Vivek Agarwal’s Portal/Java Blog

An IBM Gold Consultant’s weblog about IBM, Lotus, WebSphere, J2EE, IT Processes, and other IT technologies

User search filter for Active Directory user repository in WebSphere Portal

Posted by Vivek Agarwal on June 26, 2008

This is a very trivial entry for most people in the know, but not so trivial for others. If you are configuring WebSphere Portal to use either Active Directory or Active Directory Application Mode (ADAM) as the LDAP user registry, then it is critical to set up the user search filter correctly or else you are going to run into issues with users not being able to authenticate. We have a client for whom we are using ADAM wherein ADAM is used for the Portal LDAP and it syncs up with Active Directory. Well, my portal administrator who is working on that project ran into a problem with Portal users not being able to authenticate successfully.

This issue occurred for all users except for the initial test user, who happened to have his cn set to the same value as his sAMAccountName. I took a look into the issue and very quickly it was apparent where the problem lay. Essentially, the LDAPUserFilter in was set to (&(cn=%v)(objectclass=user)) as is recommended for ADAM in the Info Center. However, what this implies is that users must specify their “common name” instead of their sAMAccountName to log in, which is obviously not a good scenario. Instead, the LDAPUserFilter in should be set to (&(|(cn=%v)(samAccountName=%v))(objectclass=user)) to allow users to log in using their sAMAccountName or their common name. This is correctly suggested as the user search filter for Active Directory in the InfoCenter.
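The difference between the two filters can be checked offline. The following is an added example, not code from this post or from WebSphere: a small evaluator for the filter subset used above (&, |, attr=value), run against two constructed directory entries. The entry DNs, helper names and the RFC 4515 escaping of the typed login are assumptions of the example.

```python
import re

# Constructed sample entries (not from the post). Names and values are stored
# lowercased because AD matches cn and sAMAccountName case-insensitively.
USER_CLASSES = ["top", "person", "organizationalperson", "user"]
DIRECTORY = {
    "CN=testuser,OU=People,DC=example,DC=com":
        {"cn": ["testuser"], "samaccountname": ["testuser"], "objectclass": USER_CLASSES},
    "CN=Jane Doe,OU=People,DC=example,DC=com":
        {"cn": ["jane doe"], "samaccountname": ["jdoe"], "objectclass": USER_CLASSES},
}
CN_ONLY = "(&(cn=%v)(objectclass=user))"                          # filter that failed
CN_OR_SAM = "(&(|(cn=%v)(samAccountName=%v))(objectclass=user))"  # corrected filter

def escape_value(value):
    """RFC 4515 escaping, so the typed login is always treated as a literal."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(flt, pos=0):
    """Parse one parenthesised filter (subset: &, |, attr=value)."""
    if flt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if flt[pos] in "&|":
        op, children, pos = flt[pos], [], pos + 1
        while flt[pos] == "(":
            child, pos = parse(flt, pos)
            children.append(child)
        if flt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = flt.index(")", pos)
    attr, _, raw = flt[pos:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """True if the entry satisfies the parsed filter node."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    return node[2] in entry.get(node[1], [])

def find_users(template, login, directory=DIRECTORY):
    """Substitute the login for every %v and return the DNs that match."""
    node, _ = parse(template.replace("%v", escape_value(login)))
    return [dn for dn, entry in directory.items() if matches(node, entry)]
```

With the cn-only filter, only the test user (whose cn equals his sAMAccountName) is found by account name; with the corrected filter, "jdoe" and "Jane Doe" both resolve to the same entry.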

10 Responses to “User search filter for Active Directory user repository in WebSphere Portal”

  1. I’m having the same issue, but my filter is as you recommend. I have checked wmm.xml and security.xml and everything seems fine. Do you have any idea what could be other causes for this?

  2. Jose Badeau said

    I have a question about the group filter.

    I have configured WPS to authenticate with SUN LDAP. I used the GUI wizard to configure security and everything works fine. However, I would like it that users must log in using their email rather than their uid. I edited the following properties in the file:


    My question is: I want that users can only log in with their email but that WCM or any other portal LDAP authentication can use the mail or the uid attributes. How can I configure this?

    Would the user filter look something like this?


  3. Daniel Alves said


    I am trying to configure Lotus Quickr 8.5 for WebSphere to use the Active Directory 2008. If I do it without the search filters, it works, but I cannot log in with the sAMAccountName. And if I use this filter: (&(|(cn=%v)(samAccountName=%v))(objectclass=user)) then the wizard finishes with errors and I cannot log in with any login.

    I did an ldapsearch using LDAP Browser with this filter and it didn’t bring back either the containers or the OUs where the people who will log on to Quickr are. Then I did it again using this filter: (|(|(cn=*)(ou=*)(sAMAccountName=*))(objectclass=users)) and the LDAP Browser showed the information, but when I ran the wizard I got no errors, yet I still can’t log in with my sAMAccountName.

    Before, I used the first filter in a Lotus Quickr 8 deployment using an Active Directory 2003 and it works perfectly.

    Can you help, please? Do you know what could be happening?

    Thanks in advance

    Daniel Alves

  4. lll said


  5. See my blog for general information on LDAP, as well as specifics regarding search requests and filters.

  6. You’re so awesome! I do not suppose I’ve read anything like
    this before. So great to discover somebody with a few genuine thoughts on this
    issue. Really.. thank you for starting this up.
    This site is one thing that is required on the internet,
    someone with a little originality! Check out my website to get more info about car insurance in California, if you

  7. womens shoes said

    It’s really very difficult in this busy life to listen to news on TV, so I only use the web for that reason, and obtain the latest information.

  8. My developer is trying to persuade me to move
    to .net from PHP. I have always disliked the idea
    because of the expenses. But he’s trying none the less. I’ve been using Movable-type on various websites for about a year and am nervous about switching to
    another platform. I have heard good things about blogengine.net.
    Is there a way I can transfer all my wordpress content into it?
    Any kind of help would be greatly appreciated!

  9. This is very interesting, You are an overly professional blogger. I have joined your feed and look forward to in quest of more of your wonderful post. Additionally, I’ve shared your website in my social networks

  10. Melvin said

    Hello just wanted to give you a quick heads up.

    The text in your content seems to be running off the
    screen in Safari. I’m not sure if this is a format issue or something to do with internet browser compatibility but I figured I’d post to let you
    know. The design looks great though! Hope you get the problem fixed soon.
