This document describes how to correct the Lightweight Directory Access Protocol (LDAP) search issue with a custom base filter for Cisco Jabber for Windows.
Cisco recommends that you have knowledge of Cisco Jabber for Windows.
The information in this document is based on Cisco Jabber for Windows.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
When an attribute such as employeeID is added to the BaseFilter specified in the jabber-config.xml file, no results are found even though the users have this attribute populated in Active Directory (AD). When a base filter is created without this attribute, it works as designed.
When you use ldp.exe to query the LDAP, the filter with this attribute works as designed.
Example
This code works:
<BaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</BaseFilter>
It fails if you add (employeeid=*):
<BaseFilter>(&amp;(employeeid=*)(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</BaseFilter>
Jabber for Windows can connect to a domain controller (TCP port 389 or secure 636) or a global catalog (TCP port 3268 or secure 3269). This is controlled by the ConnectionType parameter in the jabber-config.xml file where 0 = global catalog (default value) and 1 = domain controller.
If you connect to the global catalog, you need to ensure that all the attributes present in the LDAP filter are propagated to the global catalog. If one attribute from the LDAP filter is not present in the global catalog, the search request that uses this filter does not return any results. By default, only a subset of attributes is propagated to the global catalog. employeeID is one of the attributes that is not propagated by default.
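The check described above can be run against a configuration before it is deployed. The following Python sketch is an added example, not Cisco code: it extracts the attribute names from the BaseFilter and reports any that are absent from the global catalog when ConnectionType is 0. The XML fragment and the attribute set are constructed samples, and the function names are hypothetical. On a real forest, the set would be built from the schema attributes that have isMemberOfPartialAttributeSet set to TRUE.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the attributes replicated to the global catalog.
# The three names are the ones used by the filter that the page says works.
SAMPLE_GC_ATTRS = {"objectclass", "objectcategory", "useraccountcontrol"}

# Constructed jabber-config.xml fragment; the element nesting is an assumption.
SAMPLE_CONFIG = """<config><Directory>
  <ConnectionType>0</ConnectionType>
  <BaseFilter>(&amp;(employeeid=*)(objectclass=user)(objectcategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</BaseFilter>
</Directory></config>"""

# An attribute name follows "(" and is terminated either by a comparison
# operator (=, ~=, >=, <=) or by a matching-rule suffix such as ":<oid>:=".
ATTR_RE = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9;-]*)\s*(?::[^=()]*:)?[~<>]?=")


def filter_attributes(base_filter):
    """Return the attribute names used in an LDAP filter, lowercased, in order."""
    seen = []
    for name in ATTR_RE.findall(base_filter):
        name = name.lower()
        if name not in seen:
            seen.append(name)
    return seen


def check_config(xml_text, gc_attrs):
    """Report filter attributes that a global catalog search cannot match on."""
    root = ET.fromstring(xml_text)
    # ConnectionType defaults to 0 (global catalog) when the element is absent.
    conn = (root.findtext(".//ConnectionType") or "0").strip()
    attrs = filter_attributes(root.findtext(".//BaseFilter") or "")
    missing = [a for a in attrs if a not in gc_attrs]
    return {
        "uses_global_catalog": conn == "0",
        "attributes": attrs,
        "missing_from_gc": missing,
        # Only a global catalog connection is affected by a missing attribute.
        "at_risk": conn == "0" and bool(missing),
    }


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG, SAMPLE_GC_ATTRS))
```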
Point Jabber to a domain controller instead of the global catalog (in your jabber-config.xml file, set the directory parameter ConnectionType to 1 instead of 0). This is not recommended: a domain controller is slower than a global catalog, so the Jabber client performs worse.
Replicate the needed attribute (employeeID) to the global catalog servers in your AD environment. Check with your AD administrator to verify it will be updated. In order to perform this change, go to the domain controller with schema administrator rights:
Revision | Publish Date | Comments |
---|---|---|
1.0 | 26-Jun-2013 | Initial Release |