--On Tuesday, December 20, 2022 5:52 PM +0800 baalchina baalchina@gmail.com wrote:
For example, when I searching by 'sn=*', or 'sn=Jim', which jim is the exact name of my user, I will got the correct result. But when I searching by 'inetUserStatus=Inactive' or 'inetUserStatus=Active', nothing happens. I also tried 'inetUserStatus=*', and got the whole ldap users. The same happens in the memberOf attribute, which 'memberOf=*' got the whole users, and 'memberOf=cn=ABC*' got nothing. (My ldap users all have a attribute of 'memberOf: cn=ABC,ou=Groups,dc=abc,dc=cn'.
The behavior of a filter is controlled by the matchin rules for the attribute. A substring query on a DN type attribute doesn't make much sense (i.e., the memberOf case). For example, the defintion used by the dynlist overlay sets only one matching rule that can be used by a filter: EQUALITY distinguishedNameMatch
i.e., an exact equality match. You'd have to look at your schema that is defining "inetUserStatus" to discover what matching rules are defined for it, and then add the relevant indices.
Regards, Quanah