OBJECT scope search in LDAP/AD attribute resolver
brabec at ncsu.edu
Wed Aug 22 13:46:29 EDT 2018
I have a running IdP 3.3.3 setup with an attribute resolver
data connector that uses LDAP to search Active Directory.
Attribute resolution is working fine where I'm doing something like
baseDN = ou=People,dc=blah,...
searchFilter = (cn=$requestContext.principalName)
The problem that I have is one of the attributes that I want
requires an OBJECT-scope search. In AD terms:
searchFlags: fBASEONLY - Specifies that the attribute is not to be
returned by search operations that are not scoped to a single object.
I've added the following to my DataConnector. The extra attribute that
I want is optional, so it needs to be explicitly requested.
<ReturnAttributes>* msds-memberOfTransitive</ReturnAttributes>
1. This returns an AD error on the query because of fBASEONLY
baseDN = ou=People,dc=blah,...
searchFilter = (cn=$requestContext.principalName)
searchScope="SUBTREE"
2. This does too
baseDN = ou=People,dc=blah,...
searchFilter = (cn=$requestContext.principalName)
searchScope="ONELEVEL"
3. This returns 0 results
baseDN = ou=People,dc=blah,...
searchFilter = (cn=$requestContext.principalName)
searchScope="OBJECT"
4. This works, because I've hard-coded my user into the baseDN:
baseDN = cn=userid,ou=People,dc=blah,...
searchFilter = (cn=*)
searchScope="OBJECT"
It appears that I need to find a way to get the velocity variable
$requestContext.principalName into my baseDN before I can do this search
generally.
Has anyone tried this sort of query and could share some examples?
Thanks,
Charles
--
Charles J. Brabec - brabec at ncsu.edu
All electronic mail messages in connection with State business which are
sent to or received by this account are subject to the NC Public Records Law
and may be disclosed to third parties.
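Added example, not part of Charles's message and not Shibboleth or ldaptive code: it shows the two-step shape that cases 1-4 above point to. Step one is the SUBTREE search on cn that the working resolver already does, but asking only for the entry's DN; step two is an OBJECT (base) scope search rooted at that DN, explicitly naming msDS-MemberOfTransitive. It also reproduces why cases 1-3 fail (the attribute is refused on non-base searches, and a base search at the OU finds the OU, not the user), and escapes the principal name before it goes into a filter. The directory is a constructed in-memory stand-in with assumed example.edu DNs so it runs offline; wiring the resolved DN into the IdP's baseDN is not covered here.

```python
# Added example (not from the post or the Shibboleth project). Two-step lookup
# for an fBASEONLY attribute: (1) SUBTREE search on cn to learn the user's DN,
# (2) BASE-scope search at that DN naming msDS-MemberOfTransitive explicitly.
# The directory below is a constructed stand-in that enforces AD's refusal of the
# attribute on any non-base search; DNs under example.edu are assumed, not real.

BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"
BASE_ONLY_ATTRS = {"msds-memberoftransitive"}          # fBASEONLY in AD
PEOPLE_BASE = "OU=People,DC=example,DC=edu"            # assumed base DN


class LdapError(Exception):
    pass


def escape_filter_value(value):
    """RFC 4515 escaping: a principal name must not be able to edit the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _in_scope(entry_dn, base_dn, scope):
    e = [p.strip().lower() for p in entry_dn.split(",")]
    b = [p.strip().lower() for p in base_dn.split(",")]
    if e[-len(b):] != b:                      # entry is not under base_dn
        return False
    depth = len(e) - len(b)
    return scope == SUBTREE or (scope == ONELEVEL and depth == 1) or (scope == BASE and depth == 0)


class FakeAD:
    """Constructed stand-in; understands only (cn=value) and (cn=*) filters."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        stored = {k.lower(): v for k, v in attrs.items()}
        stored["distinguishedname"] = dn
        self.entries[dn] = stored

    def search(self, base_dn, scope, filt, attributes):
        wanted = [a.lower() for a in attributes]
        if scope != BASE and BASE_ONLY_ATTRS & set(wanted):
            raise LdapError("operationsError: attribute only returned by base-scope search")
        if not (filt.startswith("(cn=") and filt.endswith(")")):
            raise LdapError("stand-in supports only (cn=...) filters")
        pat = filt[4:-1].lower()
        hits = []
        for dn, attrs in self.entries.items():
            if not _in_scope(dn, base_dn, scope):
                continue
            if pat != "*" and escape_filter_value(attrs.get("cn", "")).lower() != pat:
                continue
            hits.append((dn, {a: attrs[a] for a in wanted if a in attrs}))
        return hits


def resolve_transitive_groups(directory, people_base, principal):
    """Step 1 finds the DN; step 2 is the object-scope read of the constructed attribute."""
    filt = "(cn=%s)" % escape_filter_value(principal)
    hits = directory.search(people_base, SUBTREE, filt, ["distinguishedName"])
    if len(hits) != 1:
        raise LdapError("expected one entry for %r, got %d" % (principal, len(hits)))
    user_dn = hits[0][0]
    obj = directory.search(user_dn, BASE, "(cn=*)", ["msDS-MemberOfTransitive"])
    return user_dn, obj[0][1].get("msds-memberoftransitive", [])


def reproduce_post_cases(directory, people_base, principal):
    """Cases 1-3 from the post: SUBTREE/ONELEVEL error, OBJECT at the OU finds nothing."""
    filt = "(cn=%s)" % escape_filter_value(principal)
    out = {}
    for label, scope in (("subtree", SUBTREE), ("onelevel", ONELEVEL)):
        try:
            directory.search(people_base, scope, filt, ["msDS-MemberOfTransitive"])
            out[label] = "ok"
        except LdapError:
            out[label] = "error"
    out["object_at_ou"] = len(directory.search(people_base, BASE, filt, ["msDS-MemberOfTransitive"]))
    return out


def try_lookup(directory, people_base, principal):
    """None when the lookup fails, e.g. a filter-injection attempt that matches nobody."""
    try:
        return resolve_transitive_groups(directory, people_base, principal)
    except LdapError:
        return None


def build_sample_directory():
    """Constructed sample data, not real accounts."""
    ad = FakeAD()
    ad.add(PEOPLE_BASE, {"ou": "People"})
    ad.add("CN=jdoe," + PEOPLE_BASE, {"cn": "jdoe", "msDS-MemberOfTransitive":
           ["CN=staff,OU=Groups,DC=example,DC=edu", "CN=all-employees,OU=Groups,DC=example,DC=edu"]})
    ad.add("CN=asmith," + PEOPLE_BASE, {"cn": "asmith", "msDS-MemberOfTransitive":
           ["CN=students,OU=Groups,DC=example,DC=edu"]})
    return ad


if __name__ == "__main__":
    d = build_sample_directory()
    print(reproduce_post_cases(d, PEOPLE_BASE, "jdoe"))
    print(resolve_transitive_groups(d, PEOPLE_BASE, "jdoe"))
    print(try_lookup(d, PEOPLE_BASE, "*)(cn=*"))
```

Against a real AD the same two searches are what ldapsearch -s sub (step one) and ldapsearch -s base -b <user DN> msDS-MemberOfTransitive (step two) would issue; the point of escaping in step one is that the principal name comes from the request, and an unescaped "*" or ")" would change which entry step two is rooted at.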