You can customize your queries by configuring custom attributes and filters to suit your system's configuration. Use the custom query to change scope and support unique directory schemas.
Symantec recommends that you test all queries before deploying a new data source.
To configure a custom address resolution query for a new data source:
Add your data source and configure your server integration settings in the Directory Integration Settings - LDAP Server Configuration page, and then click Next.
See Adding a data source.
In the Add Directory Data Source - Directory Data Source Functions page, check Address resolution, and then click Customize Query.
Provide the following information:
Provide a Base DN for the custom query.
A default value is provided. Select "Customize" to provide your own values in the Custom query start field.
|Custom query start||
If you select "Customize" for the Base DN field, provide a Custom query start.
You can customize the base DN to refocus the search to a specific part of the directory tree. Custom query start lets you configure the query to fit your particular needs and return data more quickly.
|Primary email attribute||
Provide a Primary email attribute for the address resolution query, if desired.
The query filter instructs the directory data service to return data using attributes and tokens that describe a specific LDAP query syntax.
|Primary email attribute||
In the Primary email attribute field, provide the attribute in your LDAP schema that is used to store the primary email address information for the query.
If you provide multiple primary email attributes, the system selects the first attribute (based on alphabetical order) to use as the primary attribute for query purposes. The subsequent values appear as aliases, but only if the primary attribute and alias attribute names defined for the data source function are the same.
If you specify a primary email attribute of "proxyAddresses", the directory data service automatically identifies the attribute value that is prepended with "SMTP:" as the address. You do not need to specify this prefix in the field.
|Email alias attribute (optional)||
In the Email alias attribute field, provide the attribute in your LDAP schema that is used to store the email alias address information.
|Distribution list object classes||
In the Distribution list object classes field, list the object classes in your LDAP schema to be used to identify distribution list entries.
|Child membership attributes||
In the Child membership attributes field, provide the names of the attributes in your schema, separated by semicolons, that are used to define members of a group.
If you do not provide a child membership attribute, distribution lists and groups are not expanded. Choosing not to expand groups does create a performance benefit. It also means, however, that policies can only be applied to the email address of the recipient, since LDAP group memberships are not evaluated. Indirect policy groups through email aliases are still honored.
Click Restore Defaults to remove your edits to the address resolution query fields and replace them with the default values.
|Test email address||
Provide a Test email address that can be used to test and validate your query.
To validate the defined address resolution query against the data source, click Test Query.
This test is conducted against the directory data service instance that is running on the Control Center host. The test cannot verify connectivity from attached scanners to your LDAP server.
If your query is successful, you can click the icon next to the Test Query option to display all query results. This test reports all email addresses and user preferences that are associated with the test email address. If the recipient is a distribution list, this information is provided for all users belonging to that distribution list.
Test results reflect only the data source being tested. Test results do not provide information about the effects of other data sources or system settings such as aliasing and masquerading.
|Query filter (optional)||
Provide a Query filter (optional) for the group listing query, if desired.
The attribute describes the email address or attribute element to be searched and the token describes the parameters that are used to return data.
For example, for a SunONE data source, you might use the following query filter to identify all groups within the directory:
If this field is left blank, then groups are not listed on the Add Policy Groups page.
|Group name attribute (optional)||
In the Group name attribute (optional) field, provide the attribute from your schema that is used as the display name for the groups that are returned. A representative sample of groups is returned.
If this field is left blank, then the groups created for association with policy groups are listed on the Add Policy Groups page by the DN name only.
See About policy groups.
Click Restore Defaults to remove your edits to the group listing query configuration fields and replace them with the default values.
Click Test Query to validate the defined group listing query against the data source instance that is running on the Control Center host.
Test results reflect only the data source tested. The query returns a representative sample of groups found in the directory and is conducted against the directory data service instance that is running on the Control Center host. It cannot be used to verify connectivity from attached scanners to your LDAP server.
Click Save to return to the Add Directory Data Source - Directory Data Source Functions page.
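A check you can run on exported directory data before setting the Primary email attribute to "proxyAddresses", as described above. This is an added example, not Symantec code: it flags entries that do not carry exactly one value prefixed with "SMTP:". The sample entries are constructed, the function names are hypothetical, and the case-sensitive match follows the Exchange convention (the page does not state how the directory data service treats a lowercase "smtp:" prefix).

```python
# Constructed sample data: proxyAddresses values for three made-up entries.
SAMPLE_ENTRIES = {
    "cn=Alice,ou=Staff,dc=example,dc=com": [
        "SMTP:alice@example.com",
        "smtp:a.smith@example.com",
        "X500:/o=Example/cn=alice",
    ],
    "cn=Bob,ou=Staff,dc=example,dc=com": [
        "smtp:bob@example.com",
        "SIP:bob@example.com",
    ],
    "cn=Carol,ou=Staff,dc=example,dc=com": [
        "SMTP:carol@example.com",
        "SMTP:c.jones@example.com",
    ],
}

# Prefix named on the page. Matching it case-sensitively is an assumption
# based on the Exchange convention (uppercase marks the primary address).
PRIMARY_PREFIX = "SMTP:"


def classify(values):
    """Split one entry's values into (primary, other_smtp, non_smtp)."""
    primary, other_smtp, non_smtp = [], [], []
    for value in values:
        prefix, sep, address = value.partition(":")
        if sep and value.startswith(PRIMARY_PREFIX):
            primary.append(address)
        elif sep and prefix.lower() == "smtp":
            other_smtp.append(address)
        else:
            non_smtp.append(value)  # X500:, SIP:, or a value with no prefix
    return primary, other_smtp, non_smtp


def audit(entries):
    """Return {dn: finding} for entries without exactly one primary value."""
    findings = {}
    for dn, values in entries.items():
        primary, _, _ = classify(values)
        if not primary:
            findings[dn] = "no value prefixed with SMTP:"
        elif len(primary) > 1:
            findings[dn] = "multiple SMTP: values: " + ", ".join(primary)
    return findings


if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_ENTRIES).items():
        print(dn, "->", finding)
```

Entries the audit flags are good candidates for the Test email address field, since they show how the query behaves on data that does not match the expected shape.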