IDM 3.0.1 Notes Driver Workaround Rule

  • 3275754
  • 11-Apr-2007
  • 26-Apr-2012

Environment

Novell Identity Manager Driver - Lotus Notes Driver

Situation

By default, the NotesDriverShim no longer handles asterisks (*) as wild cards within query documents when searching for classes or attribute values.
The NotesDriverShim v2.2.3 implemented a fix for defect 147750 that causes all search strings to be handled literally, so search strings containing special characters no longer have to be 'escaped' according to the rules of the Lotus Script formula language @Matches function. This fix does not allow the asterisk character to pass through to Domino by default.

An unfortunate side effect of the 147750 fix appears when users select the Notes Driver's "Migrate into Identity Vault" button (wizard) and fill in the prompts to migrate all Notes users with a Surname of "A*" (for example) into eDirectory: the initial query fails because "A*" is interpreted literally instead of as a search for all Surnames that start with the letter 'A'.

The asterisk is no longer considered a wild card because the search-attr value is automatically converted from 'A*' to 'A\\*' before it is submitted to the db.search( @Matches ) function.

Resolution

Inasmuch as the asterisk character seems to be somewhat of a universal wild card character, at least for Domino and LDAP, it seems fitting that this character be allowed by default to pass through to the Domino system.

Lotus Script formula language allows for the following special characters when using the @Matches function/command: '\', '?', '*', '&', '!', '|', '+', '{', '}', and the double quote character '"' must also be handled as a special case so that passed strings are not inappropriately truncated.
A problem occurs when any of these characters occur within the text that is sought within a string. For example, if you want to search for a company name of "Johnson & Johnson" in a particular field, then the '&' symbol needs to be escaped when using the @Matches function (the @Matches function is utilized by the NotesDriverShim query processor to satisfy db.search() requests). So the query string would need to be passed as "Johnson \\& Johnson". Understanding this set of special characters and how to appropriately escape queries issued to a Domino System is somewhat unintuitive when considering IDM queries can be issued from locations far removed from a Notes Client, such as IDM's "Migrate into Identity Vault" wizard.

As such, with IDM 3.0.1, the NotesDriverShim (v2.2.3) query processor was adjusted (defect #147750) in an attempt to accommodate all these special characters during searches in a 'literal' fashion (by appropriately escaping them automatically). This was done at the request of Notes Driver users experiencing 'empty' query results when their searches included these special characters. The ability for the NotesDriverShim to detect and utilize an XML match-syntax attribute was also added for obvious backward compatibility reasons needed by the NotesDriverShim.

After a cursory look at the LDAP filter specification, we believe only an asterisk '*' can be used as a special wild card character for an LDAP search. As such, and due to its universal nature, we believe the asterisk should probably be allowed to pass through the NotesDriverShim as a wild card character.

Currently, the workaround option for the problem would be to insert a policy in the Output Transformation policy chain that inserts the 'match-syntax="true"' attribute when search-attr values contain asterisks (*).

Example

Allow search-class asterisk wild card
query-ex
query
op="true">search-class[contains(@class-name,'*')]
true
Allow all search-attr value asterisk wild cards
query-ex
query
contains(search-attr/value,'*')
expression="search-attr/value[contains(.,'*')]" name="match-syntax">
true
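
The following Python model is an added illustration, not Novell's shim or policy code: it escapes the @Matches special characters listed above in the way the defect 147750 fix is described, then applies the same test as the second rule (flag each search-attr/value containing '*' with match-syntax="true") to a constructed query document. It assumes a value flagged match-syntax="true" reaches @Matches unescaped; the function names and the sample document are hypothetical.

```python
import xml.etree.ElementTree as ET

# @Matches special characters listed on this page, including the double quote.
MATCHES_SPECIALS = set('\\?*&!|+{}"')

# Constructed sample query document (not taken from a real driver trace).
SAMPLE = """<nds><input>
<query class-name="User" scope="subtree">
  <search-class class-name="User"/>
  <search-attr attr-name="Surname"><value>A*</value></search-attr>
  <search-attr attr-name="Company"><value>Johnson &amp; Johnson</value></search-attr>
</query></input></nds>"""


def escape_literal(value):
    # Prefix each special character with a doubled backslash, the form the
    # page shows for escaped search strings.
    return "".join("\\\\" + ch if ch in MATCHES_SPECIALS else ch for ch in value)


def shim_pattern(value_elem):
    # Assumed shim behaviour: a flagged value passes through as @Matches
    # syntax; every other value is escaped and searched literally.
    text = value_elem.text or ""
    if value_elem.get("match-syntax") == "true":
        return text
    return escape_literal(text)


def apply_workaround(doc):
    # Same test as the second rule: in query and query-ex operations, flag
    # each search-attr/value that contains an asterisk.
    for op in doc.iter():
        if op.tag in ("query", "query-ex"):
            for value in op.findall("search-attr/value"):
                if "*" in (value.text or ""):
                    value.set("match-syntax", "true")
    return doc


def patterns(xml_text, workaround):
    # Patterns that would be handed to @Matches, in document order.
    doc = ET.fromstring(xml_text)
    if workaround:
        apply_workaround(doc)
    return [shim_pattern(v) for v in doc.iter("value")]


if __name__ == "__main__":
    print("default:   ", patterns(SAMPLE, workaround=False))
    print("workaround:", patterns(SAMPLE, workaround=True))
```

Under that assumption a flagged value passes through whole, so any other special character in the same value (for example "Johnson & J*") also reaches @Matches unescaped and has to be escaped by whoever builds the query.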