Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Using user validation filters


BMC Decision Support for Server Automation uses user validation filters when refreshing LDAP session credentials. These filters help determine whether a user account is in good standing.

A user validation filter is applied to a search query on the distinguished name (DN) of a user. If an account is disabled, locked, or not authorized to log on, the query must return empty results. The filter checks schema-specific attributes for values that indicate an account is not in good standing.

If a custom validation filter is not defined, the Authentication Service can only verify whether a user account still exists. It cannot determine, for example, whether the account has been locked. User validation filters must be properly formatted LDAP search filters. See below for descriptions of some common validation filters.
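The following Python example is added here for illustration and is not BMC code or a filter taken from this page. It evaluates a validation filter against constructed directory entries the way a search on the user's DN would, returning an empty result for an account that is not in good standing. Assumptions: `(objectClass=*)` stands in for the existence-only check, the second filter is the commonly used Active Directory test for the disabled bit of `userAccountControl`, and all function names and DNs are hypothetical.

```python
import re
AD_BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule

def parse(f, i=0):
    """Parse one filter from f[i:] (RFC 4515 subset); return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|", "!"):
        i, kids = i + 2, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the parenthesis is never closed
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i + 1:end])
    if not m or m.group(2) not in (None, AD_BIT_AND):
        raise ValueError(f"malformed or unsupported filter item at offset {i}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attr -> values)."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, want = node
    values = entry.get(attr, [])
    if rule:  # bitwise AND: every bit set in the assertion must be set in the value
        return any((int(v) & int(want)) == int(want) for v in values)
    # "*" is a presence test; anything else is a case-insensitive equality match
    return bool(values) if want == "*" else any(v.lower() == want.lower() for v in values)

def validate_user(directory, dn, flt):
    """Base-scope search on the user's DN; an empty list means 'not in good standing'."""
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    entry = directory.get(dn.lower())
    return [dn] if entry is not None and matches(tree, entry) else []

# Constructed sample data: userAccountControl 512 = normal account, 514 = 512 | 2 (disabled).
DIRECTORY = {
    "cn=alice,ou=staff,dc=example,dc=test": {"objectclass": ["top", "user"], "useraccountcontrol": ["512"]},
    "cn=bob,ou=staff,dc=example,dc=test": {"objectclass": ["top", "user"], "useraccountcontrol": ["514"]}}
EXISTS_ONLY = "(objectClass=*)"  # assumption: stands in for the no-custom-filter case
AD_ENABLED = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

With `EXISTS_ONLY`, the disabled account `cn=bob` still validates; with `AD_ENABLED`, the same lookup returns an empty result, which is the behavior a validation filter is required to produce.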

Directory servers enforce different access controls on user account attributes. A directory server might allow anonymous connections to browse user account data, but a directory server typically restricts access to attributes that indicate whether an account is disabled. To take advantage of a custom user validation filter, the Authentication Service must log on to the directory server with a privileged account. The name and password of the privileged account are defined by the LDAP DefaultUser and LDAP DefaultPassword settings. If you are not employing user validation filters and your directory server allows anonymous connections, you do not need to define a default LDAP user and password.

Depending upon the type of LDAP directory server, use the following user validation filters:

 

 


BMC Decision Support for Server Automation 8.9