# Customizing the Search Filter for LDAP Authentication

## Prerequisites

* Helm version 3 is installed on your system.
* The Kubernetes command line tool kubectl is configured and has access to the target installation.
* You know the name and namespace of your Connectware installation. See [Obtaining the name, namespace, and version of your Connectware installation](https://docs.cybus.io/2-0-2/documentation/connectware-helm-chart#obtaining-the-name-namespace-and-version-of-your-connectware-installation).
* The `values.yaml` file is available.
* [LDAP authentication configured](https://docs.cybus.io/2-0-2/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication).

## Customizing the Search Filter for LDAP Authentication

There are scenarios where it is useful to extend the default search filter of Connectware. For example:

* Your users are not uniquely identifiable by their username, for example when there are users with the same RDN within the search base of your LDAP configuration.
* You have to specify a very large search base because your accounts are spread across the DIT, and filtering may make the search more efficient.

The filter used by Connectware is `(<userRdn>=<username>)`, where `userRdn` is defined as an environment variable in your `values.yaml` and `username` is the name the user enters during login.

Any extension will result in a filter of the following format:

{% code lineNumbers="true" %}

```text
(&(<userRdn>=<username>)(<your extension>))
```

{% endcode %}

Info: You can test the filter by running `ldapsearch` in your terminal (this may require additional packages to be installed).

**Example**

{% code lineNumbers="true" %}

```bash
ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=User 1)(objectclass=iNetOrgPerson))"
```

{% endcode %}

**Example**

In the following example, we have two entries with an RDN `cn=a.smith`.

{% code lineNumbers="true" %}

```text
dc=example,dc=org
├ cn=customers
│  └ cn=a.smith
└ cn=employees
   └ cn=a.smith
```

{% endcode %}

Both users are named a.smith, but they are different entries. In a case like this you will use `cn=employees,dc=example,dc=org` as the search base, and this will not be a problem. But let's use `dc=example,dc=org` in order to create a simple example case for the filter extension.

We want to modify the filter in order to search only for entries that have `cn=employees` in their DN.

The search command to test on the terminal for the employee `a.smith` looks like this:

{% code lineNumbers="true" %}

```bash
ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=a.smith)(cn:dn:=employees))"
```

{% endcode %}

To modify Connectware, we only add the extension itself (`cn:dn:=employees`) to the configuration:

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      existingBindSecret: my-ldap-user
      searchBase: CN=Users,DC=company,DC=tld
      searchFilter: cn:dn:=employees
      userRdn: cn
      url: ldap://my-dc.company.tld:389
```

{% endcode %}

Important: Be aware that no surrounding brackets are used for the additional expression. Brackets within your expression can be used, e.g. `&(objectClass=iNetOrgPerson)(cn:dn:=employees)`.
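
The filter composition and the bracket rule described above, as an added example that is not Connectware's own code: it builds the string to pass to `ldapsearch` from `userRdn`, the login name and the `searchFilter` extension, and rejects an extension that is wrapped in brackets or unbalanced. The function names are hypothetical, and escaping the login name per RFC 4515 is an assumption about safe composition, not something this page states about Connectware.

```python
# Added illustration, not Connectware code: compose the filter described on
# this page so it can be pasted into ldapsearch for testing.
from typing import Optional

# RFC 4515 escapes for characters that have meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a user-entered value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_extension(extension: str) -> str:
    """Validate a searchFilter extension written without surrounding brackets."""
    ext = extension.strip()
    if not ext:
        raise ValueError("extension is empty")
    if ext.startswith("("):
        raise ValueError("remove the surrounding brackets from the extension")
    depth = 0
    for ch in ext:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced brackets in extension")
    if depth != 0:
        raise ValueError("unbalanced brackets in extension")
    return ext


def build_filter(user_rdn: str, username: str, extension: Optional[str] = None) -> str:
    """Return (<userRdn>=<username>) or (&(<userRdn>=<username>)(<extension>))."""
    base = f"({user_rdn}={escape_value(username)})"
    if extension is None:
        return base
    return f"(&{base}({check_extension(extension)}))"


if __name__ == "__main__":
    # Values taken from the example on this page.
    print(build_filter("cn", "a.smith", "cn:dn:=employees"))
    # Constructed login name containing filter metacharacters.
    print(build_filter("cn", "a.smith)(cn=*", "cn:dn:=employees"))
```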

**Related Links**

* [Single Sign-On with LDAP](https://docs.cybus.io/2-0-2/documentation/user-management/single-sign-on-sso/single-sign-on-with-ldap)
* [Configuring Connectware to use LDAP authentication](https://docs.cybus.io/2-0-2/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication)
