Cisco Jabber for Windows

Jabber for Windows Unable to Query LDAP with Modified Base Filter

Document ID: 116104

Updated: Jun 26, 2013

Contributed by Bruno Van Turnhout, Cisco TAC Engineer.

Introduction

This document describes how to correct the Lightweight Directory Access Protocol (LDAP) search issue with a custom base filter for Cisco Jabber for Windows.

Prerequisites

Requirements

Cisco recommends that you have knowledge of Cisco Jabber for Windows.

Components Used

The information in this document is based on Cisco Jabber for Windows.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

When an attribute such as employeeID is added to the BaseFilter specified in the jabber-config.xml file, no results are found even though the users have this attribute populated in Active Directory (AD). A base filter created without this attribute works as designed.


When you use ldp.exe to query the LDAP, the filter with this attribute works as designed.

Example

This code works:

<BaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</BaseFilter>

It fails if you add (employeeid=*):

<BaseFilter>(&amp;(employeeid=*)(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</BaseFilter>

Solution

Jabber for Windows can connect to a domain controller (TCP port 389 or secure 636) or a global catalog (TCP port 3268 or secure 3269). This is controlled by the ConnectionType parameter in the jabber-config.xml file where 0 = global catalog (default value) and 1 = domain controller.

If you connect to the global catalog, you need to ensure that all the attributes present in the LDAP filter are propagated to the global catalog. If one attribute from the LDAP filter is not present in the global catalog, the search request that uses this filter does not return any results. By default, only a subset of attributes is propagated to the global catalog, and employeeID is one of the attributes that is not propagated by default.

Solution 1: Domain Controller

Point Jabber to a domain controller instead of the global catalog (in your jabber-config.xml file, set the directory parameter ConnectionType to 1 instead of 0). This is not recommended because a domain controller is slower than a global catalog, which results in poorer performance of the Jabber client.

Solution 2: Global Catalog

Replicate the needed attribute (employeeID) to the global catalog servers in your AD environment. Check with your AD administrator to verify it will be updated. In order to perform this change, go to the domain controller with schema administrator rights:

  1. Navigate to MMC > File > Add/remove schema > Add Active Directory Schema.
  2. In the left pane, open the Attributes folder.
  3. Right-click the attribute (employeeID).
  4. In the (employeeID) Properties window, check the Replicate this attribute to the Global Catalog check box.
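To check which attributes in a BaseFilter are replicated to the global catalog, before and after the schema change, the following added example (not part of the original Cisco document) reads each attribute's isMemberOfPartialAttributeSet flag from the AD schema. It assumes the RSAT ActiveDirectory PowerShell module and read access to the schema partition; $baseFilter holds the failing filter from the Example section with &amp; unescaped to &.

```powershell
# Added example: report whether each attribute used in a Jabber BaseFilter
# is replicated to the global catalog (partial attribute set).
Import-Module ActiveDirectory

# Filter from jabber-config.xml after XML unescaping (&amp; -> &).
$baseFilter = '(&(employeeid=*)(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

# Attribute names follow "(" or "!" and end at an operator (=, ~=, >=, <=)
# or at the ":" that introduces a matching-rule OID.
$attrs = [regex]::Matches($baseFilter, '[(!]([A-Za-z][A-Za-z0-9-]*)(?=[:=~<>])') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique

# Attribute definitions live in the schema naming context of the forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($attr in $attrs) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$attr)" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet

    [pscustomobject]@{
        Attribute       = $attr
        InSchema        = [bool]$schemaObj
        # TRUE only when the attribute is replicated to the global catalog;
        # unset or FALSE means a GC search that filters on it finds nothing.
        InGlobalCatalog = ($schemaObj.isMemberOfPartialAttributeSet -eq $true)
    }
}

$report | Format-Table -AutoSize

# Attributes that would make the filter fail against the global catalog.
$missing = $report | Where-Object { -not $_.InGlobalCatalog }
if ($missing) {
    Write-Warning ("Not in global catalog: " + ($missing.Attribute -join ', '))
}
```

Any attribute listed in the warning must either be replicated to the global catalog (Solution 2) or the client must be pointed at a domain controller (Solution 1).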
