I have this code which will return a result correctly
<cfldap server="ad.domain.com"
        action="query"
        name="qryResults"
        start="DC=ad,DC=domain,DC=com"
        filter="mail=#form.searchterm#"
        username="#application.ldapUsername#"
        password="#application.ldapPassword#"
        attributes="cn,sn,givenName,mail,st,l,ou,sAMAccountName"
/>
but this will not:
<cfldap server="ad.domain.com"
        action="query"
        name="qryResults"
        start="DC=ad,DC=domain,DC=com"
        filter="SN=#form.searchterm#"
        username="#application.ldapUsername#"
        password="#application.ldapPassword#"
        attributes="cn,sn,givenName,mail,st,l,ou,sAMAccountName"
/>
What am I missing so I can search by the Active Directory SN attribute?
Bonus points for how to search Active Directory when the first and last name are known:
<cfldap server="ad.domain.com"
        action="query"
        name="qryResults"
        start="DC=ad,DC=domain,DC=com"
        filter="givenname=#form.givenname#;SN=#form.searchterm#"
        username="#application.ldapUsername#"
        password="#application.ldapPassword#"
        attributes="cn,sn,givenName,mail,st,l,ou,sAMAccountName"
/>
src: http://www.rlmueller.net/AmbiguousNameResolution.htm
Where "|" is the "OR" operator and "*" is the wildcard character. Better yet, suppose you know the person's name is "Jim Smith". You can use the filter:
(anr=Jim Smith)
Now Active Directory will search for objects where any of the naming attributes matches "Jim Smith*", plus any objects where (givenName=Jim*) and (sn=Smith*), plus any objects where (givenName=Smith*) and (sn=Jim*). The algorithm considers only the first space in the string when breaking it up into two values. For example the filter:
(anr=Jim Smith Williams)
This will query for objects where any of the naming attributes matches "Jim Smith Williams*", plus objects where (givenName=Jim*) and (sn=Smith Williams*), or where (givenName=Smith Williams*) and (sn=Jim*).
When the anr syntax is applied, it does exactly what I need and I don't have to do any fancy parsing of the user data (e.g. looping over spaces in the name, searching for an @ sign, etc).
UPDATE: Ambiguous Name Resolution (ANR) is an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause. It can be used to locate objects in Active Directory when you know something about the name of the object, but not necessarily which naming attribute has the information. While ANR is usually used to locate user objects, it can be used to find any class of object in Active Directory. SOURCE: https://social.technet.microsoft.com/wiki/contents/articles/22653.active-directory-ambiguous-name-resolution.aspx
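As an added example (not part of the question or the answer above, and not ColdFusion code), the following Python builds the two filters this thread is about: the "first and last name are known" case from the question, where the LDAP conjunction is written `(&(givenName=...)(sn=...))` rather than with a `;` separator, and the `(anr=...)` form from the answer. It also emulates the ANR expansion the quoted text describes (prefix match on each naming attribute, plus the two givenName/sn splits on the first space only) so you can see which LDAP filter a given search term turns into. Every value that comes from the user, such as `form.searchterm`, is escaped per RFC 4515 before it is placed in the filter, so a term containing `(`, `)`, `*` or `\` is matched literally instead of changing the filter's structure; the same escaping applies to the `#form.searchterm#` interpolation in the `<cfldap>` tags. The list of naming attributes is an illustrative subset chosen here, not the full set Active Directory uses.

```python
# Added example: LDAP filter construction for the cfldap searches discussed above.
# Not from the original post; the DEFAULT_NAMING_ATTRIBUTES tuple is an assumed,
# illustrative subset of Active Directory's ANR attribute set.

# RFC 4515 escapes for characters that have special meaning inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed subset of naming attributes, used only to show the expansion shape.
DEFAULT_NAMING_ATTRIBUTES = ("displayName", "givenName", "sn", "sAMAccountName")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is treated as a literal filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value) with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*clauses: str) -> str:
    """LDAP conjunction: (&(clause1)(clause2)...)."""
    return "(&" + "".join(clauses) + ")"


def or_filter(*clauses: str) -> str:
    """LDAP disjunction: (|(clause1)(clause2)...)."""
    return "(|" + "".join(clauses) + ")"


def name_filter(given_name: str, surname: str) -> str:
    """The 'first and last name are known' case: both attributes must match."""
    return and_filter(
        equality_filter("givenName", given_name),
        equality_filter("sn", surname),
    )


def anr_filter(term: str) -> str:
    """The (anr=term) filter; AD does the expansion server-side."""
    return equality_filter("anr", term)


def anr_expansion(term: str, naming_attributes=DEFAULT_NAMING_ATTRIBUTES) -> str:
    """Emulate how AD expands (anr=term), as described in the quoted text.

    Each naming attribute is prefix-matched against the whole term; if the term
    contains a space it is split at the FIRST space only, and both
    (givenName=a*)(sn=b*) and (givenName=b*)(sn=a*) are added.
    """
    term = term.strip()
    whole = escape_filter_value(term) + "*"  # escape first, then append the wildcard
    clauses = [f"({attr}={whole})" for attr in naming_attributes]
    if " " in term:
        first, rest = term.split(" ", 1)
        first_prefix = escape_filter_value(first) + "*"
        rest_prefix = escape_filter_value(rest) + "*"
        clauses.append(and_filter(f"(givenName={first_prefix})", f"(sn={rest_prefix})"))
        clauses.append(and_filter(f"(givenName={rest_prefix})", f"(sn={first_prefix})"))
    return or_filter(*clauses)


if __name__ == "__main__":
    # Constructed sample search terms, including one with filter metacharacters.
    for term in ("Jim Smith", "Jim Smith Williams", "Jim (Smith)*"):
        print(anr_filter(term))
        print("  expands to:", anr_expansion(term, ("givenName", "sn")))
    print(name_filter("Jim", "Smith"))
```

The escaped output is what should reach `<cfldap filter="...">`; in ColdFusion the same character-by-character replacement can be done with a small function applied to `form.searchterm` before interpolation.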