Mapping kerberos principal to ldap connector

Douglas E Engert deengert at gmail.com
Mon Nov 24 13:13:40 EST 2014



On 11/24/2014 9:24 AM, Morris, Andi wrote:
> Hi all,
>
> Kerberos authentication is now working well, and transparently through RemoteUser.
>
> However I’ve now come to try to map some attributes to send and I’m using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within
> attribute-resolver.xml.
>
> Modifying this for my own environment I have:
>
> ------------------------------------------------------------------------------------------------------------------------------
>
>      <resolver:AttributeDefinition id="principalName"
>                                    xsi:type="ad:PrincipalName"
>                                    dependencyOnly="true">
>      </resolver:AttributeDefinition>
>
>      <resolver:AttributeDefinition id="krb_principalname"
>                                   xsi:type="ad:Mapped"
>                                   sourceAttributeID="principalName"
>                                   dependencyOnly="true" >
>       <resolver:Dependency ref="principalName" />
>       <ad:ValueMap>
>           <ad:ReturnValue>$1</ad:ReturnValue>
>           <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>       </ad:ValueMap>
>      </resolver:AttributeDefinition>
>
>      <resolver:AttributeDefinition id="krb_domain"
>                                   xsi:type="ad:Mapped"
>                                   sourceAttributeID="principalName"
>                                   dependencyOnly="true" >
>       <resolver:Dependency ref="principalName" />
>       <ad:ValueMap>
>           <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
>           <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>       </ad:ValueMap>
>      </resolver:AttributeDefinition>
>
>      <resolver:DataConnector id="myLDAP"
>          xsi:type="dc:LDAPDirectory"
>          ldapURL="ldap://ldap.internal.domain.ac.uk"
>          baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
>          principal="shib@internal.domain.ac.uk"
>          principalCredential="password">
>        <resolver:Dependency ref="krb_principalname" />
>        <resolver:Dependency ref="krb_domain" />
>          <dc:FilterTemplate>
> <!--
> (mail=$requestContext.principalName) - matches UsernamePassword Principal
> &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
> -->
>              <![CDATA[
>              (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
>                  ]]>
>          </dc:FilterTemplate>
>          <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>      </resolver:DataConnector>

Wow, that is a weird example they have, expecting the msSFU30NisDomain to match the krb_realm.

If AD is acting as the KDC, then the Kerberos realm name is the uppercase of the AD domain name.
(Kerberos protocols and applications are case sensitive, AD is not, so this can cause confusion too.)
In general you can search for <sAMAccountName>@<AD-DOMAIN-NAME>.
(userPrincipalName at one time could be used, but AD overloaded it for smart card/certificate use as subjectAltName:msUPN.)

It might work in your environment, if the AD admins have populated msSFU30NisDomain, and have turned on SFU.

Also in general, there is no guarantee that the mail attribute will match the Kerberos principal name.

One way to see what gets returned is to use the Unix ldapsearch command to see what LDAP returns.

A lot of the msDS attributes are not returned by AD by default. Not sure if msSFU30NisDomain is.
Best bet is to list the attributes you want returned, something like:
      <dc:ReturnAttributes>
          sAMAccountName sn givenName displayName mail cn entryDN  userPrincipalName
      </dc:ReturnAttributes>

>
> ------------------------------------------------------------------------------------------------------------------------
>
> Debug output shows:
>
> ----------------------------------------------------------------------------------------------------------------------
>
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username@INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username@INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
> 15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [username]
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_DOMAIN: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username@INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values


Looks like SAMAccountName was not returned... See above.

>
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
> 15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_DOMAIN from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username@INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username@INTERNAL.DOMAIN.AC.UK.  The following attributes remain: [transientId]
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
>
> ------------------------------------------------------------------------------------------------------------------
>
> I can see that the krb_principalname and krb_domain get mapped to the correct parts of the principal, but I’m having trouble then passing that to the LDAP connector. I think it’s something up with the
> search filter.
>
> Can anybody please point me in the right direction here:
>
> Cheers,
>
> Andi
>
>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
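
An added example, not part of either message and not Shibboleth code: the principal-to-filter mapping discussed in this thread, written so the resulting filter can be checked by hand with ldapsearch as the reply suggests. It assumes a single AD domain whose uppercase name is the Kerberos realm and that only user principals are mapped; the URL, base DN, bind principal and attribute list are copied from the thread, and the function names are hypothetical.

```python
import shlex

# Values copied from the configuration and reply quoted in this thread.
EXPECTED_REALM = "INTERNAL.DOMAIN.AC.UK"
LDAP_URL = "ldap://ldap.internal.domain.ac.uk"
BASE_DN = "ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
BIND_PRINCIPAL = "shib@internal.domain.ac.uk"
RETURN_ATTRS = ["sAMAccountName", "sn", "givenName", "displayName",
                "mail", "cn", "entryDN", "userPrincipalName"]


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' becomes \2a
        else:
            out.append(ch)
    return "".join(out)


def split_principal(principal, expected_realm=EXPECTED_REALM):
    """Split user@REALM. The realm is compared case-sensitively, as Kerberos
    does, so a lower-cased AD domain name is not accepted as the realm."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user:
        raise ValueError("not a user@REALM principal: %r" % principal)
    if realm != expected_realm:
        raise ValueError("unexpected realm: %r" % realm)
    if "/" in user:
        # Assumption: service principals (service/host@REALM) are not mapped.
        raise ValueError("not a user principal: %r" % principal)
    return user, realm


def build_filter(principal):
    """Filter on sAMAccountName only; the realm is checked, not searched for."""
    user, _realm = split_principal(principal)
    return "(&(sAMAccountName=%s)(objectClass=user))" % escape_filter_value(user)


def ldapsearch_argv(principal):
    """OpenLDAP ldapsearch arguments: simple bind, password prompt, and an
    explicit list of attributes to return."""
    return (["ldapsearch", "-x", "-H", LDAP_URL, "-D", BIND_PRINCIPAL, "-W",
             "-b", BASE_DN, build_filter(principal)] + RETURN_ATTRS)


if __name__ == "__main__":
    # Principal as it appears in the debug log above.
    print(shlex.join(ldapsearch_argv("username@INTERNAL.DOMAIN.AC.UK")))
```

Running the printed command against the directory shows which of the listed attributes the server actually returns for that account.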


