IDM 4.7. Dynamic Group Filter - some attributes disappear aftrer saving

Hi All,

During Dynamic Group creation from iManager I create several queries. When I create a query with the following filter: (&(objectClass=Person)(title=Сотрудник приемной председателя)) and press "Apply" button, I get several users in the Query Results field. Looks OK so far.

But when I save the group (by pressing OK button) and then edit it again I see that the "title" attribute in my filter is empty: (&(objectClass=Person)(title=))

Why does this happen?

Parents
  • Hi,
    I can reproduce this in iManager 3.1.4. Are we sure that dynamic query is able to store Unicode characters? Should, but can it?

    BTW: German umlautz are working.

    regards
    Daniel

  • Hi Daniel,

    I have another query within the same dynamic group:
    (&(title=Помощник судьи)(objectClass=Person))

    And it works fine - nothing disappears after saving. According to this, I assume that a dynamic query is able to store Unicode.

    Best regards,
    Eugene
  • You should be able to store these values in a query. I am pretty confident that eDirectory supports this also. They do however need to be escaped.
    One must to convert to UTF-8 hex pairs and then escape each hex pair with a backslash.
    If iManager is not handling this conversion properly, then I'd raise a service request to get a build that works properly.

    Try to create a dummy filter via iManager, then edit the value directly in a LDAP browser (Apache DS for example) paste in this, for example.

    (&(title=\D0\A1\D0\BE\D1\82\D1\80\D1\83\D0\B4\D0\BD\D0\B8\D0\BA\20\D0\BF\D1\80\D0\B8\D0\B5\D0\BC\D0\BD\D0\BE\D0\B9\20\D0\BF\D1\80\D0\B5\D0\B4\D1\81\D0\B5\D0\B4\D0\B0\D1\82\D0\B5\D0\BB\D1\8F)(objectClass=Person))

    Note that the MemberQueryURL has a bunch of stuff appended before and after the LDAP filter part, don't replace the entire value, just the dummy query.

  • Hi Alex,

    I see that the working query (&(title=Помощник судьи)(objectClass=Person)) looks like this in LDAP browser

    ldap:///OU=users,O=data??sub?(&(objectClass=Person)(title=\d0\9f\d0\be\d0\bc\d0\be\d1\89\d0\bd\d0\b8\d0\ba \d1\81\d1\83\d0\b4\d1\8c\d0\b8))

    So, I assume the '\' symbol must be presented as \.

    I took your query and replaced '\' to \: ldap:///OU=users,O=data??sub?(&(title=\d0\a1\d0\be\d1\82\d1\80\d1\83\d0\b4\d0\bd\d0\b8\d0\ba\20\d0\bf\d1\80\d0\b8\d0\b5\d0\bc\d0\bd\d0\be\d0\b9\20\d0\bf\d1\80\d0\b5\d0\b4\d1\81\d0\b5\d0\b4\d0\b0\d1\82\d0\b5\d0\bb\d1\8f)(objectClass=Person))

    But when I try to paste this into the memberQueryURL attribute by using LDAP browser I encounter the following scenarios:

    #1.

    - Create a dummy query. It looks like this: ldap:///OU=users,O=data??sub?(&(objectClass=*))

    - (by using Hex Editor - Edit as Text widget in Apache DS) paste the following query: 

    ldap:///OU=users,O=data??sub?(&(title=\d0\a1\d0\be\d1\82\d1\80\d1\83\d0\b4\d0\bd\d0\b8\d0\ba\20\d0\bf\d1\80\d0\b8\d0\b5\d0\bc\d0\bd\d0\be\d0\b9\20\d0\bf\d1\80\d0\b5\d0\b4\d1\81\d0\b5\d0\b4\d0\b0\d1\82\d0\b5\d0\bb\d1\8f)(objectClass=Person))

    - I can successfully save this query. But after saving the title value disappears again. I get: ldap:///OU=users,O=data??sub?(&(objectClass=Person)(title=))

    #2.

    If I try to correct the query again I can get the following errors:

    Error while executing LDIF
    - [LDAP: error code 16 - NDS error: no such value (-602)]
    java.lang.Exception: [LDAP: error code 16 - NDS error: no such value (-602)]
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1374)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$9(DirectoryApiConnectionWrapper.java:1342)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:736)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1269)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1205)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:758)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:515)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123)
    at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:116)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)

    [LDAP: error code 16 - NDS error: no such value (-602)]

     

    OR 

     

    Error while executing LDIF
    - [LDAP: error code 21 - NDS error: no additional information available (-306)]
    java.lang.Exception: [LDAP: error code 21 - NDS error: no additional information available (-306)]
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1374)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$9(DirectoryApiConnectionWrapper.java:1342)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:736)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1269)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1205)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:758)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:515)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157)
    at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123)
    at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:116)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)

    [LDAP: error code 21 - NDS error: no additional information available (-306)]

     

    Regards,

    Eugene

  • Ok, here is a solution.

    I have tested this with relatively recent environment eDir 9.1.4 / IDM 4.7.2 / iManager 3.1.3

    Generated the correctly escaped LDAP query by using a simple PowerShell script.

    $CyrillicString = 'Помощник судьи' $dummyFilter = 'ldap:///OU=Users,OU=Data,O=IDV??sub?(&(title={0})(objectClass=Person))' $EscapedUTF8StrArray = [System.Text.Encoding]::UTF8.GetBytes($CyrillicString)|ForEach-Object { "\{0:X2}" -f $( $_ -as [int16] ) } Write-Host ($dummyFilter -f (-join $EscapedUTF8StrArray))

    Using Apache Directory Studio right click on memberQueryURL and select "edit Value With" and choose "in-place text editor". Then simply paste the line generated by the powershell script in here, hit enter to save.

    When I view this dynamic group in iManager, the preview shows the correct Cyrillic text, but when I try and edit it with the leftmost icon "advanced selection criterion" , then I get gibberish.

    If I edit with the rightmost button "Edit item", I can edit and the changes are saved correctly.

    So.. it at least partly works in iManager 3.1.3 or with above script you can easily generate your own encoded queries.

Reply
  • Ok, here is a solution.

    I have tested this with relatively recent environment eDir 9.1.4 / IDM 4.7.2 / iManager 3.1.3

    Generated the correctly escaped LDAP query by using a simple PowerShell script.

    $CyrillicString = 'Помощник судьи' $dummyFilter = 'ldap:///OU=Users,OU=Data,O=IDV??sub?(&(title={0})(objectClass=Person))' $EscapedUTF8StrArray = [System.Text.Encoding]::UTF8.GetBytes($CyrillicString)|ForEach-Object { "\{0:X2}" -f $( $_ -as [int16] ) } Write-Host ($dummyFilter -f (-join $EscapedUTF8StrArray))

    Using Apache Directory Studio right click on memberQueryURL and select "edit Value With" and choose "in-place text editor". Then simply paste the line generated by the powershell script in here, hit enter to save.

    When I view this dynamic group in iManager, the preview shows the correct Cyrillic text, but when I try and edit it with the leftmost icon "advanced selection criterion" , then I get gibberish.

    If I edit with the rightmost button "Edit item", I can edit and the changes are saved correctly.

    So.. it at least partly works in iManager 3.1.3 or with above script you can easily generate your own encoded queries.

Children
  • Hi Alex,

    Thanks for your solution. Also, microfocus tech support confirmed that there is some kind of "cosmetic" bug. Even though some values seem to have disappeared from memberQueryUrl, in fact, the query still works as expected (that's what matters). The only inconvenience is that you can't see the query in iManager (and even by using LDAP browser) correctly.