Attribute filter

The applicable targets of the attribute filter are attributes of LDAP entries. Every LDAP entry (including user, organizational unit, container, group, and contact) has a set of attributes which store information for the entry. The attribute sets can vary among different LDAP entries.
The attribute filter has an XML attribute named “target” which identifies the attribute of the LDAP entry which the filters are applied to. The value of “target” must be the exact name of one of the LDAP entry’s attributes. If the name is different, the filter does not take effect.
Identify the set of LDAP attributes using the in-package AdTools.exe utility application. For the synchronization process, the most useful LDAP attributes are “name” and “objectclass.”
The XML definition of the attribute filter can have two subsections, <include> and <exclude>, which define several <value> nodes by themselves.
The <include> section identifies the child LDAP nodes that are included in search results: those whose target attribute has one of the defined values. Note that the value "*" is a wildcard that matches any value. A missing or empty <include> section includes all values by default. Empty values such as <value></value> are ignored.
The <exclude> section has the reverse effect of the <include> section: it identifies the child LDAP nodes whose “target” attribute has one of the defined values and excludes them. On its own, the value "*" has no meaning in this context. However, if the value "*" is defined or inherited in the <include> section, defining "*" in the <exclude> section removes the value "*" from both the <include> and <exclude> sections. A missing or empty <exclude> section, or one with no value defined, excludes nothing. Empty values are ignored.
During sync processing for one node, before applying “attribute” filters, all applicable “attribute” filters (either defined in this node or inherited from parents) with the same targeted LDAP attribute are merged to eliminate redundant and conflicting value definitions.
The following are example XML segments.
  • Filter 1
    includes only the LDAP entries whose “objectclass” (the type of the LDAP entry) has one of the values “user”, “container”, “organizationalUnit” or “group”. Currently only tree nodes (organizationalUnit, container), users and groups (static lists) are synchronized, so LDAP entries of all other types are excluded from the resulting hierarchy tree; the <exclude> section additionally drops entries of class “computer”. Filter 1 is inheritable, so it applies to all child nodes.
    <!-- Filter 1 -->
    <filter type="attribute" target="objectclass" inheritable="true">
      <include>
        <value>user</value>
        <value>organizationalUnit</value>
        <value>container</value>
        <value>group</value>
      </include>
      <exclude>
        <value>computer</value>
      </exclude>
    </filter>
  • Filter 2
    includes an LDAP entry whose value of “name” (common name) can be any value except “Computers.” This filter is inheritable, so all LDAP entries with the name “Computers” are excluded. This filter may be useful if many nodes have a subentry whose name is “Computers”.
    <!-- Filter 2 -->
    <filter type="attribute" target="name" inheritable="true">
      <include>
        <value>*</value>
      </include>
      <exclude>
        <value>Computers</value>
      </exclude>
    </filter>
  • Filter 3
    is not inheritable. This filter excludes a child entry with the name “DB Servers” or “Web Servers” under the current LDAP node.
    <!-- Filter 3 -->
    <filter type="attribute" target="name" inheritable="false">
      <exclude>
        <value>DB Servers</value>
        <value>Web Servers</value>
      </exclude>
    </filter>
  • Filter 4
    is a date filter. This filter can apply to any <date> type LDAP attribute. The XML definition of the date filter can have two or three subsections: <applicableClasses>, <from> and <to>, or <within>.
    <applicableClasses>: Defines the LDAP object classes the date filter is applied to.
    <from> and <to>: Define the start date and end date of the filter.
    If <from> and <to> do not exist, define a <within> tag and specify a number of days. This creates a date range from the specified number of previous days until today.
    <!-- Filter 4 -->
    <filter type="date" target="whenchanged" inheritable="true">
      <applicableClasses>
        <class>user</class>
      </applicableClasses>
      <from>7/1/2007</from>
      <to>07/18/2007</to>
      <within>1</within>
    </filter>
  • Filter 5
    is an LDAP filter. This type of filter lets you define a pure LDAP filter string that is used directly during the search process. It is the most flexible and powerful way to define filters: LDAP filters can achieve the goals of all other filter types, but writing them requires understanding LDAP filter syntax.
    <!-- Filter 5 -->
    <filter type="LDAP" inheritable="true">
      <!-- Exclude All Disabled Users -->
      <![CDATA[ (!(samaccounttype=268435456)) ]]>
    </filter>
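The include/exclude semantics and the per-target merge step described above, applied to Filters 1 to 3, as an added Python example (not code from the product or its AdTools.exe utility). The parser, the root-to-current node chain used to model inheritance, and the tie-break rules marked as assumptions in the comments are mine; the sample entries are constructed.

```python
import xml.etree.ElementTree as ET
def parse_attribute_filter(xml_text):
    """Parse one attribute filter; empty <value> nodes are dropped, a missing or empty <include> means {"*"}."""
    root = ET.fromstring(xml_text)
    def values(section):
        node = root.find(section)
        return {(v.text or "").strip() for v in node.findall("value")} - {""} if node is not None else set()
    include = values("include") or {"*"}
    return root.get("target"), root.get("inheritable") == "true", include, values("exclude")

def applicable_filters(chain):
    """chain: parsed-filter lists from the root down to the current node; ancestors contribute only inheritable ones."""
    *ancestors, current = chain
    return [f for node in ancestors for f in node if f[1]] + list(current)

def merge_by_target(filters):
    """Merge every filter aimed at the same target attribute into one (include, exclude) pair."""
    merged = {}
    for target, _, include, exclude in filters:
        inc, exc = merged.setdefault(target, (set(), set()))
        inc |= include
        exc |= exclude
    for inc, exc in merged.values():
        if "*" in exc:  # "*" in <exclude> only cancels a defined or inherited "*" in <include>
            inc.discard("*")
            exc.discard("*")
    return merged

def entry_passes(entry, merged):
    """entry: dict attribute -> list of values (exact match assumed). Some value must be included and
    none excluded for every target; an explicit exclusion wins (assumption, the docs do not say)."""
    for target, (inc, exc) in merged.items():
        vals = entry.get(target, [])
        if not ("*" in inc or any(v in inc for v in vals)) or any(v in exc for v in vals):
            return False
    return True

def evaluate(entry, chain):
    return entry_passes(entry, merge_by_target(applicable_filters(chain)))
# Constructed sample: Filters 1 and 2 live on the root node, Filter 3 on one child node.
FILTER_1 = ('<filter type="attribute" target="objectclass" inheritable="true"><include>'
            '<value>user</value><value>organizationalUnit</value><value>container</value>'
            '<value>group</value></include><exclude><value>computer</value></exclude></filter>')
FILTER_2 = ('<filter type="attribute" target="name" inheritable="true"><include><value>*</value>'
            '</include><exclude><value>Computers</value></exclude></filter>')
FILTER_3 = ('<filter type="attribute" target="name" inheritable="false"><exclude>'
            '<value>DB Servers</value><value>Web Servers</value></exclude></filter>')
ROOT_NODE = [parse_attribute_filter(FILTER_1), parse_attribute_filter(FILTER_2)]
CHILD_NODE = [parse_attribute_filter(FILTER_3)]
```

Evaluating a computer object with the chain `[ROOT_NODE, CHILD_NODE]` shows why Filter 1 excludes “computer” explicitly: in Active Directory a computer object also carries the “user” object class, so the <include> section alone would let it through.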