
I have two kinds of user in our Active Directory: technical user and user user.

With LDAP filter (&(objectclass=person)(uid=%v)) I get for both some results.

But for my application I need a more detailed filter or else there will be no results (checkPassword method of com.ibm.websphere.security.UserRegistry). So I thought of this filter:

(&(|(objectcategory=person)(objectclass=person))(uid=%v))

This works fine for technical users, but for the other I get EntryNotFoundException: CWIML4001E:

Why is that? Shouldn't it at least give me the result of the simple filter? Is it not processing the filter combinations because of the OR?

    1. uid=%v AND objectclass=person
    2. uid=%v AND objectcategory=person

I also tried the following filter to be on the safe side:

(|(&(objectclass=person)(uid=%v))(&(objectcategory=person)(uid=%v)))

But the result is the same.

Some background:

I use Liberty and run the following simple servlet on it for testing:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.wsspi.security.registry.RegistryHelper;

// Class name is arbitrary; only doGet was posted in the question.
public class RegistryTestServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            if (WSSecurityHelper.isServerSecurityEnabled()) {
                String testuser = "myuser";
                String password = "mypassword"; // not used by the calls below

                // Registry of the realm named "LdapRegistry" in server.xml
                UserRegistry registry = RegistryHelper.getUserRegistry("LdapRegistry");

                // Full DN of the user; this is the call that throws for non-technical users
                response.getWriter().append("<p>Output: " + registry.getUserSecurityName(testuser) + "</p>");
                // Validity check by uid, then by the DN returned above
                response.getWriter().append("<p>Output: " + registry.isValidUser(testuser) + "</p>");
                response.getWriter().append("<p>Output: " + registry.isValidUser(registry.getUserSecurityName(testuser)) + "</p>");
            } else {
                response.getWriter().append("<p>Output: No Sec Enabled</p>");
            }
        } catch (Exception e) {
            response.getWriter().print("<p>Exception caught: " + e + " </p>");
        }
    }
}

The application fails at getUserSecurityName(testuser) when testuser is not a technical user.

EDIT:

LDIF techuser:

>> Dn: uid=techuser,ou=technical,ou=people,o=appsdir
1> someWorkingOrgAlias:  
1> someHomeOrgAlias:  
1> someWorkingOrg:  
1> someUserSuspended:  
1> mail:  
1> givenName:  
1> cn:  
1> c:  
1> someIsUserEnabledIntra:  
1> someSupervisor:  
1> someSourceProcess:  
1> someAppResp:  
2> someAncestors:  
1> someHomeOrg:  
1> someOrgs: 
1> someAuthMode:  
1> uid: techuser; 
7> objectClass: someTechPerson; somePerson; sPerson; inetOrgPerson; organizationalPerson; person; top; 
1> someUserEnabled:  
1> sn: 

LDIF user user:

>> Dn: uid=useruser,ou=employees,ou=people,o=appsdir
2> appsOrgs:  
1> departmentNumber:  
1> someLocationCode:  
1> somePlant2:  
1> ou:  
1> someCompanyID:  
1> somePlant1:  
1> someHomeOrg:  
6> someEntGrps:  
4> someAuthGrps:  
3> someScopedEntitlements:  
1> telephoneNumber:  
1> mail:  
2> someAncestors:  
1> c:  
1> sn:  
1> someCostCenter:  
1> uid: useruser; 
1> givenName:  
1> cn: 
8> objectClass: organizationalPerson; person; sEmployeePerson; sInternalEmployee; sPerson; inetOrgPerson; somePerson; top; 

That's all I can see with LDP.exe. My search base is o=appsdir. I try to describe my problem further:

Currently using filter:

(|(&(objectclass=person)(uid=%v))(&(objectcategory=person)(uid=%v)))

Works fine with my code and techusers.

When using user users I get "The useruser entity was not found. Specify the correct entity or create the missing entity." from the method registry.getUserSecurityName("useruser").

Removing the objectcategory part from my filter: (|(&(objectclass=person)(uid=%v))(&(uid=%v))) or just using (uid=%v) gives me results, but then it fails at the method registry.isValidUser(registry.getUserSecurityName("useruser")) (returns false although it's a valid user). And this also fails for techusers, although with the objectcategory part in the filter it returned true. I also tried the following filter:

(|(uid=%v)(&(objectclass=person)(uid=%v))(&(objectcategory=person)(uid=%v))) with the same result as without the added (uid=%v) part.

  • Not very clear. Can you provide the LDIF for both users in your question? And, UIDs being presumably unique, why do you need the first part of the filter at all? – user207421 Aug 14 '17 at 14:04
  • I don't know the security impact on giving out the LDIF information, so I first have to check with my colleagues on that. The first part of the filter is needed, so that the methods I'm using get the correct result. If the objectcategory for instance is missing, the isValid method with the UserSecurityName (full DN, not only the UID) fails. It then says "The entity was not found." – kinglite Aug 15 '17 at 09:05
  • You don't have to post the values, as long as the DN still makes sense. I just want to see the structure. Removing the object class filter should produce more results if anything, certainly not less. Are you sure the UID you're searching on really exists? – user207421 Aug 15 '17 at 14:32
  • Ok, I edited my question and tried to clarify my problem. The search gives me results with the simple filter (uid="useruser"), so I guess it does exist. – kinglite Aug 16 '17 at 07:04
  • So that's the answer, isn't it? Why do you think you need to specify the object class? NB Your LDIF isn't much use without the `objectClass` and `objectCategory` values. – user207421 Aug 16 '17 at 08:51
  • That's sadly not the answer, at least not the whole. Something is still missing so that the code works. Please read my further edits for clarification. I also added the values of objectClass, but I don't see any objectCategory. – kinglite Aug 16 '17 at 11:47
  • I don't think I can help you with this. I have no idea how `objectCategory` works in AD. But the answer to your original question is that `(&(|(objectcategory=person)(objectclass=person))(uid=%v))` should certainly work, although the order of execution is indeterminate, like an SQL WHERE clause: it depends on the indexing, index sizes, etc. All the various forms you've given of that filter are equivalent. I'm wondering whether there is something about the API you're using that isn't right, although I know nothing about `UserRegistry` either. My LDAP experience comes from OpenLDAP+JNDI. – user207421 Aug 16 '17 at 12:05
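Both the question (does the OR stop the server from trying each combination?) and the last comment (all the filter forms are equivalent) can be checked by evaluating the filters locally against the two LDIF entries above. The following Python is an added example and is not part of the question or of the WebSphere/Liberty code: it implements a small RFC 4515 filter evaluator (AND, OR, NOT and equality items only), loads the two entries with the uid and objectClass values shown in the question (objectCategory absent, as the asker observed; the other attribute values were blanked on the page and are left out), and substitutes the uid for %v the way the registry does. The RFC 4515 escaping helper is an assumption for hand-built filters; the page does not say how Liberty escapes the %v value.

```python
"""Evaluate LDAP search filters (an RFC 4515 subset) against in-memory entries."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Entries reconstructed from the question's LDIF (constructed sample data;
# only dn, uid and objectClass are filled in, objectCategory is absent).
TECHUSER: Entry = {
    "dn": ["uid=techuser,ou=technical,ou=people,o=appsdir"],
    "uid": ["techuser"],
    "objectClass": ["someTechPerson", "somePerson", "sPerson", "inetOrgPerson",
                    "organizationalPerson", "person", "top"],
}
USERUSER: Entry = {
    "dn": ["uid=useruser,ou=employees,ou=people,o=appsdir"],
    "uid": ["useruser"],
    "objectClass": ["organizationalPerson", "person", "sEmployeePerson", "sInternalEmployee",
                    "sPerson", "inetOrgPerson", "somePerson", "top"],
}
DIRECTORY: List[Entry] = [TECHUSER, USERUSER]

# The filters tried in the question; %v is the uid placeholder.
FILTERS = [
    "(&(objectclass=person)(uid=%v))",
    "(&(|(objectcategory=person)(objectclass=person))(uid=%v))",
    "(|(&(objectclass=person)(uid=%v))(&(objectcategory=person)(uid=%v)))",
    "(|(uid=%v)(&(objectclass=person)(uid=%v))(&(objectcategory=person)(uid=%v)))",
]

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (assumed; not from the page)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse(text: str):
    """Parse a filter into tuples: ('&'|'|', [children]), ('!', [child]) or ('=', attr, value)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter at offset %d" % pos)
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return i + 1, (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attr=value items are supported: %r" % s[i:end])
    return end + 1, ("=", attr, _unescape(value))


def matches(node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Attribute names (and, for these attributes, values) compare case-insensitively.
    # An attribute the entry does not carry (objectCategory here) simply does not match.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(directory: List[Entry], filter_text: str, uid: str) -> List[str]:
    """Substitute the escaped uid for %v and return the DNs of matching entries."""
    node = parse(filter_text.replace("%v", escape_filter_value(uid)))
    return [e["dn"][0] for e in directory if matches(node, e)]


def results_for(uid: str) -> Dict[str, List[str]]:
    return {f: search(DIRECTORY, f, uid) for f in FILTERS}


def all_equivalent(uid: str) -> bool:
    """True when every filter from the question yields the same result set for this uid."""
    outcomes = list(results_for(uid).values())
    return all(o == outcomes[0] for o in outcomes)


if __name__ == "__main__":
    for uid in ("techuser", "useruser", "nobody"):
        for f, dns in results_for(uid).items():
            print("%-80s %-9s -> %s" % (f, uid, dns))
```

Run as a script it prints the result of every filter for each uid: each one returns exactly the one DN for techuser and for useruser, and nothing for an unknown uid. An absent objectCategory only makes that branch false, and the objectClass branch still matches, so the boolean structure of the filter, and the order in which the server evaluates the branches, cannot explain why useruser is lost; the EntryNotFoundException has to come from something other than filter semantics, which is where the comments end up.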

0 Answers