Hello,
I’m trying to understand if it is possible or not to do a substring search on an attribute which does not specify a substring matching rule. I was expecting to be able to use an extensible filter and specify the sub matching rule to use, but it does not seem to work: ldapsearch says "ldap_search_ext: Bad search filter (-7)" as soon as the filter contains an asterisk.
And indeed reading https://tools.ietf.org/html/rfc4515 it does look like extensible filter does not allow asterisk, but it is surprising to me. Is there really no way to do an extensible search on a substring?
I found some examples on the web of such filters, like here: http://www.zytrax.com/books/ldap/apa/search.html They give these examples:
    # override SUBSTR match with case sensitive match
    sn:caseExactSubstringMatch:=*S* # only finds Smith
    # functionally same as above using OID
    sn:2.5.13.7:=*S*
But these do not work; if I try them in ldapsearch I get bad search filter.
Côme
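Why ldapsearch rejects these filters, checked against the RFC 4515 grammar cited in the message above. This is an added example, not part of the original message or of OpenLDAP's code; `check_extensible` and `escape_value` are hypothetical helper names, and attribute options such as `;binary` are not handled.

```python
import re

# Attribute type or matching rule: a short name or a dotted numeric OID.
_NAME = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)"

# RFC 4515 "extensible" item, written without the outer parentheses:
#   attr [":dn"] [":" rule] ":=" value   or   [":dn"] ":" rule ":=" value
_EXTENSIBLE = re.compile(
    rf"^(?:(?P<attr>{_NAME})(?P<dn>:dn)?(?::(?P<rule>{_NAME}))?"
    rf"|(?P<dn2>:dn)?:(?P<rule2>{_NAME})):=(?P<value>.*)$",
    re.S | re.I,
)

# RFC 4515 "valueencoding": any character except NUL ( ) * \,
# or a backslash followed by exactly two hex digits.
_VALUE = re.compile(r"^(?:[^\x00()*\\]|\\[0-9A-Fa-f]{2})*$", re.S)


def check_extensible(item):
    """Return (ok, reason) for one extensible match filter item."""
    m = _EXTENSIBLE.match(item)
    if not m:
        return False, "not an extensible match item"
    value = m.group("value")
    if _VALUE.match(value):
        return True, "valid extensible match"
    if "*" in value:
        # The grammar has no wildcard here: '*' only has meaning in the
        # separate "substring" and "present" filter items.
        return False, "unescaped '*' in assertion value"
    return False, "unescaped '(', ')', NUL or malformed '\\' escape"


def escape_value(raw):
    """Escape a literal string so it is a legal assertion value.

    The result matches a literal asterisk; it is not a wildcard.
    """
    return "".join(f"\\{ord(c):02x}" if c in "\x00()*\\" else c for c in raw)


if __name__ == "__main__":
    # The first two filters are the ones quoted in the message; the last
    # two are constructed for comparison.
    for f in ("sn:caseExactSubstringMatch:=*S*", "sn:2.5.13.7:=*S*",
              "sn:caseExactMatch:=Smith",
              "sn:caseExactMatch:=" + escape_value("*S*")):
        print(f, "->", check_extensible(f))
```
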
On Monday, 27 May 2019, 12:43:51 CEST, Michael Ströder wrote:
On 5/27/19 12:10 PM, Côme Chilliet wrote:
I’m trying to understand if it is possible or not to do a substring search on an attribute which does not specify a substring matching rule.
Which LDAP syntax is used in the attribute type description?
Well I’m interested in knowing if it’s possible with any kind of attribute, but the use case I came across was with ipHostNumber:
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
Côme
--On Monday, May 27, 2019 3:07 PM +0200 Côme Chilliet come@opensides.be wrote:
On Monday, 27 May 2019, 12:43:51 CEST, Michael Ströder wrote:
On 5/27/19 12:10 PM, Côme Chilliet wrote:
I'm trying to understand if it is possible or not to do a substring search on an attribute which does not specify a substring matching rule.
Which LDAP syntax is used in the attribute type description?
Well I'm interested in knowing if it's possible with any kind of attribute, but the use case I came across was with ipHostNumber:
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
That's an IA5 string, so use either:
caseExactIA5SubstringsMatch or caseIgnoreIA5SubstringsMatch
I.e., the matching rules should match the syntax.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Monday, May 27, 2019 8:45 AM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
That's an IA5 string, so use either:
caseExactIA5SubstringsMatch or caseIgnoreIA5SubstringsMatch
I.e., the matching rules should match the syntax.
Although I see what you mean, it doesn't like an * anywhere in the filter.
--Quanah
Hello,
It seems there is the same limitation for ordering, it is not possible to use extensible filters for this.
So, there is no way to filter on shadowExpire values which are less than today’s timestamp?
It sounds crazy that such basic needs are not covered by LDAP protocol, have I missed something?
Côme
--On Tuesday, June 18, 2019 12:20 PM +0200 Côme Chilliet come@opensides.be wrote:
So, there is no way to filter on shadowExpire values which are less than today's timestamp?
shadowExpire is defined as an integer type, not as a timestamp, so no.
It sounds crazy that such basic needs are not covered by LDAP protocol, have I missed something?
It's not clear to me what this has to do with the LDAP protocol. The definition of the "expire" field from /etc/shadow is:
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
So it's an integer (just as the RFC defines it). I would imagine you could write something that converts a current timestamp into the number of days, etc, and then perform a search.
--Quanah
On 6/18/19 9:36 PM, Quanah Gibson-Mount wrote:
--On Tuesday, June 18, 2019 12:20 PM +0200 Côme Chilliet come@opensides.be wrote:
So, there is no way to filter on shadowExpire values which are less than today's timestamp?
shadowExpire is defined as an integer type, not as a timestamp, so no.
Besides that one should not use shadowAccount->shadowExpire for password expiry anymore.
Ciao, Michael.
openldap-technical@openldap.org