We would like to use AND logic in the LDAP filter in the sso/ldap.cf file.
e.g.
(&(objectclass=user)(samaccountname=*))
However if we do this then ReportServer cannot parse the file and we have no ldap configuration at all.
Is ReportServer able to use AND filters?
Perhaps there is a way to escape the ampersand?
thank you in advance
Hi ReportEnabler,
you can escape the & character with &amp;, so you can enter:
(&amp;(objectclass=user)(samaccountname=*))
can you pls confirm? we will update our documentation to make this clear.
Regards,
Eduardo
This post is intended to be a record in case it helps anyone else:
We had to overcome several challenges when querying our AD.
1. We have lots of objects in AD and were getting an error:
javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'DC=xxx,DC=xxx'
Note: We couldn't reduce the tree using a tighter base because of our structure in AD.
Solution 1: trim down the retrieved objects using filter (see problem #2)
Solution 2: we considered, but in the end didn't need, expanding the maxsize returned by our AD DC
2. Due to our AD object hierarchy we wanted to use the ldap AND filter,
Normally the ldap AND filter would be (& (clause-1)(clause-2)...(clause-n))
However when we tried this it caused the sso/ldap.cf file to fail to be parsed (silently)
which we proved using Terminal command: config echo sso/ldap.cf provider.host
and getting an error (null) result.
Solution (Thanks Eduardo): escape the ampersand
i.e. (&amp; (clause-1)(clause-2)...(clause-n))
3. We were getting com.sun.jndi.ldap.LdapReferralException: Continuation Reference
Solution: change from port 389 to port 3268
4. Despite a long filter clause, we were still getting non-user objects, and got this error (and other similar errors):
net.datenwerke.rs.ldap.service.ldap.exceptions.LdapException: Failed to retrieve attribute 'sn' from 'redacted dn'
Solution: Add into the filter (sn=*)
5. ldap users still couldn't login
Solution (Thanks Eduardo): search the server for a second reportserver.properties file that was taking precedence over the normal one,
and rename it.
AND ensure we use only
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM
Now the ReportServer seems to be humming along nicely ;-)
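
A pre-flight check for the silent parse failure described in problem #2, added here as an example and not part of the original posts or of ReportServer itself. It assumes sso/ldap.cf is an XML file; the `<filter>` element name and the host value are hypothetical, constructed for the sample.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample config. Only provider.host, port 3268 and the (sn=*)
# clause come from the thread; <filter> is a hypothetical element name.
BROKEN_CF = """<configuration>
  <provider>
    <host>dc.example.invalid</host>
    <port>3268</port>
    <filter>(&(objectclass=user)(sn=*))</filter>
  </provider>
</configuration>
"""


def check_config(text):
    """Return (True, None) if text is well-formed XML, else (False, (line, col))."""
    try:
        ET.fromstring(text)
        return True, None
    except ET.ParseError as err:
        # err.position points at the offending token, e.g. the bare ampersand
        return False, err.position


def embed_filter(raw_filter):
    """XML-escape a raw LDAP filter so it can be placed in element text."""
    return escape(raw_filter)


def read_filter(text):
    """Parse the config and return the filter exactly as the LDAP server receives it."""
    return ET.fromstring(text).findtext("provider/filter")


if __name__ == "__main__":
    raw = "(&(objectclass=user)(sn=*))"
    print("broken:", check_config(BROKEN_CF))
    fixed = BROKEN_CF.replace(raw, embed_filter(raw))
    print("fixed: ", check_config(fixed), read_filter(fixed))
```

Running a check like this before deploying the file surfaces the bare ampersand with a line number, instead of the whole LDAP configuration silently coming back as null.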
Hi ReportEnabler,
thanks for this detailed information, I am glad it is working now!
Regards,
Eduardo