Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
But you are basically changing the semantics of attribute authorizedService: Before "*" was literal, after it is magic (substring match).
The discussion on which variant is more useful is a different issue ;-)
for *my* flow, the variant of original schema is unusable since I have pleny of values and to hardcode all of them for all available searches is not good idea, to my mind ...
if to return to the starting question:
is there other way to get originally SUBSTR-less attributes to be matchable by substring, except hacking the scheme?
On Thu, Oct 19, 2017 at 02:02:55PM +0300, Zeus Panchenko wrote:
is there other way to get originally SUBSTR-less attributes to be matchable by substring, except hacking the scheme?
You could try using the extended search filter syntax:
(dhcpOption:caseIgnoreSubstringsMatch:=boot*)
See RFC4515 for more details. In practice you will probably want to create a suitable index on the attribute unless the search will also include another attribute that is already indexed and which will cut down the number of results sufficiently. e.g.
(&(hostCategory=finance)(dhcpOption:caseIgnoreSubstringsMatch:=boot*))
Andrew
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
You could try using the extended search filter syntax:
(dhcpOption:caseIgnoreSubstringsMatch:=boot*)
See RFC4515 for more details. In practice you will probably want to create a
I tried and failed ... where did I mistake? :(
for original ldapns.schema
1. search works with filter: (authorizedService=mail@hh001.umidb) (and without index it returns empty result)
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService=mail@hh001.umidb) # requesting: authorizedService uid #
# mail@hh001.umidb, tafij.tafus, People, umidb dn: authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb uid: tafij.tafus@mail authorizedService: mail@hh001.umidb
# tafij.tafus@hh001.umidb, mail@hh001.umidb, tafij.tafus, People, umidb dn: uid=tafij.tafus@hh001.umidb,authorizedService=mail@hh001.umidb,uid=tafij.t afus,ou=People,dc=umidb authorizedService: mail@hh001.umidb uid: tafij.tafus@hh001.umidb
# search result search: 2 result: 0 Success
2. search, though empty, but works with filter: (authorizedService=mail@hh001.um*)
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService=mail@hh001.um*) # requesting: authorizedService uid #
# search result search: 2 result: 0 Success
3. search (expectedly) works with filter: (authorizedService:caseIgnoreMatch:=mail@hh001.umidb)
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService:caseIgnoreMatch:=mail@hh001.umidb) # requesting: authorizedService uid #
# mail@hh001.umidb, tafij.tafus, People, umidb dn: authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb uid: tafij.tafus@mail authorizedService: mail@hh001.umidb
# tafij.tafus@hh001.umidb, mail@hh001.umidb, tafij.tafus, People, umidb dn: uid=tafij.tafus@hh001.umidb,authorizedService=mail@hh001.umidb,uid=tafij.t afus,ou=People,dc=umidb authorizedService: mail@hh001.umidb uid: tafij.tafus@hh001.umidb
# search result search: 2 result: 0 Success
4. search (unexpectedly) does not work at all with filter: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi*)
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi*) # requesting: authorizedService uid #
ldap_search_ext: Bad search filter (-7)
so ... I'm again where I was ... schema patch is the kludge but still no other way to get that search :(
On Fri, Oct 20, 2017 at 01:08:01PM +0300, Zeus Panchenko wrote:
- search works with filter: (authorizedService=mail@hh001.umidb) (and without index it returns empty result)
That is odd. Th eindex should only be a performance thing - it should not change the results at all. You need to be very careful about using slapindex whenever you change the list of indexes.
search (unexpectedly) does not work at all with filter: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi*)
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi*) # requesting: authorizedService uid #
ldap_search_ext: Bad search filter (-7)
That surprised me, so I asked around at LDAPCon today. Howard points out that '*' is not encoded on the wire: it just triggers a specific search form - in this case sub-initial. It may be that you cannot request sub-initial or sub-final with this syntax :-(
Try this:
(authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi)
The idea is that it should trigger an 'any substring' (i.e. 'contains') search.
Andrew
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
Try this: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi)
now there is no error message, though the result is still empty
alas ...
# base <ou=People,dc=umidb> with scope subtree # filter: (authorizedService:caseIgnoreSubstringsMatch:=mail@hh001.umi) # requesting: authorizedService uid #
# search result search: 2 result: 0 Success
openldap-technical@openldap.org
-
Andrew Findlay -
Zeus Panchenko