In addition to the ability to query the core database with
database queries, you can also use the Directory manager
tool that lets you locate, access, and target devices in other
directories via LDAP (the Lightweight Directory Access
Protocol).
You can query devices based on specific attributes such as
processor type or OS. You can also query based on specific user
attributes such as employee ID or department.
For information about creating and running database queries, see
Using queries.
Use Directory manager to accomplish the following tasks:
New directory: Opens the Directory
manager dialog where you identify and log in to an LDAP
directory.
Edit: Edit the currently selected
directory.
Delete: Removes the selected directory from
the preview pane and stops managing it.
Refresh: Reloads the list of managed
directories and targeted users.
LDAP targets: Places selected LDAP objects in
the target list. It is not possible to target Organizational Units
or LDAP containers.
New LDAP query: Opens the LDAP query
dialog where you can create and save an LDAP query.
The Directory manager window consists of three panes: a
directory pane on the left, a preview pane on the right, and the
bottom pane containing a target list and a list of LDAP
queries.
Directory pane
The directory pane displays all registered directories and
users. As an administrator, you can see a list of queries that are
associated with the directory. You can create and then save new
queries for a registered directory with a right mouse click or by
using drop-down menus.
Creating and saving LDAP directory queries
The task of creating a query for a directory and saving that
query is divided into two procedures:
To select an object in the LDAP directory and initiate a new query
In the left navigation pane, click Distribution
> Directory manager.
Browse the Directory manager directory pane,
and select an object in the LDAP directory. You'll create an LDAP
query that returns results from this point in the directory tree
down.
From Directory manager, click the New LDAP
query toolbar button. Note that this icon only appears when you
select the root organization (o) of the directory tree (o=my
company) or an organizational unit (ou=engineering) within the root
organization. Otherwise, it's dimmed.
The basic LDAP query dialog box appears.
To create, test, and save the query
From the basic LDAP query dialog box, type a
descriptive name in the Name field.
Click an attribute that will be a criterion for the
query from the list of directory attributes (example =
department).
Click a comparison operator for the query (=, <=, >=).
Enter a value for the attribute (example department =
engineering).
To create a complex query that combines multiple
attributes, select a combination operator (AND or OR) and repeat
steps 1 through 3 as many times as you want.
When you finish creating the query, click
Insert.
To test the completed query, click Test.
To save the query, click Save. The saved query
will appear by name under Saved queries in the directory
pane of Directory manager.
About the basic LDAP query dialog
Name: The name displayed in the directory
pane.
LDAP query root: Select a root object in the
directory for this query (for example,
LDAP://ldap.xyzcompany.com/ou=America,o=xyzcompany). The query that you're creating will return results
from this point in the tree down.
LDAP attributes: Select attributes for
user-type objects.
Operators: Select the type of operation to
perform relating to an LDAP object, its attributes, and attribute
values including equal to (=), less than or equal to (<=), and
greater than or equal to (>=).
Value: Specify the value assigned to the
attribute of an LDAP object.
Test: Execute a test of the query you've
created.
Save: Save the created query by name.
Advanced: Create a query using the elements of
a basic LDAP query but in a freeform manner.
Insert: Insert a line of query criteria.
Delete: Delete a selected line of
criteria.
About the Directory manager dialog
From the Directory manager toolbar, click the New
directory toolbar button to open the Directory manager
dialog. This dialog enables you to start managing a new directory,
or to view properties of a currently managed directory. This dialog
also shows the URL to the LDAP server and the authentication
information required to connect to the LDAP directory:
Directory URL: Enables you to specify the LDAP
directory to be managed. An example of an LDAP directory and the
correct syntax is "ldap.<companyname>.com." For example, you
might type ldap.xyzcompany.com.
Authentication: Enables you to log into the
directory. Specify a user name and password.
About the Advanced LDAP query dialog
From the Basic LDAP query dialog, click Advanced to open
the advanced LDAP query dialog, which displays the following:
LDAP query root: Enables you to select a root
object in the directory for this query. The query that you're
creating will return results from this point in the tree down.
LDAP query: Enables you to create a query
using the elements of a basic LDAP query but in a freeform
manner.
Example: Displays query examples you can use
as a guide when creating your own query in freeform.
Test: Enables you to execute a test of the query
you have created.
The Advanced LDAP query dialog appears when you select to edit a
query that has already been created. Also, if you select an LDAP
group in directory manager and then choose to create a query from
that point, the Advanced LDAP query dialog appears with a default
query that returns the users who are members of that group. You
can't change the syntax of this default query, only save the
query.
More about the Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol (LDAP) is an industry
standard protocol for accessing and viewing information about users
and devices. LDAP enables you to organize and store this
information into a directory. An LDAP directory is dynamic in that
it can be updated as necessary, and it is distributed, protecting
it from a single point of failure. Common LDAP directories include
Novell Directory Services (NDS) and Microsoft Active Directory
Services (ADS).
The following examples show LDAP queries that can be used to
search the directory:
Get all entries: (objectClass=*)
Get entries containing 'bob' somewhere in the common
name: (cn=*bob*)
Get entries with a common name greater than or equal
to 'bob': (cn>='bob')
Get all users with an e-mail attribute:
(&(objectClass=user)(email=*))
Get all user entries with an e-mail attribute and a
surname equal to 'smith': (&(sn=smith)(objectClass=user)(email=*))
Get all user entries with a common name that starts
with 'andy', 'steve', or 'margaret':
(&(objectClass=User)(|(cn=andy*)(cn=steve*)(cn=margaret*)))
Get all entries without an e-mail attribute:
(!(email=*))
The formal definition of the search filter is as follows (from
RFC 1960):
The token <attr> is a string representing an
AttributeType. The token <value> is a string representing an
AttributeValue whose format is defined by the underlying directory
service.
If a <value> must contain one of the characters * or ( or
), precede the character with the backslash (\) escape character.
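As an added example, not part of the product documentation: a small Python filter builder that rebuilds the sample filters above from the basic dialog's attribute, operator and value criteria and applies the escaping rule for *, ( and ) to caller-supplied values, so that a value typed into the Value field cannot close the criterion early and append a second one. The helper names are my own; escaping the backslash itself, and the note on RFC 4515 hex escapes, go beyond what the page states.

```python
import re

# Characters the page's RFC 1960 quote says to backslash-escape inside a <value>; the backslash
# itself is added (not in the page's rule) so an escaped value cannot smuggle in a new escape.
_SPECIAL = "*()\\"
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")   # attribute names such as cn, objectClass

def escape_value(value: str) -> str:
    """Escape *, (, ) and \\ in a caller-supplied attribute value (RFC 4515 uses \\2a-style hex)."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
def _check_attr(attr: str) -> str:
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return attr

def cmp(attr: str, op: str, value: str) -> str:
    """One criterion line of the basic dialog: attribute, operator (=, <=, >=), value."""
    if op not in ("=", "<=", ">="):
        raise ValueError(f"unsupported operator: {op!r}")
    return f"({_check_attr(attr)}{op}{escape_value(value)})"

def substring(attr: str, *parts: str) -> str:
    """Substring match: literal parts are escaped, a wildcard goes between each pair, so
    substring('cn', '', 'bob', '') is (cn=*bob*) and substring('cn', 'andy', '') is (cn=andy*)."""
    return f"({_check_attr(attr)}=" + "*".join(escape_value(p) for p in parts) + ")"

def present(attr: str) -> str:
    """Presence test (attr=*): every entry that has the attribute at all."""
    return substring(attr, "", "")
def and_(*filters: str) -> str: return "(&" + "".join(filters) + ")"
def or_(*filters: str) -> str: return "(|" + "".join(filters) + ")"
def not_(filt: str) -> str: return "(!" + filt + ")"

def page_examples() -> dict:
    """The page's sample filters, rebuilt from the helpers above."""
    return {
        "all": present("objectClass"),
        "bob_anywhere": substring("cn", "", "bob", ""),
        "cn_ge_bob": cmp("cn", ">=", "bob"),
        "users_with_email": and_(cmp("objectClass", "=", "user"), present("email")),
        "smiths_with_email": and_(cmp("sn", "=", "smith"), cmp("objectClass", "=", "user"), present("email")),
        "three_names": and_(cmp("objectClass", "=", "User"), or_(substring("cn", "andy", ""),
                            substring("cn", "steve", ""), substring("cn", "margaret", ""))),
        "no_email": not_(present("email")),
    }

def department_query(department: str) -> str:
    """The dialog's 'department = engineering' criterion with the value taken from untrusted
    input (constructed here): escaping keeps a stray ')' or '(' from adding a criterion."""
    return and_(cmp("objectClass", "=", "user"), cmp("department", "=", department))
```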