LDAP Filter for auxiliary class

  • LDAP Filter for auxiliary class

    Good monday everyone (how ironic),

    I have an issue with an LDAP query being sent by a device to a domain controller.

    It filters results by using a specific class. Let's call that "nonstandardclass"

    The filter looks like this:
    filter="(&(SomeField=value)(objectClass=nonstandardclass))" attrs=ALL
    However, I need to return users to the device querying. And users are not, by definition, of an objectclass of "nonstandardclass".

    Is there a way I can create a structural or auxiliary class "nonstandardclass", and link it to the user class so that this filter will still return users?

    I know you can query users by filtering for class "person", and I *THINK* this comes from the fact that the constructed attribute "structuralObjectClass" contains top, user, organizationalPerson and person.

    If that is indeed really the case, I guess my question is: is there any way of creating a class and adding it to the constructed attribute "structuralObjectClass"?

    Thank you
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

  • #2
    Re: LDAP Filter for auxiliary class

    Well... Looks like you should be asking the device manufacturer to fix the hard coded filter. It's a very bad practice to hard code LDAP filter into the app and require customers to adhere to what the manufacturer thinks is right.

    If changing the device behavior is not an option, I still do not see a justification for touching AD schema just for this single misbehaving device. I would consider syncing the data from AD to AD/AM (AD LDS) and doing the schema modification in AD/AM.

    You can create your own aux class. Even better - you can dynamically link aux class to a specific object if you are at W2K3 FFL ( for details), but I'd still try to avoid touching AD just to get some misbehaving device to work. If all it requires is LDAP store, set up an AD/AM instance, configure it to sync from AD, extend the schema in AD/AM and you are done.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
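    The dynamically linked auxiliary class that #2 mentions, as an added example (not code from the thread or from either poster). The device's filter tests the multi-valued objectClass attribute (on a user that normally holds top, person, organizationalPerson, user), so the only way a user matches is to get the class name into that attribute on that object. The script assumes the RSAT ActiveDirectory module, Schema Admins rights, a forest at Windows Server 2003 functional level or higher, and placeholder values for the class name, the OID and the test user that you must replace; the OID in particular must come from your own arc, not the one shown. The thread's advice still stands: prefer an AD LDS instance synced from AD over touching the production schema, because a schema class can be made defunct but never deleted.

```powershell
# Added example, not from the original thread. Assumptions: RSAT ActiveDirectory module,
# Schema Admins membership, forest functional level >= Windows Server 2003, and the
# placeholder class name / OID / user below replaced with your own values.
Import-Module ActiveDirectory

$className = 'nonstandardclass'                     # placeholder, as in the thread
$classOid  = '1.2.840.113556.1.8000.2554.99999.1'   # PLACEHOLDER: use an OID from your own arc
$testUser  = 'jdoe'                                 # placeholder sAMAccountName of a lab user

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

# 1. Create the auxiliary class on the schema master. This is permanent: a class can
#    later be made defunct but never removed, so do this in a lab forest first.
New-ADObject -Name $className -Type 'classSchema' -Path $schemaNC -Server $schemaMaster -OtherAttributes @{
    lDAPDisplayName     = $className
    governsID           = $classOid
    objectClassCategory = 3          # 3 = auxiliary (1 = structural, 2 = abstract)
    subClassOf          = 'top'
    schemaIDGUID        = [guid]::NewGuid().ToByteArray()
    adminDescription    = 'Aux class so a hard-coded vendor filter can match user objects'
}

# 2. Reload the schema cache so the new class is usable without waiting.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 3. Dynamically link the aux class to ONE user by adding its name to that object's
#    objectClass attribute. This is per object and does not alter the user class itself.
$userDn = (Get-ADUser -Identity $testUser).DistinguishedName
Set-ADObject -Identity $userDn -Add @{ objectClass = $className }

# 4. Verify with the same shape of filter the device sends.
$filter = "(&(sAMAccountName=$testUser)(objectClass=$className))"
$hit = Get-ADObject -LDAPFilter $filter -Properties objectClass
if ($hit) {
    "Matched: $($hit.DistinguishedName); objectClass = $($hit.objectClass -join ',')"
} else {
    "No match: check forest functional level, schema replication and the class name"
}

# 5. To undo the per-object link (the schema class itself stays behind):
# Set-ADObject -Identity $userDn -Remove @{ objectClass = $className }
```

    Run it against a lab forest first and against the schema master only; the verification in step 4 is worth repeating from the domain controller the device actually talks to, since the link is not visible there until schema and object changes have replicated.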


    • #3
      Re: LDAP Filter for auxiliary class

      I tried asking Cisco to send me a new firmware but they refused.

      It is indeed a piece of crap query! I'm trying to authorize users through LDAP with a VPN concentrator, and the hardcoded query looks for objects of type "cVPN3000-blabla" (YES, it has the MODEL NUMBER in the name of the freaking class).

      Most people use Radius for that stuff so finding answers is pretty hard...

      I've seen it work with LDAP authorization with objects of that class being created in a separate directory, which would be similar to setting up AD LDS and syncing users there (I could then create them as objectclass=ciscocrap or try something with dynamic classes).

      The reason I'm asking is because I need to know every possible solution, good or bad, before I can justify the choice !

      Thanks for your answer, I wasn't sure about dynamic classes in AD, I'll investigate.
      VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah