Support for additional search filter (MID-4925). Some cleanup.

052da6ea · Radovan Semancik · 64dc8033 · 052da6ea · 052da6ea · 052da6ea
Commit 052da6ea authored Oct 01, 2018 by Radovan Semancik
--- a/src/main/java/com/evolveum/polygon/connector/ldap/AbstractLdapConfiguration.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/AbstractLdapConfiguration.java
@@ -359,6 +359,11 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
     */
    private String runAsStrategy = RUN_AS_STRATEGY_NONE;

+    /**
+     * Search filter that will be added to all searche operations that the connector does.
+     */
+    private String additionalSearchFilter;
+    
    // TODO: failover, accountSynchronizationFilter
    // MAYBE TODO: respectResourcePasswordPolicyChangeAfterReset? filterWithOrInsteadOfAnd? 
    //			   removeLogEntryObjectClassFromFilter? synchronizePasswords? passwordAttributeToSynchronize?
@@ -723,6 +728,14 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
 		this.runAsStrategy = runAsStrategy;
 	}
 	
+	@ConfigurationProperty(order = 41)
+	public String getAdditionalSearchFilter() {
+		return additionalSearchFilter;
+	}
+
+	public void setAdditionalSearchFilter(String additionalSearchFilter) {
+		this.additionalSearchFilter = additionalSearchFilter;
+	}

 	@Override
    public void validate() {

--- a/src/main/java/com/evolveum/polygon/connector/ldap/AbstractLdapConnector.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/AbstractLdapConnector.java
@@ -470,31 +470,31 @@ public abstract class AbstractLdapConnector<C extends AbstractLdapConfiguration>
 	}

 	@Override
-	public void executeQuery(ObjectClass objectClass, Filter icfFilter, ResultsHandler handler, OperationOptions options) {
+	public void executeQuery(ObjectClass objectClass, Filter connIdFilter, ResultsHandler handler, OperationOptions options) {
 		prepareConnIdSchema();
 		org.apache.directory.api.ldap.model.schema.ObjectClass ldapObjectClass = getSchemaTranslator().toLdapObjectClass(objectClass);
 		
 		SearchStrategy<C> searchStrategy;
-		if (isEqualsFilter(icfFilter, Name.NAME)) {
+		if (isEqualsFilter(connIdFilter, Name.NAME)) {
 			// Search by __NAME__, which means DN. This translated to a base search.
-			searchStrategy = searchByDn(schemaTranslator.toDn(((EqualsFilter)icfFilter).getAttribute()),
+			searchStrategy = searchByDn(schemaTranslator.toDn(((EqualsFilter)connIdFilter).getAttribute()),
 					objectClass, ldapObjectClass, handler, options);
 			
-		} else if (isEqualsFilter(icfFilter, Uid.NAME)) {
+		} else if (isEqualsFilter(connIdFilter, Uid.NAME)) {
 			// Search by __UID__. Special case for performance.
-			searchStrategy = searchByUid((Uid)((EqualsFilter)icfFilter).getAttribute(),
+			searchStrategy = searchByUid((Uid)((EqualsFilter)connIdFilter).getAttribute(),
 					objectClass, ldapObjectClass, handler, options);
 				
-		} else if (isSecondaryIdentifierOrFilter(icfFilter)) {
+		} else if (isSecondaryIdentifierOrFilter(connIdFilter)) {
 			// Very special case. Search by DN or other secondary identifier value. It is used by IDMs to get object by 
 			// This is not supported by LDAP. But it can be quite common. Therefore we want to support it as a special
 			// case by executing two searches.
 			
-			searchStrategy = searchBySecondaryIdenfiers(icfFilter, objectClass, ldapObjectClass, handler, options);
+			searchStrategy = searchBySecondaryIdenfiers(connIdFilter, objectClass, ldapObjectClass, handler, options);
 			
 		} else {

-			searchStrategy = searchUsual(icfFilter, objectClass, ldapObjectClass, handler, options);
+			searchStrategy = searchUsual(connIdFilter, objectClass, ldapObjectClass, handler, options);
 			
 		}
 		

--- a/src/main/java/com/evolveum/polygon/connector/ldap/LdapUtil.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/LdapUtil.java
@@ -61,6 +61,7 @@ import org.apache.directory.api.ldap.model.exception.LdapUnwillingToPerformExcep
 import org.apache.directory.api.ldap.model.filter.AndNode;
 import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
+import org.apache.directory.api.ldap.model.filter.FilterParser;
 import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.message.Control;
 import org.apache.directory.api.ldap.model.message.LdapResult;
@@ -410,6 +411,14 @@ public class LdapUtil {
 		Value ldapValue = schemaTranslator.toLdapIdentifierValue(ldapAttributeType, uidValue);
 		return new EqualityNode<>(ldapAttributeType, ldapValue);
 	}
+	
+	public static ExprNode parseSearchFilter(String stringFilter) {
+		try {
+			return FilterParser.parse(stringFilter);
+		} catch (ParseException e) {
+			throw new InvalidAttributeValueException(e.getMessage(), e);
+		}
+	}

 	public static String getUidValue(Entry entry, org.apache.directory.api.ldap.model.schema.ObjectClass ldapObjectClass,
 			AbstractLdapConfiguration configuration, AbstractSchemaTranslator schemaTranslator) {

--- a/src/main/java/com/evolveum/polygon/connector/ldap/schema/AbstractSchemaTranslator.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/schema/AbstractSchemaTranslator.java
@@ -407,18 +407,17 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 	 * Throws exception if the attribute is illegal.
 	 * Return null if the attribute is legal, but we do not have any definition for it.
 	 */
-	public AttributeType toLdapAttribute(org.apache.directory.api.ldap.model.schema.ObjectClass ldapObjectClass,
-			String icfAttributeName) {
-		if (Name.NAME.equals(icfAttributeName)) {
+	public AttributeType toLdapAttribute(org.apache.directory.api.ldap.model.schema.ObjectClass ldapObjectClass, String connIdAttributeName) {
+		if (Name.NAME.equals(connIdAttributeName)) {
 			return null;
 		}
 		String ldapAttributeName;
-		if (Uid.NAME.equals(icfAttributeName)) {
+		if (Uid.NAME.equals(connIdAttributeName)) {
 			ldapAttributeName = configuration.getUidAttribute();
-		} else if (OperationalAttributeInfos.PASSWORD.is(icfAttributeName)) {
+		} else if (OperationalAttributeInfos.PASSWORD.is(connIdAttributeName)) {
 			ldapAttributeName = configuration.getPasswordAttribute();
 		} else {
-			ldapAttributeName = icfAttributeName;
+			ldapAttributeName = connIdAttributeName;
 		}
 		try {
 			AttributeType attributeType = schemaManager.lookupAttributeTypeRegistry(ldapAttributeName);
@@ -434,7 +433,7 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 				attributeType.setNames(ldapAttributeName);
 				return attributeType;
 			} else {
-				throw new IllegalArgumentException("Unknown LDAP attribute "+ldapAttributeName+" (translated from ICF attribute "+icfAttributeName+")", e);
+				throw new IllegalArgumentException("Unknown LDAP attribute "+ldapAttributeName+" (translated from ICF attribute "+connIdAttributeName+")", e);
 			}
 		}
 	}
@@ -563,44 +562,44 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 	}
 	
 	@SuppressWarnings({ "unchecked", "rawtypes" })
-	protected Value wrapInLdapValueClass(AttributeType ldapAttributeType, Object icfAttributeValue) {
+	protected Value wrapInLdapValueClass(AttributeType ldapAttributeType, Object connIdAttributeValue) {
 		String syntaxOid = ldapAttributeType.getSyntaxOid();
 		if (SchemaConstants.GENERALIZED_TIME_SYNTAX.equals(syntaxOid)) {
-			if (icfAttributeValue instanceof Long) {
+			if (connIdAttributeValue instanceof Long) {
 				try {
-					return new Value(ldapAttributeType, LdapUtil.toGeneralizedTime((Long)icfAttributeValue, acceptsFractionalGeneralizedTime()));
+					return new Value(ldapAttributeType, LdapUtil.toGeneralizedTime((Long)connIdAttributeValue, acceptsFractionalGeneralizedTime()));
 				} catch (LdapInvalidAttributeValueException e) {
 					throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 						+"; attributeType="+ldapAttributeType, e);
 				}
-			} else if (icfAttributeValue instanceof ZonedDateTime) {
+			} else if (connIdAttributeValue instanceof ZonedDateTime) {
 				try {
-					return new Value(ldapAttributeType, LdapUtil.toGeneralizedTime((ZonedDateTime)icfAttributeValue, acceptsFractionalGeneralizedTime()));
+					return new Value(ldapAttributeType, LdapUtil.toGeneralizedTime((ZonedDateTime)connIdAttributeValue, acceptsFractionalGeneralizedTime()));
 				} catch (LdapInvalidAttributeValueException e) {
 					throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 						+"; attributeType="+ldapAttributeType, e);
 				}
-			} else if (icfAttributeValue instanceof String) {
+			} else if (connIdAttributeValue instanceof String) {
 				try {
-						return new Value(ldapAttributeType, icfAttributeValue.toString());
+						return new Value(ldapAttributeType, connIdAttributeValue.toString());
 					} catch (LdapInvalidAttributeValueException e) {
 						throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 								+"; attributeType="+ldapAttributeType, e);
 					}
 			} else {
-				throw new InvalidAttributeValueException("Wrong type for attribute "+ldapAttributeType+": "+icfAttributeValue.getClass());
+				throw new InvalidAttributeValueException("Wrong type for attribute "+ldapAttributeType+": "+connIdAttributeValue.getClass());
 			}
-		} else if (icfAttributeValue instanceof Boolean) {
+		} else if (connIdAttributeValue instanceof Boolean) {
 			LOG.ok("Converting to LDAP: {0} ({1}): boolean", ldapAttributeType.getName(), syntaxOid);
 			try {
-				return new Value(ldapAttributeType, icfAttributeValue.toString().toUpperCase());
+				return new Value(ldapAttributeType, connIdAttributeValue.toString().toUpperCase());
 			} catch (LdapInvalidAttributeValueException e) {
 				throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 						+"; attributeType="+ldapAttributeType, e);
 			}
-		} else if (icfAttributeValue instanceof GuardedString) {
+		} else if (connIdAttributeValue instanceof GuardedString) {
 			try {
-				return new GuardedStringValue(ldapAttributeType, (GuardedString) icfAttributeValue);
+				return new GuardedStringValue(ldapAttributeType, (GuardedString) connIdAttributeValue);
 			} catch (LdapInvalidAttributeValueException e) {
 				throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 						+"; attributeType="+ldapAttributeType, e);
@@ -608,16 +607,16 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 		} else if (isBinarySyntax(syntaxOid)) {
 			LOG.ok("Converting to LDAP: {0} ({1}): explicit binary", ldapAttributeType.getName(), syntaxOid);
 			
-			if (icfAttributeValue instanceof byte[]) {
+			if (connIdAttributeValue instanceof byte[]) {
 				// Do NOT set attributeType in the Value in this case.
 				// The attributeType might not match the Value class
 				// e.g. human-readable jpegPhoto attribute will expect StringValue
-				return new Value((byte[])icfAttributeValue);
-			} else if (icfAttributeValue instanceof String) {
+				return new Value((byte[])connIdAttributeValue);
+			} else if (connIdAttributeValue instanceof String) {
 				// this can happen for userPassword
 				byte[] bytes;
 				try {
-					bytes = ((String)icfAttributeValue).getBytes("UTF-8");
+					bytes = ((String)connIdAttributeValue).getBytes("UTF-8");
 				} catch (UnsupportedEncodingException e) {
 					throw new IllegalArgumentException("Cannot encode attribute value to UTF-8 for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 							+"; attributeType="+ldapAttributeType, e);
@@ -627,22 +626,22 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 				// e.g. human-readable jpegPhoto attribute will expect StringValue
 				return new Value(bytes);
 			} else {
-				throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": expected byte[] but got "+icfAttributeValue.getClass()
+				throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": expected byte[] but got "+connIdAttributeValue.getClass()
 						+"; attributeType="+ldapAttributeType);
 			}
-		} else if (!isBinaryAttribute(syntaxOid)) {
+		} else if (!isBinarySyntax(syntaxOid)) {
 			LOG.ok("Converting to LDAP: {0} ({1}): explicit string", ldapAttributeType.getName(), syntaxOid);
 			try {
-				return new Value(ldapAttributeType, icfAttributeValue.toString());
+				return new Value(ldapAttributeType, connIdAttributeValue.toString());
 			} catch (LdapInvalidAttributeValueException e) {
 				throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 						+"; attributeType="+ldapAttributeType, e);
 			}
 		} else {
-			if (icfAttributeValue instanceof byte[]) {
+			if (connIdAttributeValue instanceof byte[]) {
 				LOG.ok("Converting to LDAP: {0} ({1}): detected binary", ldapAttributeType.getName(), syntaxOid);
 				try {
-					return new Value(ldapAttributeType, (byte[])icfAttributeValue);
+					return new Value(ldapAttributeType, (byte[])connIdAttributeValue);
 				} catch (LdapInvalidAttributeValueException e) {
 					throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 							+"; attributeType="+ldapAttributeType, e);
@@ -650,7 +649,7 @@ public abstract class AbstractSchemaTranslator<C extends AbstractLdapConfigurati
 			} else {
 				LOG.ok("Converting to LDAP: {0} ({1}): detected string", ldapAttributeType.getName(), syntaxOid);
 				try {
-					return new Value(ldapAttributeType, icfAttributeValue.toString());
+					return new Value(ldapAttributeType, connIdAttributeValue.toString());
 				} catch (LdapInvalidAttributeValueException e) {
 					throw new IllegalArgumentException("Invalid value for attribute "+ldapAttributeType.getName()+": "+e.getMessage()
 							+"; attributeType="+ldapAttributeType, e);

--- a/src/main/java/com/evolveum/polygon/connector/ldap/schema/LdapFilterTranslator.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/schema/LdapFilterTranslator.java
@@ -54,6 +54,7 @@ import org.identityconnectors.framework.common.objects.filter.StartsWithFilter;

 import com.evolveum.polygon.common.SchemaUtil;
 import com.evolveum.polygon.connector.ldap.AbstractLdapConfiguration;
+import com.evolveum.polygon.connector.ldap.LdapUtil;

 /**
 * @author Radovan Semancik
@@ -73,39 +74,25 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
 	/**
 	 * Translate filter, also add AND statement for objectClass.
 	 */
-	public ScopedFilter translate(Filter icfFilter, ObjectClass ldapObjectClass) {
-		ScopedFilter plainScopedFilter = translate(icfFilter);
-		EqualityNode<String> objectClassEqFilter = createObjectClassEqFilter(ldapObjectClass);
-		if (plainScopedFilter == null) {
-			return new ScopedFilter(objectClassEqFilter);
-		}
-		ExprNode plainFilter = plainScopedFilter.getFilter();
-		if (plainFilter == null) {
-			return new ScopedFilter(objectClassEqFilter, plainScopedFilter.getBaseDn());
-		}
-		if (plainFilter instanceof AndNode) {
-			((AndNode)plainFilter).addNode(objectClassEqFilter);
+	public ScopedFilter translate(Filter connIdFilter, ObjectClass ldapObjectClass) {
+		ScopedFilter plainScopedFilter = translate(connIdFilter);
+		if (plainScopedFilter != null) {
 			return plainScopedFilter;
 		} else {
-			return new ScopedFilter(new AndNode(objectClassEqFilter, plainFilter), plainScopedFilter.getBaseDn()); 
+			return new ScopedFilter(LdapUtil.createObjectClassFilter(ldapObjectClass));
 		}
 	}
 	
-	private EqualityNode<String> createObjectClassEqFilter(ObjectClass ldapObjectClass) {
-		return new EqualityNode<String>(SchemaConstants.OBJECT_CLASS_AT, ldapObjectClass.getName());
-	}
-
-
-	public ScopedFilter translate(AndFilter icfFilter) {
-        if (icfFilter == null) {
+	public ScopedFilter translate(AndFilter connIdFilter) {
+        if (connIdFilter == null) {
            return null;
        }
        
-        Collection<Filter> icfSubfilters = icfFilter.getFilters();
-        List<ExprNode> subNodes = new ArrayList<ExprNode>(icfSubfilters.size());
+        Collection<Filter> connIdSubfilters = connIdFilter.getFilters();
+        List<ExprNode> subNodes = new ArrayList<ExprNode>(connIdSubfilters.size());
        Dn baseDn = null;
        
-        for (Filter icfSubFilter: icfSubfilters) {
+        for (Filter icfSubFilter: connIdSubfilters) {
            ScopedFilter subNode = translate(icfSubFilter);
            
            if (subNode.getBaseDn() != null) {
@@ -125,16 +112,16 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
 	}


-    public ScopedFilter translate(OrFilter icfFilter) {
-        if (icfFilter == null) {
+    public ScopedFilter translate(OrFilter connIdFilter) {
+        if (connIdFilter == null) {
            return null;
        }
        
-        Collection<Filter> icfSubfilters = icfFilter.getFilters();
-        List<ExprNode> subNodes = new ArrayList<ExprNode>(icfSubfilters.size());
+        Collection<Filter> connIdSubfilters = connIdFilter.getFilters();
+        List<ExprNode> subNodes = new ArrayList<ExprNode>(connIdSubfilters.size());
        
-        for (Filter icfSubFilter: icfSubfilters) {
-            ScopedFilter subNode = translate(icfSubFilter);
+        for (Filter connIdSubFilter: connIdSubfilters) {
+            ScopedFilter subNode = translate(connIdSubFilter);
            
            if (subNode.getBaseDn() != null) {
                throw new InvalidAttributeValueException("Filter for __NAME__ cannot be used in OR clauses");
@@ -147,13 +134,13 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
    }


-    public ScopedFilter translate(NotFilter icfFilter) {
-        if (icfFilter == null) {
+    public ScopedFilter translate(NotFilter connIdFilter) {
+        if (connIdFilter == null) {
            return null;
        }
        
-        Filter icfSubfilter = icfFilter.getFilter();
-        ScopedFilter subNode = translate(icfSubfilter);
+        Filter connIdSubfilter = connIdFilter.getFilter();
+        ScopedFilter subNode = translate(connIdSubfilter);
        
        if (subNode.getBaseDn() != null) {
            throw new InvalidAttributeValueException("Filter for __NAME__ cannot be used in NOT clauses");
@@ -163,22 +150,22 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
    }


-    public ScopedFilter translate(ContainsAllValuesFilter icfFilter) {
-        if (icfFilter == null) {
+    public ScopedFilter translate(ContainsAllValuesFilter connIdFilter) {
+        if (connIdFilter == null) {
            return null;
        }
        
-        Attribute icfAttribute = icfFilter.getAttribute();
-        String icfAttributeName = icfAttribute.getName();
-        List<Object> icfAttributeValue = icfAttribute.getValue();
+        Attribute connIdAttribute = connIdFilter.getAttribute();
+        String connIdAttributeName = connIdAttribute.getName();
+        List<Object> connIdAttributeValue = connIdAttribute.getValue();
        
-        if (Name.NAME.equals(icfAttributeName)) {
-            Dn dn = schemaTranslator.toDn(icfAttribute);
+        if (Name.NAME.equals(connIdAttributeName)) {
+            Dn dn = schemaTranslator.toDn(connIdAttribute);
            return new ScopedFilter(dn);
        }
        
-        AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, icfAttributeName);
-        List<Value> ldapValues = schemaTranslator.toLdapValues(ldapAttributeType, icfAttributeValue);
+        AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, connIdAttributeName);
+        List<Value> ldapValues = schemaTranslator.toLdapValues(ldapAttributeType, connIdAttributeValue);
        
        if (ldapValues == null || ldapValues.isEmpty()) {
            throw new IllegalArgumentException("Does it make sense to have empty ContainsAllValuesFilter?");
@@ -219,20 +206,20 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
    }


-    public ScopedFilter translate(EqualsFilter icfFilter) {
-        if (icfFilter == null) {
+    public ScopedFilter translate(EqualsFilter connIdFilter) {
+        if (connIdFilter == null) {
            return null;
        }
        
-        Attribute icfAttribute = icfFilter.getAttribute();
-        String icfAttributeName = icfAttribute.getName();
+        Attribute connIdAttribute = connIdFilter.getAttribute();
+        String connIdAttributeName = connIdAttribute.getName();
        
-        if (Name.NAME.equals(icfAttributeName)) {
+        if (Name.NAME.equals(connIdAttributeName)) {
            throw new IllegalArgumentException("Cannot use wildcard filter on DN (__NAME__)");
        }
        
-        AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, icfAttributeName);
-        String pattern = SchemaUtil.getSingleStringNonBlankValue(icfAttribute);
+        AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, connIdAttributeName);
+        String pattern = SchemaUtil.getSingleStringNonBlankValue(connIdAttribute);
        
        return new ScopedFilter(new SubstringNode(ldapAttributeType, pattern, null));
    }
@@ -346,8 +333,8 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
    }

    
-	public ScopedFilter translate(Filter icfFilter) {
-		if (icfFilter == null) {
+	public ScopedFilter translate(Filter connIdFilter) {
+		if (connIdFilter == null) {
 			return null;
 		}
 		
@@ -355,53 +342,53 @@ public class LdapFilterTranslator<C extends AbstractLdapConfiguration> {
 		// it is unlikely that they will appear every day. Therefore we do not need
 		// any OO magic here. And this is still quite readable.
 		
-		if (icfFilter instanceof AndFilter) {
-			return translate((AndFilter)icfFilter);
-		} else if (icfFilter instanceof OrFilter) {
-            return translate((OrFilter)icfFilter);
-		} else if (icfFilter instanceof NotFilter) {
-            return translate((NotFilter)icfFilter);
-		} else if (icfFilter instanceof EqualsFilter) {
-			return translateEqualsFilter((EqualsFilter)icfFilter);
-		} else if (icfFilter instanceof ContainsAllValuesFilter) {
-            return translate((ContainsAllValuesFilter)icfFilter);
-		} else if (icfFilter instanceof ContainsFilter) {
-            return translate((ContainsFilter)icfFilter);
-		} else if ((icfFilter instanceof StartsWithFilter) || (icfFilter instanceof EndsWithFilter)) {
-            return translate((EqualsFilter)icfFilter);
-		} else if (icfFilter instanceof GreaterThanFilter) {			
-            return translate((GreaterThanFilter)icfFilter);
-		} else if (icfFilter instanceof GreaterThanOrEqualFilter) {
-            return translate((GreaterThanOrEqualFilter)icfFilter);
-		} else if (icfFilter instanceof LessThanFilter) {
-            return translate((LessThanFilter)icfFilter);
-		} else if (icfFilter instanceof LessThanOrEqualFilter) {
-            return translate((LessThanOrEqualFilter)icfFilter);
-		} else if (icfFilter instanceof ExternallyChainedFilter) {
-			return translate(((ExternallyChainedFilter)icfFilter).getFilter());
+		if (connIdFilter instanceof AndFilter) {
+			return translate((AndFilter)connIdFilter);
+		} else if (connIdFilter instanceof OrFilter) {
+            return translate((OrFilter)connIdFilter);
+		} else if (connIdFilter instanceof NotFilter) {
+            return translate((NotFilter)connIdFilter);
+		} else if (connIdFilter instanceof EqualsFilter) {
+			return translateEqualsFilter((EqualsFilter)connIdFilter);
+		} else if (connIdFilter instanceof ContainsAllValuesFilter) {
+            return translate((ContainsAllValuesFilter)connIdFilter);
+		} else if (connIdFilter instanceof ContainsFilter) {
+            return translate((ContainsFilter)connIdFilter);
+		} else if ((connIdFilter instanceof StartsWithFilter) || (connIdFilter instanceof EndsWithFilter)) {
+            return translate((EqualsFilter)connIdFilter);
+		} else if (connIdFilter instanceof GreaterThanFilter) {			
+            return translate((GreaterThanFilter)connIdFilter);
+		} else if (connIdFilter instanceof GreaterThanOrEqualFilter) {
+            return translate((GreaterThanOrEqualFilter)connIdFilter);
+		} else if (connIdFilter instanceof LessThanFilter) {
+            return translate((LessThanFilter)connIdFilter);
+		} else if (connIdFilter instanceof LessThanOrEqualFilter) {
+            return translate((LessThanOrEqualFilter)connIdFilter);
+		} else if (connIdFilter instanceof ExternallyChainedFilter) {
+			return translate(((ExternallyChainedFilter)connIdFilter).getFilter());
 			
 		} else {
-			throw new IllegalArgumentException("Unknown filter "+icfFilter.getClass());
+			throw new IllegalArgumentException("Unknown filter "+connIdFilter.getClass());
 		}
 	}

-	protected ScopedFilter translateEqualsFilter(EqualsFilter icfFilter) {
-		Attribute icfAttribute = icfFilter.getAttribute();
-		String icfAttributeName = icfAttribute.getName();
-		List<Object> icfAttributeValue = icfAttribute.getValue();
-		if (Name.NAME.equals(icfAttributeName)) {
-			Dn dn = schemaTranslator.toDn(icfAttribute);
+	protected ScopedFilter translateEqualsFilter(EqualsFilter connIdFilter) {
+		Attribute connIdAttribute = connIdFilter.getAttribute();
+		String connIdAttributeName = connIdAttribute.getName();
+		List<Object> connIdAttributeValue = connIdAttribute.getValue();
+		if (Name.NAME.equals(connIdAttributeName)) {
+			Dn dn = schemaTranslator.toDn(connIdAttribute);
 			return new ScopedFilter(null, dn);
 		}
-		AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, icfAttributeName);
+		AttributeType ldapAttributeType = schemaTranslator.toLdapAttribute(ldapObjectClass, connIdAttributeName);
 		Value ldapValue;
-		if (Uid.NAME.equals(icfAttributeName)) {
-			if (icfAttributeValue.size() != 1) {
-				throw new InvalidAttributeValueException("Expected single value for UID, but got " + icfAttributeValue);
+		if (Uid.NAME.equals(connIdAttributeName)) {
+			if (connIdAttributeValue.size() != 1) {
+				throw new InvalidAttributeValueException("Expected single value for UID, but got " + connIdAttributeValue);
 			}
-			ldapValue = schemaTranslator.toLdapIdentifierValue(ldapAttributeType, (String)icfAttributeValue.get(0));
+			ldapValue = schemaTranslator.toLdapIdentifierValue(ldapAttributeType, (String)connIdAttributeValue.get(0));
 		} else {
-			ldapValue = schemaTranslator.toLdapValue(ldapAttributeType, icfAttributeValue);
+			ldapValue = schemaTranslator.toLdapValue(ldapAttributeType, connIdAttributeValue);
 		}
 		return new ScopedFilter(new EqualityNode<Object>(ldapAttributeType, ldapValue));
 	}

--- a/src/main/java/com/evolveum/polygon/connector/ldap/search/SearchStrategy.java
+++ b/src/main/java/com/evolveum/polygon/connector/ldap/search/SearchStrategy.java
@@ -325,12 +325,16 @@ public abstract class SearchStrategy<C extends AbstractLdapConfiguration> {
 	
 	protected ExprNode preProcessSearchFilter(ExprNode filterNode) {
 		if (configuration.isIncludeObjectClassFilter() && !LdapUtil.containsObjectClassFilter(filterNode)) {
-			return LdapUtil.filterAnd(
+			filterNode = LdapUtil.filterAnd(
 					LdapUtil.createObjectClassFilter(ldapObjectClass),
 					filterNode);
-		} else {
-			return filterNode;
 		}
+		if (configuration.getAdditionalSearchFilter() != null) {
+			filterNode = LdapUtil.filterAnd(
+					filterNode,
+					LdapUtil.parseSearchFilter(configuration.getAdditionalSearchFilter()));
+		}
+		return filterNode;
 	}

 }