Develop Reference

Search specific value in specific field with Azure Search

I have my data in Azure Search. In my structure there are a lot of fields and I have to filter or search using two of them.
One is Type defined as Edm.String and the other one is memberOf defined as Collection(Edm.String).
Type has values like private:Text, memberOf has values like my.com/field/F001.
I want apply a filter:
filter=Type:'private:Text' AND memberOf:'my.com/field/F001'
as result I receive all records. I read Microsoft's documentation but I can't find a solution.
In my code I have
SearchParameters sp = new SearchParameters()
{
SearchMode = SearchMode.Any,
Skip = currentPage - 1,
IncludeTotalResultCount = true
};
if (!string.IsNullOrEmpty(searchQuery))
sp.Filter = searchQuery;
DocumentSearchResult<VuSearchData> result =
await client.Documents.SearchAsync<VuSearchData>(searchText, sp);
Thanks.

The syntax for filters is different than for full-text search. Filters use OData syntax. The subset of OData supported by Azure Search is documented here.
The filter you want to execute looks like this in OData syntax:
Type eq 'private:Text' and memberOf/any(m: m eq 'my.com/field/F001')
Note the use of any and a lambda expression since memberOf is a collection field.

Airflow AD/LDAP superuser_filter versus data_profiler_filter

I'm in the process of configuring my Admin access to Airflow but I'm confused about the difference between the superuser_filter and the data_profiler_filter.
If I do not set either of these two values then everyone on my AD/LDAP is able to log into Airflow and view/use all of the Admin features. This is the expected default behavior that's working.
If I only set the superuser_filter then Admin's can view the Admin button but only the Pools, Configuration, Users, Connections, and XComs features appear (Not the Variables feature).
If I only set the data_profiler_filter then Admin's can view the Admin button but only the Variables feature appears.
If I set both the superuser_filter and the data_profiler_filter (to the same admin group value
e.g.,
superuser_filter = memberOf=CN=ADMINTEAM,OU=SvcAccts,DC=us,DC=ae,DC=com
data_profiler_filter = memberOf=CN=ADMINTEAM,OU=SvcAccts,DC=us,DC=ae,DC=com) then no one in my AD/LDAP (including Admins) are able to view the Admin button; I'm wondering if this is because I need two separate distinct groups for these two filter's values and not one group value for both?
Can someone please help me distinguish these two values and how they should be set? Also, to expand on my comment in number four above the documentation uses two different group values for these two filters (airflow-super-user and airflow-data-profilers), does that mean you cannot use the same group value for the two filters? E.g., I have one Airflow Admin group (ADMINTEAM) and I'd like to be able to use it for both values if that's possible but that doesn't seem to work, it seems like it wants two different group values.
Airflow.cfg LDAP Configuration
[ldap]
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectclass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
superuser_filter = memberOf=CN=ADMINTEAM,OU=foo,DC=us,DC=bar,DC=com
data_profiler_filter = memberOf=CN=ADMINTEAM,OU=foo,DC=us,DC=bar,DC=com
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE

ADFS 3.0 Custom attribute in SAML token

I am setting up a relaying party trust (IDP) for an application a SP provides. Problem is that the SP requires a "customer ID" to be prefixed the username. E.g on-prem AD user john#company.com logges on and SP requires 001john#company.com to access the application.
How do i configure ADFS 3.0 to include the "customer id" in SAML token?
Error i receive now is: "The customer Id in the username john#company.com does not match the ones configued for the partner [001].
SP uses IBM FIM as federation solution.
Metadata is set up on both SP and IDP side.
Thanks.

You can append a string e.g.
c:[type == "http://someclaim"]
=> issue(type = "http://anotherclaim", value = "001" + c1.Value );
but there is not enough detail.
Do you always add "001" or does it vary?
Which claim do you want to alter?
Update
Have a normal LDAP rule that takes email and creates http://company.com/Temp1
(The dropdown is editable).
Then:
c:[type == "http://company.com/Temp1"]
=> issue(type = "http://company.com/Temp2", value = "001" + c.Value );
Then use a transform rule to transform http://company.com/Temp2 to NameID with a format of email.

Query AD Group to get Custom Attribute on it

I am trying to get a Custom Attribute of a Group in Custom Claim rule.
The problem is no matter what i do, it always queries against User.
Here is how my Custom Claim Rule looks like:
//Rule to get all the Groups user is part of:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
//Rule to fetch url attribute that is on the Group.
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
=> add(store = "Active Directory", types = ("http://temp/urlsOnGroup"), query = ";url;{0}", param = c.Value);
When this executes, i see an error in the event log on AD FS Server which states that it is trying to find User with GroupName.
How do i specify this Rule so that the last query happens against the Group Name instead of User
Error Message:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException:
POLICY0018: Query ';url;{0}' to attribute store 'Active Directory' failed:
'POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName' is not in the
required 'domain\user' format. POLICY3824: The LDAP query to the Active
Directory attribute store must have three parts separated by semicolons. The
first part is the LDAP query filter, the second part is a comma-separated list
of LDAP attribute names, and the third part is the user name in 'domain\user'
format.'. --->
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.AttributeStoreQueryF
ormatException: POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName'
is not in the required 'domain\user' format. POLICY3824: The LDAP query to the
Active Directory attribute store must have three parts separated by semicolons.
The first part is the LDAP query filter, the second part is a comma-separated
list of LDAP attribute names, and the third part is the user name in
'domain\user' format.
I want to avoid writing Custom Attribute Store if possible. I have already did that but i am trying to find native way to query agains AD Security Groups.

The required format is e.g.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ou"]
=> issue(store = "Active Directory", types = ("http://schemas.company.co.nz/claims/guid"), query = "(ou={0});objectGuid;domain\user", param = c.Value);
The "domain" needs to be the domain for ADFS. The "user" can be anything.
Note rule is free form so may have format errors but you get the idea!

Get users from Acctive Directory Group

I created an Active Directory domain name 'ADDOMAIN2' having a group name "CommonUsers" having 8 users. but when I do a Directory Search for users in group "CommonUsers" it returns zero result. hers is my code
DirectorySearcher searcher = new DirectorySearcher();
DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("LDAP://{0}", "ADDOMAIN2"), "Administrator", "p#S$w0rd");
string dnPath = directoryEntry.Properties["distinguishedName"].Value.ToString();
// string path = string.Format("LDAP://{0}/{1}{2}", "ADDOMAIN2", "", dnPath);
string path = "LDAP://ADDOMAIN2/CN=CommonUsers,DC=ADDomain2,DC=ADDomain01,DC=WaveDomain";
directoryEntry.Path = path;
searcher.SearchRoot = directoryEntry;
searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
SearchResultCollection rs = searcher.FindAll();
Any Idea what is wrong here?
Thanx

Try using some external LDAP browser (like the old and free version 2.6 of Softerra LDAP Browser) to check whether your query string is really pointing to the correct location.

DirectorySearcher is not used to find users inside a group. It's used to find objects under a base path. Since there is no user objects placed under your AD group object, you won't find anything.
In most cases, you can find the user objects in an AD group from its member attribute. Beware that AD group can contain either group or user. So, some of the entres there may be group. In some cases, the member attribute does not contain AD group nor AD user, it's containing a Foreign Security Principal. This happens if your user is coming from another forest. The primary group is also handled differently. Even "Domain User" is primary group of most of the users in AD, its member attribute doesn't contain anything at all. There are a lot other oddities that makes enumerating an AD group object really hard.
Fortunately, in .NET 3.5, Microsoft provides some useful classes in the framework to do the dirty work for you. Check out System.DirectoryServices.AccountManagement
To get some quick examples, you can check out this codeproject article
Your code should be something like this.
PrincipalContext context = new PrincipalContext(ContextType.Domain, "yourdomain.com");
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users");
foreach (Principal principal in groupPrincipal.GetMembers(false))
{
Console.Out.WriteLine(principal.DistinguishedName);
}
Console.In.ReadLine();