Apply a dynamic filter in LDAP Filter

Johnny D_
Tera Contributor

Hi everybody.

This is my very first topic on the community.

My question is about the "LDAP OU Definition".

What we want is to identify the newly created accounts in LDAP, list them in a table, then push the mail address into Workday.

The sequence is : Scheduled Data Import --> use a data source LDAP --> Supported by a LDAP Target.

In the LDAP Target you define the LDAP Filter for requesting AD.

Everything works fine, but my target is to produce a dynamic LDAP Filter, based on the "WhenCreated" LDAP Parameter.

For example, if I define this kind of filter: (&(objectClass=person)(sn=*)(!(objectClass=computer))(whenCreated>=20061001000000.0Z))

--> It's OK, I find 10 accounts.

But I would like the value of the whenCreated parameter, "20061001000000.0Z", to be dynamic.

This way I would be able to ask LDAP "Give me the user accounts that have been created since my last execution".

To do this, I have created a "script include" (ADCaller_script_getDateCreated), including an ADCaller_script_getDateCreated function which only does return "20061001000000.0Z"; (first step for proof of concept)

And I adjust the LDAP Filter:

(&(objectClass=person)(sn=*)(!(objectClass=computer))(whenCreate>=javascript:ADCaller_script_getDateCreated()))

--> It's KO, I always find 0 accounts.

--> It looks like the "javascript:ADCaller_script_getDateCreated()" is not translated

--> I've tried: javascript:global.javascript:ADCaller_script_getDateCreated() : KO

--> I've tried to create a DynamicFilter Option referencing the script include: KO

--> I haven't tried to do a Class script include, with a method "getDateCreated", and call it with javascript:new MyScript().myMethod() because I think the result will be identical.

Therefore, I'm asking the community: Is it possible to implement something like a dynamic value inside an LDAP Filter? If yes, what is wrong in my code and do you have a functional example?

Thanks in advance,

Cordially

 

 

12 REPLIES

Johnny D_
Tera Contributor

Hi everybody.

I had no answer on my post.

But I found a solution in my case.

Because of the sequence defined:

Scheduled Data Import --> use a data source LDAP --> Supported by a LDAP Target.

I use the post-script of my scheduled import to update the LDAP Filter.

You can access the filter this way from the post-script:

data_source.ldap_target.filter

I put a generic LDAP filter in a property like this :

(&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=#DATE#)(extensionAttribute4=*))

And in the post-script I replace the #DATE# by the value I want.

To update my LDAP filter I do this:

var ldapDbObj = new GlideRecord('ldap_ou_config');
ldapDbObj.get(data_source.ldap_target.sys_id);

ldapDbObj.filter = ldapFilter.replaceAll("#DATE#",dateDyn) ;
ldapDbObj.update();

Info: dateDyn = the date I define dynamically.

Like this, after every execution, my filter is correct for the next execution.

But for the first execution, I need to define the value of the filter manually.

I hope this topic may help someone.

Best regards.

 

Hi. Thanks for the post. My question is about this: "But for the first execution, i need to define manually the value of the filter." Do you mean that, instead of whencreated >= #Date#, you put whenCreated>=20061001000000.0Z in the LDAP filter? Please advise.

Hi.

I used a Template LDAP filter stored in a property (sys_properties)

(&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=#DATE#)(extensionAttribute4=*))

to dynamically update the ldap filter for the next execution.

--> The property is never modified; it's just read by the post script of the scheduled data import, as a template to produce the right LDAP filter, OK?

In my case, the next LDAP filter is calculated at the end of the sync execution (post script).

For the first execution, you have to put the LDAP filter in manually, because the LDAP filter is calculated at the end of the previous sync execution (in my case). And at the first execution, there is no previous sync existing… because it's the first 🙂

Like this:

1) First LDAP sync is executed (with a manually set LDAP filter);

2) After the sync (<=> post script of the scheduled data import), the script reads the property (LDAP filter template) and puts it in a JavaScript var, translates #DATE# to produce the next good filter automatically and updates the LDAP filter (=> table: ldap_ou_config);

3) Second sync is executed (with an automatically calculated LDAP filter from the end of the previous sync => step 2 just over);

4) After the sync, the script reads the property and puts it in a JavaScript var, translates #DATE# to produce the next good filter and updates the LDAP filter (= step 2 just over);

5) Third sync like the second sync, and so on...

Post script extract:

var ldapFilter = gs.getProperty('template.ldap.filter.prop'); // template filter containing #DATE#
var dateDyn = ADCaller_script_getDateCreated(); // script include function returning the right next date

// Load the LDAP OU definition used by this data source
var ldapDbObj = new GlideRecord('ldap_ou_config');
ldapDbObj.get(data_source.ldap_target.sys_id);

// Replace the placeholder and save the filter for the next execution
ldapDbObj.filter = ldapFilter.replaceAll("#DATE#", dateDyn);
ldapDbObj.update();

Hoping to have enlightened you.

Best regards.

Yes, in ldap filter of the LDAP OU Definition, you never have (&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=#DATE#)(extensionAttribute4=*))

The first time, you manually put in a real LDAP filter like this:

(&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=20210304000001.0Z)(extensionAttribute4=*))

Then, in the post script, the script translates the next filter

(&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=#DATE#)(extensionAttribute4=*))

to

(&(objectClass=user)(sn=*)(!(objectClass=computer))(whenCreated>=20210311000001.0Z)(extensionAttribute4=*)) 

and updates the LDAP OU definition filter with this new dynamic filter.

Best regards
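
The #DATE# substitution described in this thread, as an added example that is not part of the original posts and is not ServiceNow code: it formats a date as the YYYYMMDDHHMMSS.0Z value used in the filters above and refuses any replacement value that is not exactly that shape, so the substituted text cannot change the structure of the stored filter. The function names are hypothetical, no Glide APIs are used, and writing the result to ldap_ou_config stays as in the post-script above.

```javascript
// Added example (hypothetical helper names); plain JavaScript, no Glide APIs.
// Template filter as quoted in the thread.
var TEMPLATE = '(&(objectClass=user)(sn=*)(!(objectClass=computer))' +
  '(whenCreated>=#DATE#)(extensionAttribute4=*))';
var PLACEHOLDER = '#DATE#';
// Shape of the whenCreated values used in the thread: YYYYMMDDHHMMSS.0Z (UTC).
var GENERALIZED_TIME = /^\d{14}\.0Z$/;

function pad(n, width) {
  return ('0000' + n).slice(-width);
}

// Format a Date as the UTC timestamp string the LDAP filter compares against.
function toGeneralizedTime(date) {
  if (!(date instanceof Date) || isNaN(date.getTime())) {
    throw new TypeError('expected a valid Date');
  }
  var year = date.getUTCFullYear();
  if (year < 0 || year > 9999) {
    throw new RangeError('year does not fit in four digits: ' + year);
  }
  return pad(year, 4) + pad(date.getUTCMonth() + 1, 2) +
    pad(date.getUTCDate(), 2) + pad(date.getUTCHours(), 2) +
    pad(date.getUTCMinutes(), 2) + pad(date.getUTCSeconds(), 2) + '.0Z';
}

// True when every "(" has a matching ")" and the depth never goes negative.
function parensBalanced(filter) {
  var depth = 0;
  for (var i = 0; i < filter.length; i++) {
    if (filter.charAt(i) === '(') depth++;
    if (filter.charAt(i) === ')' && --depth < 0) return false;
  }
  return depth === 0;
}

// Build the next filter from the template; only a strict timestamp is accepted.
function buildFilter(template, stamp) {
  if (typeof stamp !== 'string' || !GENERALIZED_TIME.test(stamp)) {
    throw new Error('rejected value for ' + PLACEHOLDER + ': ' + stamp);
  }
  if (template.indexOf(PLACEHOLDER) === -1) {
    throw new Error('template does not contain ' + PLACEHOLDER);
  }
  // split/join substitutes literally, with no regex interpretation.
  var filter = template.split(PLACEHOLDER).join(stamp);
  if (!parensBalanced(filter)) throw new Error('unbalanced parentheses in filter');
  return filter;
}
```
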