Setting up Active Directory user filters
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It can be synchronized with bpm’online to automate user and user group management. Synchronization is recommended if all or most bpm’online users are also members of a Windows domain.
Active Directory filters
An AD filter consists of an attribute, an operator and a value:
(<attribute><operator><value>)
Note
Attributes represent properties or characteristics of AD objects (objectClass, cn, streetAddress, etc.).
The filter comparison operators are as follows:
= Equal to.
~= Approximately equal to.
<= Less than or equal to.
>= Greater than or equal to.
& All conditions must be met (AND).
| Any of the conditions must be met (OR).
! The clause must evaluate to False (NOT).
Values represent the actual values of AD attributes. Values are not case sensitive and must not be enclosed in quotes. The wildcard character "*" is supported unless the <attribute> is a DN attribute (distinguishedName, manager, memberOf, etc.). For example, the following filter selects all objects whose objectClass attribute is set:
(objectClass=*)
Standard user filter
The standard filter for obtaining all active users is as follows:
(&(objectClass=user)(objectClass=person)(!objectClass=computer)(!(isDeleted=TRUE)))
In this filter:
& – the “AND” operator, indicating that all filter conditions must be met.
objectClass=user – the clause to select all objects of the “user” objectClass.
objectClass=person – the clause to select all objects of the “person” objectClass.
!objectClass=computer – the clause to exclude all objects of the “computer” objectClass.
!(isDeleted=TRUE) – the clause to exclude all deleted objects.
Standard user group filter
To synchronize Active Directory users with bpm’online organizational structure, set up a filter to obtain user groups. The standard user group filter for all active users is as follows:
(&(objectClass=group)(!userAccountControl:1.2.840.113556.1.4.803:=2))
In this filter:
& – the “AND” operator, indicating that all filter conditions must be met.
objectClass=group – the clause to select all objects of the “group” objectClass.
userAccountControl – the user account control flags attribute, used here in a bitwise comparison clause.
:1.2.840.113556.1.4.803: – the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if every bit set in the value is also set in the attribute. This rule acts like the bitwise AND operator.
2 – the decimal value of the ACCOUNTDISABLE flag.
The (!userAccountControl:1.2.840.113556.1.4.803:=2) bitwise comparison clause therefore excludes disabled (inactive) accounts. For more information, see the corresponding support.microsoft.com article.
Standard filter for Active Directory group users
In addition to user and user group filters, LDAP synchronization requires a filter to select all users that belong to each of the synchronized LDAP groups. The standard filter for getting a list of users in an LDAP group is as follows:
(memberOf=[#LDAPGroupDN#])
In this filter:
memberOf – the standard attribute that lists the groups an AD object belongs to.
[#LDAPGroupDN#] – a bpm’online macro that is replaced with the unique DN (Distinguished Name) attribute value of the group whose users are being obtained.
The macro above can be used to set up LDAP synchronization only in bpm’online, as it is not a standard LDAP attribute. The following additional macros can be used in the filter for AD group users:
[#LDAPGroupName#] – the name of the group specified in the [LDAP group name] field on the LDAP synchronization setup page in the bpm’online System Designer.
[#LDAPGroupIdentity#] – the unique group Id specified in the [Group Id] field on the LDAP synchronization setup page in the bpm’online System Designer.
Filter setup
When setting up LDAP synchronization, you can use standard filters or create your own filters for users and groups.
Example
Set up a filter that differentiates employees with identical first and last names during synchronization with Active Directory.
You will need to change the user synchronization filter. By default, the CN (Common Name) attribute is used for selecting objects. This attribute is required because it is specified in the [User name] field of the [User attributes] group on the LDAP integration setup page. For this case, the “displayName” attribute (which will be unique for each user) can be used instead. To differentiate users with identical first and last names, synchronize only users whose “displayName” attribute is filled in. To do this:
1. Open the System Designer and click [LDAP integration setup].
2. Add the “(displayName=*)” condition, which requires the “displayName” attribute to be filled in, to the default filter in the [List of users] field. The filter will look like this:
(displayName=*)(&(objectClass=user)(objectClass=person)(!objectClass=computer)(!(isDeleted=TRUE)))
3. Add the logical AND operator so that both filter conditions are required:
(&(displayName=*)(&(objectClass=user)(objectClass=person)(!objectClass=computer)(!(isDeleted=TRUE))))
4. Replace the standard filter in the [List of users] field with the new filter.
5. Save the LDAP synchronization settings and run the synchronization.
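As an added illustration (not bpm’online code), the following Python script evaluates the filters discussed above, the standard user, group and group-member filters and the “displayName” filter from the example, against a constructed set of directory entries. It normalizes the page's (!attribute=value) shorthand to the RFC 4515 form (!(attribute=value)), implements the bitwise AND matching rule and the [#LDAPGroupDN#] macro, and shows why the step 2 string is rejected until the enclosing AND from step 3 is added. All entry data is constructed; only the operators listed on this page are supported, and “~=”, “<=” and “>=” are treated like “=” as a simplifying assumption.

```python
import re
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as described on the page
CMP = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+):)?(~=|<=|>=|=)(.*)$")  # attribute[:rule:]operator value

def entry(dn, **attrs):  # constructed sample entry: lowercase attribute names, every value a list
    return {"dn": [dn], **{k: v if isinstance(v, list) else [v] for k, v in attrs.items()}}

SAMPLE = [  # constructed directory, not real data; userAccountControl 512 = normal account, 2 = ACCOUNTDISABLE
    entry("CN=Alice Smith,OU=Staff,DC=example,DC=com", objectclass=["person", "user"], cn="Alice Smith",
          displayname="Alice Smith (Sales)", useraccountcontrol="512", memberof="CN=Sales,OU=Groups,DC=example,DC=com"),
    entry("CN=Alice Smith,OU=Temp,DC=example,DC=com", objectclass=["person", "user"], cn="Alice Smith"),
    entry("CN=WS01,OU=PCs,DC=example,DC=com", objectclass=["person", "user", "computer"], cn="WS01"),
    entry("CN=Dave,OU=Staff,DC=example,DC=com", objectclass=["person", "user"], cn="Dave", isdeleted="TRUE"),
    entry("CN=Sales,OU=Groups,DC=example,DC=com", objectclass="group", cn="Sales", useraccountcontrol="0"),
    entry("CN=Old,OU=Groups,DC=example,DC=com", objectclass="group", cn="Old", useraccountcontrol="2"),
]

def parse(s, i=0):  # parse one RFC 4515 "(...)" starting at s[i]; returns (node, offset just past its ')')
    i += 1                                     # skip '('
    if s[i] in "&|!":                          # &, | and ! take parenthesised operands
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    m = CMP.match(s[i:j])
    if not m:
        raise ValueError("bad comparison: " + s[i:j])
    return ("cmp", m[1].lower(), m[2], m[3], m[4]), j + 1

def matches(node, e):
    if node[0] in ("&", "|", "!"):
        sub = [matches(k, e) for k in node[1]]
        return all(sub) if node[0] == "&" else any(sub) if node[0] == "|" else not sub[0]
    _, attr, rule, op, val = node
    vals = e.get(attr, [])
    if rule == BIT_AND_RULE:                   # true only when every bit of val is set in the stored value
        return any(int(v) & int(val) == int(val) for v in vals)
    pat = re.compile(".*".join(map(re.escape, val.split("*"))) + "$", re.I)  # '*' wildcard, case-insensitive
    return any(pat.match(v) for v in vals)     # '~=', '<=' and '>=' are treated like '=' here (assumption)

def search(filter_str, entries=SAMPLE, group_dn=None):
    if group_dn is not None:                   # expand the page's [#LDAPGroupDN#] macro
        filter_str = filter_str.replace("[#LDAPGroupDN#]", group_dn)
    filter_str = re.sub(r"\(!([^()]+)\)", r"(!(\1))", filter_str)  # page's (!a=b) shorthand -> RFC form (!(a=b))
    node, end = parse(filter_str)
    if end != len(filter_str):                 # step 2's "(displayName=*)(&...)": two filters with nothing joining them
        raise ValueError("trailing text after filter: " + filter_str[end:])
    return [e["dn"][0] for e in entries if matches(node, e)]
```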