I have the following structure in my OpenLDAP:
ou = groups
|_cn = system1
| |_cn = Group1
| |_cn = Group2
|_cn = system2
  |_cn = Group1
  |_cn = Group2
I need to perform a search and return only users who are registered on system1, regardless of the registered group. When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned. How do I perform this search in OpenLDAP? In search Oracle SJDS works!
On 01/28/15 18:19 +0000, Alessandro Lasmar Mourao wrote:
> I have the following structure in my OpenLDAP:
>
> ou = groups
> |_cn = system1
> | |_cn = Group1
> | |_cn = Group2
> |_cn = system2
>   |_cn = Group1
>   |_cn = Group2
>
> I need to perform a search and return only users who are registered on system1, regardless of the registered group. When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned. How do I perform this search in OpenLDAP? In search Oracle SJDS works!
Please provide a more concrete example of your DIT layout.
Alessandro Lasmar Mourao wrote:
> I have the following structure in my OpenLDAP:
>
> ou = groups
> |_cn = system1
> | |_cn = Group1
> | |_cn = Group2
> |_cn = system2
>   |_cn = Group1
>   |_cn = Group2
>
> I need to perform a search and return only users who are registered on system1, regardless of the registered group. When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned. How do I perform this search in OpenLDAP?
Attribute 'memberOf' is of LDAP syntax DistinguishedName. Therefore the SUBSTR matching rule for DirectoryString syntax does not apply.
You could use this filter:
(memberOf:dnSubordinateMatch:=cn=system1,ou=groups)
Not exactly the same since it does not assert the group entry RDN being 'cn' but it matches your textual description.
> In search Oracle SJDS works!
Is Oracle SJDS yet another LDAP server product name for the former Sun product or Oracle's OID?
If the search with memberOf=cn=*,cn=system1,ou=groups works there they do not implement proper DN syntax checking and matching rules and simply apply e.g. the DirectoryString SUBSTR matching rule or whatever. That's convenient for lazy programmers but is not compliant to RFC 4517. A typical behaviour of Sun's DSSE up to 6.x.
Ciao, Michael.
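As an added illustration (not code from this thread or from OpenLDAP), the Python sketch below models the difference described in the reply above: DN-aware subordinate matching versus globbing over the DN text. The user names, memberOf values and helper functions are constructed for the example, and the DN parsing is simplified (single-valued RDNs, case-insensitive comparison).

```python
from fnmatch import fnmatchcase

def split_rdns(dn):
    """Split a DN on unescaped commas into normalised (type, value) pairs.
    Simplified: single-valued RDNs only, case-insensitive values."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def dn_subordinate_match(value_dn, asserted_dn):
    """Model of dnSubordinateMatch: value is strictly below the asserted DN."""
    value, base = split_rdns(value_dn), split_rdns(asserted_dn)
    return len(value) > len(base) and value[-len(base):] == base

def naive_wildcard(value_dn, pattern):
    """String globbing over the DN text, as a lax server might do."""
    return fnmatchcase(value_dn.lower(), pattern.lower())

# Constructed memberOf values for illustration.
MEMBER_OF = {
    "alice": ["cn=Group1,cn=system1,ou=groups"],
    "bob": ["cn=Group2,cn=system2,ou=groups"],
    "carol": ["CN=Group2, CN=system1, OU=groups"],       # same DN, other spelling
    "dave": ["cn=system1,ou=groups"],                     # the base entry itself
    "erin": ["ou=apps,cn=Group1,cn=system1,ou=groups"],   # deeper, non-cn RDN
    "frank": ["cn=x\\,cn=system1,ou=groups"],             # escaped comma: one RDN under ou=groups
}

def select(match, assertion):
    return sorted(u for u, dns in MEMBER_OF.items()
                  if any(match(dn, assertion) for dn in dns))

if __name__ == "__main__":
    print("dnSubordinateMatch:", select(dn_subordinate_match, "cn=system1,ou=groups"))
    print("string wildcard:   ", select(naive_wildcard, "cn=*,cn=system1,ou=groups"))
```

The DN-aware match selects erin as well, since it does not assert that the group RDN is 'cn', while the string wildcard misses carol and wrongly selects frank. That matters when such a filter decides who has access to system1.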
Michael,
Thanks for the help!! When I used the filter memberOf:dn:dnSubordinateMatch:=cn=system1,ou=groups it works!!!
Thanks a lot,
Alessandro Lasmar Mourão
-----Original message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Wednesday, January 28, 2015 18:13
To: Alessandro Lasmar Mourao; openldap-technical@openldap.org
Subject: Re: Search with wildcard