Hello all,
I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with).
Below the queries on AD:
User search filter: (objectClass=user)
User attribute: sAMAccountName
User browse filter: (|(objectClass=user)(objectClass=organizationalUnit))
Group search filter: (objectClass=group)
Group attribute: member
Group browse filter: (|(objectClass=group)(objectClass=organizationalUnit))
User member of attribute: memberOf
OU search filter: (objectClass=organizationalUnit)
Hope you can help with a suggestion, or at least a list of properties and values for objects, where I could search. Thanks,
Anita Luca
On Thu, May 19, 2011 at 8:08 AM, Anita Luca anlu@netop.com wrote:
> Hello all,
> I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with).
How to create a "filter" if we don't know the "entries"?
Thanks for the answer Reinaldo, Sorry, maybe I wasn't explicit enough..
I have, say, 3 user objects, with names User1, User2 and User3. Under AD, a user browse filter for this would be: (&(|(objectClass=user)(objectClass=organizationalUnit))(cn=*User**)) that would search for (objectClass=user OR objectClass=organizationalUnit) AND (cn contains "User")
But the AD object has the property objectClass and cn, and I know that values for objectClass can be "user" or "organizationalUnit" in my case. I don't know the structure of an object in OpenLDAP, to know what property would replace e.g. objectClass and cn, and what values they might have.
This might be a very simple thing, my problem is that I don't have access to an OpenLDAP environment, which makes it more difficult. With an LDAP browser I could just look at the objects, see the properties and values, and figure out what would work as filter. But without access to the environment, I don't even know what an object looks like, and what properties it has. I was hoping maybe there was a list somewhere, similar to this one for Active Directory, where I could just see the properties that exist: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_Use...
Thanks, Anita
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Reinaldo de Carvalho
Sent: 20 May 2011 17:43
To: openldap-technical@openldap.org
Subject: Re: OpenLDAP search filters
On Thu, May 19, 2011 at 8:08 AM, Anita Luca anlu@netop.com wrote:
Hello all,
I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with).
How to create a "filter" if we don't know the "entries"?
-- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net
"While not fully understand a software, don't try to adapt this software to the way you work, but rather yourself to the way the software works" (myself)
Anita Luca wrote:
> Thanks for the answer Reinaldo, Sorry, maybe I wasn't explicit enough..
> I have, say, 3 user objects, with names User1, User2 and User3. Under AD, a user browse filter for this would be: (&(|(objectClass=user)(objectClass=organizationalUnit))(cn=*User**)) that would search for (objectClass=user OR objectClass=organizationalUnit) AND (cn contains "User")
> But the AD object has the property objectClass and cn, and I know that values for objectClass can be "user" or "organizationalUnit" in my case. I don't know the structure of an object in OpenLDAP, to know what property would replace e.g. objectClass and cn, and what values they might have.
objectClass is part of the core LDAP (and X.500) specification, every directory entry must contain it. cn is part of the core schema as well, although Microsoft has perverted its definition in their implementation.
Your example is strange since generally users are not organizationalUnits.
> This might be a very simple thing, my problem is that I don't have access to an OpenLDAP environment, which makes it more difficult. With an LDAP browser I could just look at the objects, see the properties and values, and figure out what would work as filter. But without access to the environment, I don't even know what an object looks like, and what properties it has. I was hoping maybe there was a list somewhere, similar to this one for Active Directory, where I could just see the properties that exist: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_Use...
Read RFC4512 and RFC4519 to see the core LDAP schema definitions. You don't need a running OpenLDAP installation, you just need to read the LDAP specifications.
Of course, it's not like there's anything preventing you from downloading OpenLDAP and seeing what's in it for yourself.
> Thanks, Anita
openldap-technical@openldap.org
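Added example, not part of the thread: a small RFC 4515 filter parser that rewrites the AD filters quoted above into their standard-schema equivalents and builds the "cn contains" browse filter with the search term escaped. The class and attribute mapping (inetOrgPerson from RFC 2798, groupOfNames and uid from RFC 4519) is an assumption about the target directory's schema, and all function names are hypothetical.

```python
import re

# Assumed mapping (not from the thread); real names depend on the directory's schema.
CLASS_MAP = {"user": "inetOrgPerson", "group": "groupOfNames"}
ATTR_MAP = {"samaccountname": "uid"}
ITEM = re.compile(r"([A-Za-z][\w.;-]*)([~<>]?=)([^()]*)")

def parse(f, i=0):
    """Parse an RFC 4515 filter into nested tuples; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        # Simple items only (attr=value, ~=, >=, <=); extensible match is not handled.
        m = ITEM.fullmatch(f, i, max(f.find(")", i), i))
        if m is None:
            raise ValueError(f"malformed item at offset {i}")
        node, i = ("item",) + m.groups(), m.end()
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def translate(node):
    if node[0] != "item":
        return (node[0], [translate(k) for k in node[1]])
    _, attr, op, val = node
    if attr.lower() == "objectclass":
        val = CLASS_MAP.get(val.lower(), val)
    return ("item", ATTR_MAP.get(attr.lower(), attr), op, val)

def render(node):
    if node[0] == "item":
        return "({}{}{})".format(*node[1:])
    return "(" + node[0] + "".join(map(render, node[1])) + ")"

def escape(text):
    """RFC 4515 escaping so a search term cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in text)

def browse_filter(ad_filter, term):
    tree = translate(parse(ad_filter)[0])
    return render(("&", [tree, ("item", "cn", "=", f"*{escape(term)}*")]))
```

The memberOf attribute from the AD list is not populated by a default OpenLDAP install; it is maintained by the memberof overlay when that overlay is configured.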