LDAP query result sorting -> Change the order of AD DCs found in the list


Nick Dakoronias

Hello Forum users,
We have a bank customer using an OEM FileNet (Workflow) application performing
LDAP queries in a Win2k AD schema to retrieve the list of Domain Controllers.

The user authentication for the OEM application (FileNet) is actually carried
out via "Process Engine" and an LDAP query similar to:
ldapsearch -h 172.25.50.165 -d1 -b "cn=System,dc=s1p8,dc=bpm" -D
"cn=PEAdmin,cn=Users,dc=s1p8,dc=bpm" -w filenet -s sub
"objectClass=trustedDomain" > ldapsearchClass.txt

My question actually refers to the sorting/indexing/filtering capabilities of
LDAP query results. The target is to find a way to filter/index/sort these
results, in terms of changing the order of found items (DCs) in the list.
For instance, it would be preferable for the query to give as a result only
domain controllers from the root domain and afterwards from the child. Such
manipulation could prevent failed authentications for registered users due
to -planned or accidental- changes in DC within the AD schema.

According to the MSDN technical article at
http://msdn2.microsoft.com/en-us/library/aa366990.aspx , the usage of the
LDAP_SERVER_SORT_OID control within an extended LDAP search function could
assist in terms of instructing the server to sort the search results (i.e.
the list of Domain Controllers) before returning them to the client application.

I assume this control flag should be integrated within the OEM application code
by the application vendor, but there is not much information or
documentation about how to do that.

Is there another way to change the order of DCs (Domain Controllers) in the
LDAP query results list? How could this be integrated into the application
(FileNet) code?

-----------------------------------------------------------------------------------

P.S:

At this point, I can recall some basic index filters in the LDAP server, as
listed in RFC 2254 at http://www.rfc-editor.org/rfc/rfc2254.txt , such
as: index default eq, index cn eq,sub, index sn eq,sub,approx, index
uidNumber, but I am wondering if they could be used at all...

Any advice will be much appreciated.

Regards, Nick.
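To make the MSDN reference above concrete, here is an added example (not from the original post, not from FileNet, and not from any vendor) that builds the value of the server-side sort control as a client library would send it next to its OID. It assumes the documented OID value 1.2.840.113556.1.4.473 and the SortKeyList syntax from RFC 2891; the example uses only the Python standard library.

```python
"""Build the value of the LDAP server-side sort control (RFC 2891), which AD
exposes as LDAP_SERVER_SORT_OID.  The value is a BER-encoded SortKeyList:

    SortKeyList ::= SEQUENCE OF SEQUENCE {
        attributeType   AttributeDescription,          -- OCTET STRING
        orderingRule    [0] MatchingRuleId OPTIONAL,   -- context tag 0
        reverseOrder    [1] BOOLEAN DEFAULT FALSE }    -- context tag 1

Assumed (well-known) OID; the bytes returned are what an LDAP client hands to
its "add control" API together with the OID and criticality flag.
"""

SORT_CONTROL_OID = "1.2.840.113556.1.4.473"  # LDAP_SERVER_SORT_OID


def _ber_len(n: int) -> bytes:
    # Definite-length encoding: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    # Tag, length, value triplet.
    return bytes([tag]) + _ber_len(len(content)) + content


def sort_key_list(keys) -> bytes:
    """keys: iterable of (attribute, ordering_rule_or_None, reverse_bool)."""
    seq = b""
    for attr, rule, reverse in keys:
        key = _tlv(0x04, attr.encode("utf-8"))      # attributeType (OCTET STRING)
        if rule:
            key += _tlv(0x80, rule.encode("utf-8"))  # [0] orderingRule
        if reverse:
            key += _tlv(0x81, b"\xff")               # [1] reverseOrder TRUE
        seq += _tlv(0x30, key)                       # one SEQUENCE per sort key
    return _tlv(0x30, seq)                           # outer SEQUENCE OF


def sort_control(keys, critical=True):
    """Return (oid, criticality, value), the triple most LDAP APIs accept."""
    return SORT_CONTROL_OID, critical, sort_key_list(keys)


if __name__ == "__main__":
    oid, crit, value = sort_control([("cn", None, False)])
    print(oid, crit, value.hex())  # 1.2.840.113556.1.4.473 True 300630040402636e
```

The control only changes the order in which the server returns entries; if the first DC in the list is down, the client still has to continue to the next entry itself, so the ordering is a complement to, not a replacement for, failover logic in the application.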

Paul Bergson [MVP-DS]

You could do a DNS lookup of the root site:

_tcp.Default-Site._sites.your_domain.com

Jorge Pinto has an excellent set of articles on the DC locator service:
http://blogs.dirteam.com/blogs/jorg...r-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx
http://blogs.dirteam.com/blogs/jorg...r-process-in-w2k-w2k3-r2-and-w2k8-part-2.aspx
http://blogs.dirteam.com/blogs/jorg...r-process-in-w2k-w2k3-r2-and-w2k8-part-3.aspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Nick Dakoronias

Dear Paul,
First of all, many thanks for your response.
FYI, the root of the problem has been identified as a software defect in the
authentication mechanism of the Process Engine component of the FileNet OEM
application.
As you may realize, your (and anyone else's) advice will assist us to overcome
the Process Engine problem with user authentication failure if the first DC
in the list is unavailable (down). The outcome of our discussions with FileNet
and the application developers is to find a way to "integrate" a command or
script into the code stream that will edit/change the order of Domain
Controllers (DCs) in the LDAP query result list.

So, considering that my knowledge about LDAP is more theoretical than
practical, I would appreciate it if you could advise on the proper LDAP
command/filter that could be used for the scope above.

My appreciation in advance for your effort and support.
Regards, Nick.