Hi,
I'm having problems finding documentation for range filters. Can someone explain to me how to use a range filter on shadowExpire?
From nis.schema:

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

so it's an integer value.

From my slapd.conf (openldap 2.3.38):

index shadowExpire pres,eq
I'd like to find entries where either shadowExpire is not present, or shadowExpire is present and greater than or equal to X.
# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire=*))' dn
returns 978 entries.

# ldapsearch -x '(&(objectclass=shadowaccount)(!(shadowexpire=*)))' dn
returns 311 entries.

But:

# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>1000))' dn
gives me
ldap_search_ext: Bad search filter (-7)

and

# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>=1000))' dn
returns no results.

At least one entry has shadowExpire > 1000:

# ldapsearch -x -LLL uid=toni objectclass shadowexpire
dn: cn=Batovanja Antonio,ou=People,ou=EDV Zentrale,dc=humanomed,dc=at
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hmUserExtention
objectClass: organizationalPerson
shadowExpire: 20000

My final filter should be

(|(shadowExpire=0)(shadowExpire>=14910)(!(shadowExpire=*)))

but that's not working.
What am I doing wrong?
Cheers, Toni
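An added example, not part of the original post: a small Python model of RFC 4511's three-valued filter evaluation applied to the final filter above. It assumes that, because the quoted schema line gives shadowExpire an EQUALITY rule but no ORDERING rule, the server treats the `>=` assertion as Undefined; `>` on its own is not an RFC 4515 filter operator at all (only `>=` and `<=` exist), which fits the "Bad search filter" error. Entry names and values are constructed.

```python
# Added illustration: RFC 4511 three-valued filter logic modelled in plain
# Python. Nothing here talks to a real slapd.
TRUE, FALSE, UNDEF = "TRUE", "FALSE", "UNDEFINED"

# From the nis.schema line quoted in the post: EQUALITY only, no ORDERING.
SCHEMA = {"shadowexpire": {"equality": "integerMatch", "ordering": None}}

def evaluate(f, entry):
    """f is a tuple AST: ('or', ...), ('not', x), ('present', a), ('eq'|'ge', a, v)."""
    op = f[0]
    if op == "or":
        results = [evaluate(sub, entry) for sub in f[1:]]
        if TRUE in results:
            return TRUE
        return UNDEF if UNDEF in results else FALSE
    if op == "not":
        return {TRUE: FALSE, FALSE: TRUE, UNDEF: UNDEF}[evaluate(f[1], entry)]
    attr = f[1].lower()
    values = entry.get(attr, [])
    if op == "present":
        return TRUE if values else FALSE
    if op == "eq":
        return TRUE if f[2] in values else FALSE
    if op == "ge":
        if SCHEMA[attr]["ordering"] is None:
            return UNDEF  # assumption: no ordering rule, assertion is Undefined
        return TRUE if any(v >= f[2] for v in values) else FALSE
    raise ValueError(op)

# The poster's filter: (|(shadowExpire=0)(shadowExpire>=14910)(!(shadowExpire=*)))
FINAL = ("or", ("eq", "shadowExpire", 0), ("ge", "shadowExpire", 14910),
         ("not", ("present", "shadowExpire")))

# Constructed entries, one per case the filter is meant to distinguish.
ENTRIES = {"never": {"shadowexpire": [0]}, "unset": {},
           "future": {"shadowexpire": [20000]}, "past": {"shadowexpire": [1000]}}

def returned(f=FINAL):
    """A search returns only the entries for which the filter is TRUE."""
    return sorted(n for n, e in ENTRIES.items() if evaluate(f, e) == TRUE)

def client_side(threshold=14910):
    """Fallback: fetch shadowExpire and do the integer comparison in the client."""
    return sorted(n for n, e in ENTRIES.items()
                  if not e.get("shadowexpire") or e["shadowexpire"][0] == 0
                  or e["shadowexpire"][0] >= threshold)
```

Under this model the entry with shadowExpire 20000 is never returned by the server-side filter, while the client-side comparison selects it.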
I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few applications that leverage the OpenLDAP users and groups. However, I seem to be running in to a little trouble, perhaps because I'm expecting alias dereferencing to do something it wasn't really designed to do. For reference, this is 2.4.21, but I was able to test on a 2.4.23 database with the same results. I'm using the autogroup module as well for some pseudo-static dynamic groups. Consider the following basic DIT and abbreviated set of entries (abbreviated entries denoted by '...'):
dn: dc=example,dc=com

dn: ou=Users,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com

dn: uid=john,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: uid=jane,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: uid=joe,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
objectClass: posixGroup
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
...

dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
cn: Systems Admins
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
When I initiate an ldapsearch and choose not to dereference, I see what I expect:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
cn: Systems Administrators
However, when I do choose to dereference, nothing is returned:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#
I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 4001
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomE
 mployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
I find it hard to believe that setting the search base to the alias entry is the only way which one may reference the alias entry - I can't see many cases in which it would be useful to set the search base to something other than the highest part of the tree under which all the other entries you'd like to view are accessible. Essentially, I just want to be able to search for the more aesthetically named entry (cn=Systems Administrators) without having to explicitly set it as the search base, and have it return the entry specified by its aliasedObjectName. Is this possible, and if so, how? If not, what is the recommended approach to achieving this goal, other than perhaps setting an attribute from an AUXILIARY objectClass or similar? I don't really consider creating the entries with the more aesthetic names from the get-go as an option, because dealing with POSIX groups that have spaces in them is a pain, and not everything plays nice with such naming schemes. Thanks for any/all advice.
Ryan Steele wrote:
> I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few applications that leverage the OpenLDAP users and groups. However, I seem to be running in to a little trouble, perhaps because I'm expecting alias dereferencing to do something it wasn't really designed to do. For reference, this is 2.4.21, but I was able to test on a 2.4.23 database with the same results. I'm using the autogroup module as well for some pseudo-static dynamic groups. Consider the following basic DIT and abbreviated set of entries (abbreviated entries denoted by '...'):
Your problem has nothing to do with alias dereferencing.
> dn: cn=sysadmins,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: groupOfURLs
> objectClass: posixGroup
> memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
> member: uid=john,ou=Users,dc=example,dc=com
> member: uid=jane,ou=Users,dc=example,dc=com
> member: uid=joe,ou=Users,dc=example,dc=com
> ...
>
> dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
> ou: Groups
> cn: Systems Admins
> objectClass: alias
> objectClass: extensibleObject
> aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
>
> When I initiate an ldapsearch and choose not to dereference, I see what I expect:
>
> joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
> dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
> ou: Groups
> objectClass: alias
> objectClass: extensibleObject
> aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
> cn: Systems Administrators
>
> However, when I do choose to dereference, nothing is returned:
>
> joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
> joe@ldap1:~#
>
> joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
> joe@ldap1:~#
Clearly the result you got is correct.
> I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
>
> joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
> dn: cn=sysadmins,ou=Groups,dc=example,dc=com
> ou: Groups
> gidNumber: 4001
> cn: sysadmins
> objectClass: groupOfURLs
> objectClass: top
> objectClass: posixGroup
> description: The sysadmin team members
> memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomE
>  mployee)(departmentName=sysadmins))
> member: uid=john,ou=Users,dc=example,dc=com
> member: uid=jane,ou=Users,dc=example,dc=com
> member: uid=joe,ou=Users,dc=example,dc=com
>
> I find it hard to believe that setting the search base to the alias entry is the only way which one may reference the alias entry
And that is clearly not the case, in fact.
Your last search is not equivalent to your previous searches, because the last time you omitted the **SEARCH FILTER**.
Think about it.
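An added example, not part of the thread: a simplified Python model of how the filter interacts with alias dereferencing in the searches above. It models only `-a never` and `-a always`, treats `cn` matching as exact, and uses a constructed DIT based on the entries in the original post; `search` and `deref` are hypothetical helper names.

```python
# Constructed DIT modelled on the entries in the thread (attributes abridged).
ROOT = "dc=example,dc=com"
ALIAS = "cn=Systems Administrators,ou=Groups," + ROOT
TARGET = "cn=sysadmins,ou=Groups," + ROOT
DIT = {
    ROOT: {"objectClass": ["domain"]},
    "ou=Groups," + ROOT: {"objectClass": ["organizationalUnit"], "ou": ["Groups"]},
    TARGET: {"objectClass": ["groupOfURLs", "posixGroup"], "cn": ["sysadmins"],
             "member": ["uid=john,ou=Users," + ROOT]},
    ALIAS: {"objectClass": ["alias", "extensibleObject"],
            "cn": ["Systems Administrators"], "aliasedObjectName": [TARGET]},
}

def deref(dn):
    """Follow aliasedObjectName until a non-alias entry is reached."""
    seen = set()
    while "alias" in DIT[dn]["objectClass"]:
        if dn in seen:
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"][0]
    return dn

def search(base, deref_mode, cn=None):
    """Subtree search; deref_mode is 'never' or 'always' (ldapsearch -a).
    cn=None models the default filter (objectClass=*)."""
    if deref_mode == "always":
        base = deref(base)              # dereference when locating the base
    hits = set()
    for dn in DIT:
        if dn != base and not dn.lower().endswith("," + base.lower()):
            continue                    # outside the subtree
        if deref_mode == "always":
            dn = deref(dn)              # alias is replaced by its target first
        if cn is None or cn in DIT[dn].get("cn", []):
            hits.add(dn)                # the filter sees the target's attributes
    return sorted(hits)
```

In this model the filter is tested against the dereferenced entry, whose `cn` is `sysadmins`, so a filter on the alias's own name matches nothing once dereferencing is on.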
Thanks for responding, Howard. Responses below.
Howard Chu wrote:
> Your problem has nothing to do with alias dereferencing.
Yes, I have to agree now that I (think I) know more about how aliases work in OpenLDAP.
>> I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
>
> And that is clearly not the case, in fact.
>
> Your last search is not equivalent to your previous searches, because the last time you omitted the **SEARCH FILTER**.
>
> Think about it.
I actually believe it is the case, but only because the behavior I'm expecting is not orthogonal to how aliases appear to work. Using FAQ-O-Matic entry #1111 as an example, searching without a filter just returns the aliased entry without any reference at all to the DN of the alias itself, which precludes me from being able to use the root of my DIT as the search base, search for the alias's DN, and having the attributes from the object to which it points returned. I suppose I will just have to look for another solution to satisfy this particular need, perhaps an auxiliary objectclass that will let me use a separate attribute for aesthetic display names. I'm certainly open to other suggestions if there is a more appropriate or fitting answer to this problem. For reference, what I'm after is something similar to the following behavior:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always '(cn=Aliased Group Name)' member
dn: cn=realgroupname,ou=Groups,dc=example,dc=com
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
Thanks for the advice/suggestions/cluebats!
openldap-technical@openldap.org