3:10 a.m.
Hello,
I’m trying to understand if it is possible or not to do a substring search on an attribute
which does not specify a substring matching rule.
I was expecting to be able to use an extensible filter and specify the sub matching rule
to use, but it does not seem to work ldapsearch says "ldap_search_ext: Bad search
filter (-7)" as soon as the filter contains an asterisk.
And indeed reading https://tools.ietf.org/html/rfc4515 it does look like extensible filter
does not allow asterisk, but it is surprising to me.
Is there really no way to do an extensible search on a substring?
I found some examples on the web of such filters, like here:
http://www.zytrax.com/books/ldap/apa/search.html
They give these examples:
# override SUBSTR match with case sensitive match
sn:caseExactSubstringMatch:=*S* # only finds Smith
# functionally same as above using OID
sn:2.5.13.7:=*S*
But these do not work if I try them in ldapsearch I get bad search filter.
Côme
5:07 a.m.
Le lundi 27 mai 2019, 12:43:51 CEST Michael Ströder a écrit :
On 5/27/19 12:10 PM, Côme Chilliet wrote:
> I’m trying to understand if it is possible or not to do a substring
> search on an attribute which does not specify a substring matching
> rule.
Which LDAP syntax is used in the attribute type description?
Well I’m interested in knowing if it’s possible with any kind of attribute, but the
usecase I came across was with ipHostNumber:
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IP address'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
Côme
7:45 a.m.
--On Monday, May 27, 2019 3:07 PM +0200 Côme Chilliet <come(a)opensides.be>
wrote:
Le lundi 27 mai 2019, 12:43:51 CEST Michael Ströder a écrit :
> On 5/27/19 12:10 PM, Côme Chilliet wrote:
> > I'm trying to understand if it is possible or not to do a substring
> > search on an attribute which does not specify a substring matching
> > rule.
> Which LDAP syntax is used in the attribute type description?
Well I'm interested in knowing if it's possible with any kind of
attribute, but the usecase I came across was with ipHostNumber:
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IP address'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
That's an IA5 string, so use either:
caseExactIA5SubstringsMatch
or
caseIgnoreIA5SubstringsMatch
I.e., the matching rules should match the syntax.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
7:52 a.m.
--On Monday, May 27, 2019 8:45 AM -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
> attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
> DESC 'IP address'
> EQUALITY caseIgnoreIA5Match
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
That's an IA5 string, so use either:
caseExactIA5SubstringsMatch
or
caseIgnoreIA5SubstringsMatch
I.e., the matching rules should match the syntax.
Although I see what you mean, it doesn't like an * anywhere in the filter.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
2:20 a.m.
New subject: Extensible filters and ordering searches: filtering shadowExpire by range?
Hello,
It seems there is the same limitation for ordering, it is not possible to use extensible
filters for this.
So, there is no way to filter on shadowExpire values which are less than today’s
timestamp?
It sounds crazy that such basic needs are not covered by LDAP protocol, have I missed
something?
Côme
12:36 p.m.
New subject: Extensible filters and ordering searches: filtering shadowExpire by range?
--On Tuesday, June 18, 2019 12:20 PM +0200 Côme Chilliet
<come(a)opensides.be> wrote:
So, there is no way to filter on shadowExpire values which are less
than
today's timestamp?
shadowExpire is defined as an integer type, not as a timestamp, so no.
It sounds crazy that such basic needs are not covered by LDAP
protocol,
have I missed something?
It's not clear to me what this has to do with the LDAP protocol. The
definition of the "expire" field from /etc/shadow is:
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute
date specifying when the login may no longer be used.
So it's an integer (just as the RFC defines it). I would imagine you could
write something that converts a current timestamp into the number of days,
etc, and then perform a search.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1:56 p.m.
New subject: Extensible filters and ordering searches: filtering shadowExpire by range?
On 6/18/19 9:36 PM, Quanah Gibson-Mount wrote:
--On Tuesday, June 18, 2019 12:20 PM +0200 Côme Chilliet
<come(a)opensides.be> wrote:
> So, there is no way to filter on shadowExpire values which are less than
> today's timestamp?
shadowExpire is defined as an integer type, not as a timestamp, so no.
Besides that one should not use shadowAccount->shadowExpire for password
expiry anymore.
Ciao, Michael.
1379
days inactive
1401
days old
openldap-technical@openldap.org
7 comments
3 participants
participants (3)
-
Côme Chilliet -
Michael Ströder -
Quanah Gibson-Mount