4.14. About LDAP Filters and Attributes

4.14.1. Searching for Users and Groups
4.14.2. Requesting a Desktop for a User
4.14.3. Resolving Group Membership
4.14.4. LDAP Cache

Oracle VDI uses various LDAP filters and attribute lists to look up and interpret the data stored in a user directory.

This section explains how the LDAP filters and attributes are used by Oracle VDI to perform the different searches in the user directory necessary for each task.

See Section C.1, “How to Edit LDAP Filters and Attributes” for details about how to edit those filters.

4.14.1. Searching for Users and Groups

You can use the administration tools (Oracle VDI Manager or the CLI) to search for users and groups in order to assign them to desktops or pools.

The search logic works as follows:

  • Users are searched first:

    • The filter used to search for users is: (&ldap.user.object.filter ldap.user.search.filter).

    • The $SEARCH_STRING placeholder is replaced by *criteria*, where criteria is the string typed in the Oracle VDI Manager search field. If the criteria string already contains a wildcard "*", the $SEARCH_STRING placeholder is replaced by criteria as typed.

  • Groups are then searched as follows:

    • The filter used to search for groups is: (&ldap.group.object.filter ldap.group.search.filter).

    • The $SEARCH_STRING placeholder is replaced by *criteria*, where criteria is the string typed in the Oracle VDI Manager search field. If the criteria string already contains a wildcard "*", the $SEARCH_STRING placeholder is replaced by criteria as typed.

If the global setting ldap.search.wildcard is set to disabled, the $SEARCH_STRING placeholder is replaced by criteria without surrounding wildcards. This restricts the returned results to entries that strictly match the typed string, which is useful with very large or distributed user directories where a wildcard search takes too long to return.

Wildcards are added by default, because the default value of ldap.search.wildcard is enabled.
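The following Python example, added here and not part of Oracle VDI or its documentation, assembles a user or group search filter from the settings named above. The setting values are constructed stand-ins; a deployment configures its own. One assumption goes beyond the section: because the criteria string is typed by a user and pasted into the filter, the example escapes the RFC 4515 special characters while keeping a wildcard the user deliberately typed, so typed text cannot add clauses to the filter.

```python
# Added example, not Oracle VDI code. Setting values are constructed.
SETTINGS = {
    "ldap.user.object.filter": "(objectClass=inetOrgPerson)",
    "ldap.user.search.filter": "(|(cn=$SEARCH_STRING)(uid=$SEARCH_STRING))",
    "ldap.group.object.filter": "(objectClass=groupOfNames)",
    "ldap.group.search.filter": "(cn=$SEARCH_STRING)",
    "ldap.search.wildcard": "enabled",
}

# RFC 4515 escapes for characters that would otherwise change the filter's
# structure. Escaping the typed criteria is an assumption of this example; the
# section does not state what Oracle VDI does with these characters.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value, keep_wildcard):
    """Escape an assertion value; '*' is escaped as well unless keep_wildcard is set."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ch == "*" and not keep_wildcard:
            out.append(r"\2a")
        else:
            out.append(ch)
    return "".join(out)


def search_value(criteria, settings):
    """Compute the text that replaces $SEARCH_STRING, following the rules above:
    surround with wildcards unless the user typed one or wildcards are disabled."""
    wildcard_enabled = settings.get("ldap.search.wildcard", "enabled") == "enabled"
    user_supplied_wildcard = "*" in criteria
    value = escape_filter_value(criteria, keep_wildcard=user_supplied_wildcard)
    if wildcard_enabled and not user_supplied_wildcard:
        return "*" + value + "*"
    return value


def build_search_filter(kind, criteria, settings=SETTINGS):
    """kind is 'user' or 'group'; returns (&<object filter><expanded search filter>)."""
    object_filter = settings["ldap.%s.object.filter" % kind]
    search_filter = settings["ldap.%s.search.filter" % kind]
    expanded = search_filter.replace("$SEARCH_STRING", search_value(criteria, settings))
    return "(&" + object_filter + expanded + ")"


if __name__ == "__main__":
    for kind, criteria in (("user", "bob"), ("user", "bo*"), ("group", "a)(cn=*")):
        print(kind, repr(criteria), "->", build_search_filter(kind, criteria))
```

With the constructed settings, typing bob produces (&(objectClass=inetOrgPerson)(|(cn=*bob*)(uid=*bob*))), typing bo* keeps the typed wildcard, and a string containing parentheses reaches the directory with those characters escaped.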

4.14.2. Requesting a Desktop for a User

When requesting a desktop for a user, Oracle VDI first needs to find the user DN that matches the user ID before resolving the pool and desktop assignments for the user DN. If client authentication is enabled, then the user ID attribute is also used for authentication.

The attributes used to match the user ID are defined in ldap.userid.attributes.

4.14.3. Resolving Group Membership

Group membership is resolved using the attributes defined in ldap.user.member.attributes and ldap.group.member.attributes.

Nested group depth is limited to 3.

Oracle VDI also resolves primary group membership, which is specific to Active Directory. The attributes used for resolving primary group membership are defined in ldap.group.short.attributes and ldap.user.member.attributes.
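The following Python example, added here and not part of Oracle VDI, shows nested group resolution over the two link directions named above with the nesting depth capped at 3. The directory entries are constructed, the attribute names memberOf and member are assumed values for ldap.user.member.attributes and ldap.group.member.attributes, and the example counts direct membership as depth 1 (the section does not say how depth is counted). The constructed data includes a cycle, which the walk must stop on; Active Directory primary group resolution is not modelled.

```python
# Added example, not Oracle VDI code. Entries, DNs and attribute names are constructed.
from collections import deque

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
ALICE = "cn=alice," + PEOPLE
DEV, ENG, STAFF, EVERYONE = ("cn=%s,%s" % (n, GROUPS) for n in ("dev", "eng", "staff", "everyone"))

# memberOf on an entry and member on a group mirror each other, as a directory
# normally keeps them. EVERYONE links back to DEV to create a deliberate cycle.
DIRECTORY = {
    ALICE: {"memberOf": [DEV]},
    DEV: {"member": [ALICE], "memberOf": [ENG]},
    ENG: {"member": [DEV], "memberOf": [STAFF]},
    STAFF: {"member": [ENG], "memberOf": [EVERYONE]},
    EVERYONE: {"member": [STAFF], "memberOf": [DEV]},
}

USER_MEMBER_ATTRS = ("memberOf",)   # assumed value of ldap.user.member.attributes
GROUP_MEMBER_ATTRS = ("member",)    # assumed value of ldap.group.member.attributes
MAX_NESTING = 3                     # the limit stated in the section


def _walk(start_dn, attrs, directory, max_depth):
    """Breadth-first walk along the given link attributes; returns {dn: depth}.
    Breadth-first order records the shortest depth for each entry, the seen
    dictionary stops cycles, and entries at max_depth are not expanded further."""
    seen = {}
    queue = deque([(start_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for attr in attrs:
            for linked in directory.get(dn, {}).get(attr, []):
                if linked not in seen:
                    seen[linked] = depth + 1
                    queue.append((linked, depth + 1))
    return seen


def groups_of_user(user_dn, directory=DIRECTORY, max_depth=MAX_NESTING):
    """Groups the user belongs to: depth 1 is direct, higher depths are nested."""
    return _walk(user_dn, USER_MEMBER_ATTRS, directory, max_depth)


def members_of_group(group_dn, directory=DIRECTORY, max_depth=MAX_NESTING):
    """Entries reachable from the group through member links, with their depth."""
    return _walk(group_dn, GROUP_MEMBER_ATTRS, directory, max_depth)


def is_member(user_dn, group_dn, directory=DIRECTORY, max_depth=MAX_NESTING):
    return group_dn in groups_of_user(user_dn, directory, max_depth)


if __name__ == "__main__":
    print(groups_of_user(ALICE))          # dev, eng, staff; everyone is one level too deep
    print(members_of_group(STAFF))        # eng, dev, alice
    print(is_member(ALICE, EVERYONE))     # False at depth 3, True if the cap were 4
```

The two walks agree with each other: alice reaches staff at depth 3 and staff reaches alice at depth 3, while everyone is beyond the limit in both directions. A membership that depends on deeper nesting is therefore not granted, which is worth knowing when a desktop assignment is made to a group high in a nested hierarchy.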

4.14.4. LDAP Cache

To improve performance and reduce the load on the user directory, the user and group entries retrieved by Oracle VDI are cached. Entries in the LDAP cache time out after 10 minutes.

It is currently not possible to change the LDAP cache timeout or to flush the cache.
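The following Python example, added here and not part of Oracle VDI, models a read-through entry cache with the 10 minute time-to-live stated above and uses an injectable clock to show the consequence for access decisions: a group membership removed in the directory is still reported by the cached entry until the entry expires. The directory content and DNs are constructed.

```python
# Added example, not Oracle VDI code. Directory content is constructed.
import time

CACHE_TTL_SECONDS = 10 * 60  # the timeout stated in the section


class LdapEntryCache:
    """Read-through cache keyed by DN with a fixed time-to-live and no flush.
    The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # dn -> (fetched_at, attributes)

    def lookup(self, dn, fetch):
        """Return the cached entry for dn; fetch(dn) is called only on a miss or after expiry."""
        now = self.clock()
        hit = self._entries.get(dn)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        entry = fetch(dn)
        self._entries[dn] = (now, entry)
        return entry


def stale_membership_window(ttl=CACHE_TTL_SECONDS):
    """Remove a user from a group in the directory and read the membership through
    the cache before, just before and at expiry. Returns the three memberOf values."""
    user_dn = "cn=alice,ou=people,dc=example,dc=com"
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    directory = {user_dn: {"memberOf": [admins]}}
    now = [0.0]  # simulated clock, in seconds
    cache = LdapEntryCache(ttl=ttl, clock=lambda: now[0])

    def fetch(dn):
        return dict(directory[dn])  # copy, as a directory read returns fresh data

    before = cache.lookup(user_dn, fetch)["memberOf"]
    directory[user_dn]["memberOf"] = []          # membership revoked in the directory
    now[0] = ttl - 1
    just_before_expiry = cache.lookup(user_dn, fetch)["memberOf"]
    now[0] = ttl
    at_expiry = cache.lookup(user_dn, fetch)["memberOf"]
    return before, just_before_expiry, at_expiry


if __name__ == "__main__":
    print(stale_membership_window())  # old membership twice, then the empty list
```

Because the cache cannot be flushed, a revoked group membership (and the desktop or pool assignment that depends on it) can remain effective for up to 10 minutes after the directory change; an administrator who needs the change to take effect immediately should also remove the affected assignment directly.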