16 UTC
Nick,

You probably don't have to install the TDS client utilities - the
ldapsearch command you have may already support a sorting option. Check
the documentation of the ldapsearch utility you are using.
If this fails, then yes, you could install the TDS client utilities.

When it comes to finding the DCs... I don't know. This question is to be
asked to Active Directory specialists. I would think that you need to
perform a search on the rootDSE of your AD LDAP server. The rootDSE is
retrieved when searching the 'null' base:

ldapsearch -h <IP_ADRESS_OR_DNS_NAME> -b '' -s base '(objectclass=*)'

Out of this, there might be an attribute that contains the list of
running DCs, which you could use?

Normally, in a sane directory infrastructure, you should have LDAP
proxies to perform failover to running LDAP servers. Is your customer's
directory environment highly available?

Best regards,

Christian