Oracle VDI uses various LDAP filters and attribute lists to look up and interpret the data stored in a user directory.
This section explains how the LDAP filters and attributes are used by Oracle VDI to perform the different searches in the user directory necessary for each task.
See Section C.1, “How to Edit LDAP Filters and Attributes” for details about how to edit those filters.
You can use the administration tools (Oracle VDI Manager or the CLI) to search for users and groups, in order to assign them to desktops or pools.
The search logic works as follows:
Users are searched first. The filter used to search for users is the logical AND of the two user filter settings:
(&<ldap.user.object.filter><ldap.user.search.filter>)
where each name stands for the value of that setting. The $SEARCH_STRING placeholder in the search filter is replaced by *criteria*, where criteria is the string typed in the Oracle VDI Manager search field. If the criteria string already contains a wildcard "*", then the $SEARCH_STRING placeholder is simply replaced by criteria, unchanged.
Groups are then searched in the same way. The filter used to search for groups is the logical AND of the two group filter settings:
(&<ldap.group.object.filter><ldap.group.search.filter>)
where each name stands for the value of that setting. The $SEARCH_STRING placeholder in the search filter is replaced by *criteria*, where criteria is the string typed in the Oracle VDI Manager search field. If the criteria string already contains a wildcard "*", then the $SEARCH_STRING placeholder is simply replaced by criteria, unchanged.
If the global setting ldap.search.wildcard is set to disabled, the $SEARCH_STRING placeholder is replaced by criteria without the surrounding wildcards, for both the user and the group search. This restricts the returned results to entries that strictly match the typed string, but it is useful with very large and distributed user directories where a wildcard search takes too long to return.
Wildcards are added by default, because the default value of ldap.search.wildcard is enabled.
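The following is an added example of the filter construction described above; it is not Oracle VDI code. The setting values are constructed stand-ins, not Oracle VDI defaults, and the escape_criteria step is an assumption: the page does not say whether Oracle VDI escapes the typed string before substituting it, so the example escapes the filter metacharacters "(", ")", "\" and NUL per RFC 4515 while deliberately leaving "*" alone, because the text says a user-typed wildcard is honoured.

```python
"""Build the Oracle VDI-style user and group search filters for a typed search string.

Added example, not Oracle VDI code. Setting values below are constructed for
illustration and are not the product defaults.
"""

PLACEHOLDER = "$SEARCH_STRING"

# Constructed values standing in for the named settings.
SETTINGS = {
    "ldap.user.object.filter": "(objectClass=person)",
    "ldap.user.search.filter": "(|(cn=$SEARCH_STRING)(uid=$SEARCH_STRING))",
    "ldap.group.object.filter": "(objectClass=groupOfNames)",
    "ldap.group.search.filter": "(cn=$SEARCH_STRING)",
    "ldap.search.wildcard": "enabled",   # default per the text; "disabled" turns wrapping off
}


def escape_criteria(criteria: str) -> str:
    """RFC 4515 escaping of the characters that would change the filter structure.

    Assumption: the page does not state whether Oracle VDI escapes the typed string.
    '*' is intentionally not escaped, since the text says a typed wildcard is kept.
    """
    out = []
    for ch in criteria:
        if ch in "()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_search_string(criteria: str, wildcard_setting: str) -> str:
    """Apply the substitution rule: wrap in '*' unless the string already has one
    or ldap.search.wildcard is disabled."""
    term = escape_criteria(criteria)
    if "*" in term or wildcard_setting.lower() == "disabled":
        return term
    return f"*{term}*"


def build_filter(object_filter: str, search_filter: str, criteria: str, wildcard_setting: str) -> str:
    """AND the object filter with the search filter after placeholder substitution."""
    term = expand_search_string(criteria, wildcard_setting)
    return "(&" + object_filter + search_filter.replace(PLACEHOLDER, term) + ")"


def build_search_filters(criteria: str, settings: dict = SETTINGS) -> tuple:
    """Return (user_filter, group_filter) for one typed search string."""
    wildcard = settings["ldap.search.wildcard"]
    user_filter = build_filter(settings["ldap.user.object.filter"],
                               settings["ldap.user.search.filter"], criteria, wildcard)
    group_filter = build_filter(settings["ldap.group.object.filter"],
                                settings["ldap.group.search.filter"], criteria, wildcard)
    return user_filter, group_filter


if __name__ == "__main__":
    for typed in ("smith", "smi*", "x)(objectClass=*"):
        print(typed, "->", build_search_filters(typed))
    strict = dict(SETTINGS, **{"ldap.search.wildcard": "disabled"})
    print("smith (wildcard disabled) ->", build_search_filters("smith", strict))
```

The third sample input shows why the escaping step matters: without it the typed string would close the cn clause early and widen the search to every object; with it the parentheses become \29 and \28 and the string is matched literally, while the "*" the user typed still suppresses the automatic wrapping.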
When requesting a desktop for a user, Oracle VDI first needs to find the user DN that matches the user ID before resolving the pool and desktop assignments for the user DN. If client authentication is enabled, then the user ID attribute is also used for authentication.
The attributes used to match the user ID are defined in ldap.userid.attributes.
Group membership is resolved using the attributes defined in ldap.user.member.attributes and ldap.group.member.attributes.
Nested group depth is limited to 3.
Oracle VDI also resolves Primary Group membership, which is Active Directory specific. The attributes used for resolving primary group membership are defined in ldap.group.short.attributes and ldap.user.member.attributes.
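The following is an added example of the membership resolution described above, with the nesting limit of 3 applied; it is not Oracle VDI code. The in-memory directory, the attribute names chosen for the four settings (memberOf, member, primaryGroupToken, primaryGroupID) and the assumption that the primary group is matched by comparing the user's primaryGroupID with a group's primaryGroupToken are all constructed for illustration; the page names only the settings, not their contents.

```python
"""Resolve a user's group memberships the way the text describes: direct membership
from both the user-side and group-side attributes, the Active Directory primary group,
and nested groups up to a depth of 3.

Added example, not Oracle VDI code. Directory contents and attribute choices are
constructed assumptions.
"""

MAX_NESTING = 3  # the text states nested group depth is limited to 3

# Assumed contents of the named settings.
USER_MEMBER_ATTRS = ["memberOf"]           # ldap.user.member.attributes
GROUP_MEMBER_ATTRS = ["member"]            # ldap.group.member.attributes
GROUP_SHORT_ATTRS = ["primaryGroupToken"]  # ldap.group.short.attributes (assumed)
USER_PRIMARY_GROUP_ATTR = "primaryGroupID" # assumed AD attribute holding the primary group's RID

BASE = "dc=example,dc=com"
ALICE = f"cn=alice,ou=users,{BASE}"
DEVS, ENG, STAFF, EVERYONE = (f"cn={n},ou=groups,{BASE}" for n in ("devs", "eng", "staff", "everyone"))
DOMAIN_USERS = f"cn=domain users,ou=groups,{BASE}"

# Constructed directory: alice -> devs -> eng -> staff -> everyone (everyone is at depth 4).
DIRECTORY = {
    ALICE: {"objectClass": ["user"], "memberOf": [DEVS], "primaryGroupID": ["513"]},
    DEVS: {"objectClass": ["group"], "member": [ALICE], "memberOf": [ENG]},
    ENG: {"objectClass": ["group"], "member": [DEVS], "memberOf": [STAFF]},
    STAFF: {"objectClass": ["group"], "member": [ENG], "memberOf": [EVERYONE]},
    EVERYONE: {"objectClass": ["group"], "member": [STAFF]},
    # AD does not list the primary group in memberOf/member; it is found via the RID.
    DOMAIN_USERS: {"objectClass": ["group"], "primaryGroupToken": ["513"]},
}


def is_group(dn: str) -> bool:
    return "group" in DIRECTORY.get(dn, {}).get("objectClass", [])


def direct_parents(dn: str) -> set:
    """Groups that dn belongs to directly, taken from both attribute lists:
    the entry's own member-of attributes and groups whose member attributes name dn."""
    parents = set()
    entry = DIRECTORY.get(dn, {})
    for attr in USER_MEMBER_ATTRS:
        parents.update(entry.get(attr, []))
    for gdn, gentry in DIRECTORY.items():
        if is_group(gdn) and any(dn in gentry.get(attr, []) for attr in GROUP_MEMBER_ATTRS):
            parents.add(gdn)
    return parents


def primary_group(user_dn: str):
    """Active Directory primary group: match the user's primary-group value against
    the group 'short' attributes. Returns the group DN or None."""
    values = set(DIRECTORY.get(user_dn, {}).get(USER_PRIMARY_GROUP_ATTR, []))
    if not values:
        return None
    for gdn, gentry in DIRECTORY.items():
        if is_group(gdn) and any(values & set(gentry.get(a, [])) for a in GROUP_SHORT_ATTRS):
            return gdn
    return None


def resolve_groups(user_dn: str, max_depth: int = MAX_NESTING) -> dict:
    """Breadth-first walk up the group graph. Returns {group_dn: depth}; direct
    groups (and the primary group) are depth 1, and nothing deeper than max_depth
    is returned. Cycles are handled by never revisiting a resolved group."""
    resolved = {}
    frontier = direct_parents(user_dn)
    pg = primary_group(user_dn)
    if pg:
        frontier.add(pg)
    depth = 1
    while frontier and depth <= max_depth:
        next_frontier = set()
        for group_dn in frontier:
            if group_dn in resolved:
                continue
            resolved[group_dn] = depth
            next_frontier |= direct_parents(group_dn)
        frontier = next_frontier - set(resolved)
        depth += 1
    return resolved


if __name__ == "__main__":
    for group_dn, depth in sorted(resolve_groups(ALICE).items(), key=lambda kv: kv[1]):
        print(depth, group_dn)
```

Running it lists devs and domain users at depth 1, eng at depth 2 and staff at depth 3; everyone is not returned even though alice is transitively a member of it, which is the practical effect of the nesting limit when a pool is assigned to a group four levels up.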
In order to improve the performance and reduce the load on the user directory, the user and group entries retrieved by Oracle VDI are cached. Entries in the LDAP cache time out after 10 minutes.
It is not possible, at the moment, to change the LDAP cache timeout, nor to flush the cache.