Matching query fails to match corresponding user in Active Directory

  • 3027791
  • 08-Aug-2007
  • 26-Apr-2012

Environment
Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager Driver - Active Directory
Microsoft Windows 2003 Server - Enterprise Edition

Situation

A query sent to Active Directory to look up an existing user may fail for no obvious reason: no error is returned, but the expected user is not retrieved.
If the same search filter is used with ldapsearch, the search returns the desired object successfully.

The object in Active Directory was created with an object type of "InetOrgPerson" instead of "User".

Resolution

This behavior is working as designed. The class specified in the driver query is interpreted as the object's "base class" (in eDirectory terminology) or object type (in Active Directory terms); it is not compared against every value of the multi-valued objectClass attribute, which is what an LDAP filter does.

InetOrgPerson is a class that Active Directory added with Windows Server 2003. It inherits from User, so every InetOrgPerson object carries User as one of the values of its objectClass attribute. An LDAP search with the filter (objectClass=User) evaluates every value of objectClass, and because User is among the superclasses listed there, the object is returned. The driver query, which compares only the object's base class, does not match it.

If all users being created and synchronized will be of class InetOrgPerson, you can simply map the eDirectory User class to the Active Directory class InetOrgPerson in the driver's schema mapping policy.
If both classes will be used, the situation needs to be handled in Policy Builder so that each case (an object of class User and an object of class InetOrgPerson) is queried for correctly.
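The following Python model is an added illustration of the two matching behaviours contrasted above and of the two fixes; it is not code from this TID, from Novell, or from the Active Directory driver. The directory entries are constructed sample data, the schema maps are illustrative (the real driver's schema mapping policy is configured per deployment), the structural class is taken to be the last objectClass value (Active Directory lists the inheritance chain with the most-derived class last), and the "either class" function only models the lookup logic a Policy Builder rule would have to implement, not DirXML-Script syntax.

```python
# Added example: models why (objectClass=User) in ldapsearch matches an
# InetOrgPerson while a class-based driver query does not, and how the
# schema-mapping and "handle both classes" fixes behave.
from typing import Any, Callable, Dict, List

Entry = Dict[str, Any]

ALICE_DN = "CN=Alice,CN=Users,DC=example,DC=com"
BOB_DN = "CN=Bob,CN=Users,DC=example,DC=com"

# Constructed sample directory (not a real AD dump): one plain User,
# one InetOrgPerson, one group. objectClass holds the full inheritance
# chain; the structural class is the last value.
DIRECTORY: List[Entry] = [
    {"dn": ALICE_DN,
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "alice"},
    {"dn": BOB_DN,
     "objectClass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"],
     "sAMAccountName": "bob"},
    {"dn": "CN=Staff,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "group"],
     "sAMAccountName": "staff"},
]

# Illustrative eDirectory -> AD class maps (assumption, not the shipped policy).
DEFAULT_SCHEMA_MAP = {"User": "user", "Group": "group"}
INETORGPERSON_SCHEMA_MAP = {"User": "inetOrgPerson", "Group": "group"}


def ldap_filter_match(entry: Entry, class_name: str) -> bool:
    """(objectClass=<class_name>) semantics: the assertion value is compared,
    case-insensitively, with EVERY value of the multi-valued attribute."""
    return any(v.lower() == class_name.lower() for v in entry["objectClass"])


def structural_class(entry: Entry) -> str:
    """The object's base (structural) class: modelled as the most-derived
    objectClass value, which AD lists last."""
    return entry["objectClass"][-1]


def driver_class_match(entry: Entry, edir_class: str,
                       schema_map: Dict[str, str] = DEFAULT_SCHEMA_MAP) -> bool:
    """Model of the driver query as the TID describes it: the eDirectory class
    is translated through the schema map and compared with the object's
    structural class only, not with every objectClass value."""
    ad_class = schema_map.get(edir_class, edir_class)
    return structural_class(entry).lower() == ad_class.lower()


def search(directory: List[Entry], account: str,
           class_match: Callable[[Entry], bool]) -> List[str]:
    """Return the DNs whose sAMAccountName matches and whose class passes."""
    return [e["dn"] for e in directory
            if e.get("sAMAccountName") == account and class_match(e)]


def ldapsearch_user(account: str) -> List[str]:
    """Equivalent of: ldapsearch '(&(objectClass=user)(sAMAccountName=<account>))'"""
    return search(DIRECTORY, account, lambda e: ldap_filter_match(e, "user"))


def driver_query_user(account: str,
                      schema_map: Dict[str, str] = DEFAULT_SCHEMA_MAP) -> List[str]:
    """Model of the driver querying AD for an eDirectory 'User'."""
    return search(DIRECTORY, account,
                  lambda e: driver_class_match(e, "User", schema_map))


def driver_query_user_either_class(account: str) -> List[str]:
    """Logic a Policy Builder rule must implement when both classes are in
    use: query as 'user' first, then retry as 'inetOrgPerson'."""
    found = driver_query_user(account, DEFAULT_SCHEMA_MAP)
    return found or driver_query_user(account, INETORGPERSON_SCHEMA_MAP)


if __name__ == "__main__":
    print("ldapsearch bob        :", ldapsearch_user("bob"))
    print("driver bob, default   :", driver_query_user("bob"))
    print("driver bob, mapped    :", driver_query_user("bob", INETORGPERSON_SCHEMA_MAP))
    print("driver alice, mapped  :", driver_query_user("alice", INETORGPERSON_SCHEMA_MAP))
    print("driver either class   :",
          {a: driver_query_user_either_class(a) for a in ("alice", "bob", "staff")})
```

Running the block shows the symptom (ldapsearch finds bob, the default driver query does not), the first fix (mapping User to inetOrgPerson finds bob but then loses the plain User alice), and why a mixed environment needs the two-step lookup that a Policy Builder rule would provide.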