Discussion:
ldapsearch: Search for Operational Attributes using wildcards
Uncle Hildegard
2012-04-25 16:53:43 UTC
Hi there,

I don't understand what's happening here so hopefully someone can help me
with this.

I have a DIT that contains objects like this:

uid=test,ou=user,ou=sales,o=Testcompany

Now I want to find out all objects that have "sales" in their DN. Since DN
is not an attribute one can search for I used the operational attribute
"entryDN":
ldapsearch -x "(entryDN=*sales*)" cn
That search didn't find anything.

After that I tried
ldapsearch -x "(entryDN=uid=test,ou=user,ou=sales,o=Testcompany)" cn
and got the expected result.

Now it seems that as soon as I use a wildcard in the filter argument the
search returns nothing.
Even
ldapsearch -x "(entryDN=uid=test,ou=user,ou=sales,o=Testcompan*)" cn
returns nothing.

I've also tried things like
ldapsearch -x "(entryDN:dnSubtreeMatch:=*sales*)" cn
which returned no result either.


Any ideas what I'm doing wrong? Any help would be greatly appreciated!

Cheers -- Markus
Philip Guenther
2012-04-25 17:25:46 UTC
Post by Uncle Hildegard
uid=test,ou=user,ou=sales,o=Testcompany
Now I want to find out all objects that have "sales" in their DN. Since DN
is not an attribute one can search for <...>
Yes you can:
(ou:dn:=sales)


Philip
Michael Ströder
2012-04-25 17:27:54 UTC
Post by Uncle Hildegard
uid=test,ou=user,ou=sales,o=Testcompany
Now I want to find out all objects that have "sales" in their DN.
Try out the filter (ou:dn:=sales)
Post by Uncle Hildegard
ldapsearch -x "(entryDN=*sales*)" cn
That search didn't find anything.
After that I tried
ldapsearch -x "(entryDN=uid=test,ou=user,ou=sales,o=Testcompany)" cn
and got the expected result.
Now it seems that as soon as I use a wildcard in the filter argument the
search returns nothing.
Even
ldapsearch -x "(entryDN=uid=test,ou=user,ou=sales,o=Testcompan*)" cn
returns nothing.
entryDN is of LDAP syntax Distinguished Name (1.3.6.1.4.1.1466.115.121.1.12)
for which substring matching does not work just like for Directory String.
Look into the server's subschema subentry to find the applicable matching rules.

On my OpenLDAP server these are:
distinguishedNameMatch, dnOneLevelMatch, dnSubordinateMatch, dnSubtreeMatch,
dnSuperiorMatch
Post by Uncle Hildegard
I've also tried things like
ldapsearch -x "(entryDN:dnSubtreeMatch:=*sales*)" cn
which returned no result either.
This should be

(entryDN:dnSubtreeMatch:=ou=user,ou=sales,o=Testcompany)

Ciao, Michael.
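
The behaviour Michael describes can be seen without a server. The following is an added example (not code from the thread, and not OpenLDAP code): a toy filter evaluator over a constructed DIT shaped like the poster's entry. It implements the extensible-match syntax `(attr[:dn][:rule]:=value)`, the DN matching rules Michael lists with the semantics I assume OpenLDAP gives them (an assumption; verify against your own server), and treats a wildcard assertion against a DN-syntax attribute as Undefined, which is why `(entryDN=*sales*)` selects nothing while `(ou:dn:=sales)` and `(entryDN:dnSubtreeMatch:=...)` do. The entries and DN escaping are deliberately simplified.

```python
import re

# Constructed sample DIT (DN -> attributes), shaped like the entry in the
# question; these are not the poster's real data.
ENTRIES = {
    "o=Testcompany": {"o": ["Testcompany"]},
    "ou=sales,o=Testcompany": {"ou": ["sales"]},
    "ou=user,ou=sales,o=Testcompany": {"ou": ["user"]},
    "uid=test,ou=user,ou=sales,o=Testcompany": {"uid": ["test"], "cn": ["Test User"]},
    "uid=bob,ou=user,ou=support,o=Testcompany": {"uid": ["bob"], "cn": ["Bob"]},
}


def parse_dn(dn):
    """Split a DN into RDNs (leftmost first); each RDN is a list of
    (attribute, value) pairs. Only backslash-escaped ',' and '+' are handled,
    which is enough here (full RFC 4514 escaping is more involved)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr, _, value = ava.partition("=")
            value = value.strip().replace("\\,", ",").replace("\\+", "+")
            avas.append((attr.strip().lower(), value))
        rdns.append(avas)
    return rdns


def normalize(dn):
    """Case-insensitive, order-insensitive form used for DN comparison."""
    return [frozenset((a, v.lower()) for a, v in rdn) for rdn in parse_dn(dn)]


def _is_suffix(upper, lower):
    """True if the normalized DN `upper` names `lower` itself or an ancestor."""
    n = len(upper)
    return n <= len(lower) and lower[len(lower) - n:] == upper


def dn_match(rule, entry_dn, asserted_dn):
    """The DN matching rules listed in the thread, with the semantics I
    assume OpenLDAP gives them (assumption, check your server)."""
    e, a = normalize(entry_dn), normalize(asserted_dn)
    if rule == "distinguishedNameMatch":
        return e == a
    if rule == "dnSubtreeMatch":        # entry is the asserted DN or below it
        return _is_suffix(a, e)
    if rule == "dnSubordinateMatch":    # entry is strictly below the asserted DN
        return len(e) > len(a) and _is_suffix(a, e)
    if rule == "dnOneLevelMatch":       # entry is an immediate child of it
        return len(e) == len(a) + 1 and _is_suffix(a, e)
    if rule == "dnSuperiorMatch":       # entry is an ancestor of the asserted DN
        return len(e) < len(a) and _is_suffix(e, a)
    raise ValueError("unknown matching rule: " + rule)


def parse_filter(filt):
    """Parse one filter item: (attr=value) or the extensible form
    (attr[:dn][:rule]:=value). Returns (attr, dn_flag, rule, value)."""
    lhs, _, value = filt.strip()[1:-1].partition("=")
    if lhs.endswith(":"):
        parts = lhs[:-1].split(":")
        rules = [p for p in parts[1:] if p != "dn"]
        return parts[0], "dn" in parts[1:], (rules[0] if rules else None), value
    return lhs, False, None, value


def matches(entry_dn, attrs, filt):
    """Evaluate one filter item against one entry."""
    attr, dn_flag, rule, value = parse_filter(filt)
    attr = attr.lower()
    if attr == "entrydn":
        # entryDN has DN syntax: only the DN rules above apply. A wildcard
        # assertion is not a valid DN, so the item is Undefined -> no match.
        if "*" in value:
            return False
        return dn_match(rule or "distinguishedNameMatch", entry_dn, value)
    candidates = [v.lower() for v in attrs.get(attr, [])]
    if dn_flag:  # ':dn:' also tests the value against the entry's own RDNs
        candidates += [v for rdn in normalize(entry_dn) for a, v in rdn if a == attr]
    if "*" in value:  # Directory String attributes do have a SUBSTR rule
        pattern = re.escape(value.lower()).replace(r"\*", ".*")
        return any(re.fullmatch(pattern, v) for v in candidates)
    return value.lower() in candidates


def search(filt, entries=ENTRIES):
    """Return the DNs of all entries the filter item selects."""
    return [dn for dn, attrs in entries.items() if matches(dn, attrs, filt)]


if __name__ == "__main__":
    for f in ["(entryDN=*sales*)", "(ou:dn:=sales)",
              "(entryDN:dnSubtreeMatch:=ou=user,ou=sales,o=Testcompany)"]:
        print(f, "->", search(f))
```

Running it shows the first filter selecting nothing, the `:dn:` form selecting every entry whose DN carries an `ou=sales` RDN, and the `dnSubtreeMatch` form selecting the asserted entry and everything beneath it.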
Uncle Hildegard
2012-04-26 13:54:14 UTC
Hi Philip + Michael,
Post by Michael Ströder
Try out the filter (ou:dn:=sales)
ok, that works, many thanks for your advice.
Post by Michael Ströder
entryDN is of LDAP syntax Distinguished Name
(1.3.6.1.4.1.1466.115.121.1.12) for which substring matching does
not work just like for Directory String. Look into the server's
subschema subentry to find the applicable matching rules.
Ok, in "newbie-speak" ;-) that means that there are certain objects in
the DIT that don't accept wildcards in filters, right?
I must admit that I haven't understood (yet) why that is and how I can
tell if an object supports it or not. Can you point me to some kind of
documentation where this is explained?


Thanks a lot for your help!

Cheers -- Markus
Michael Ströder
2012-04-26 17:33:43 UTC
Post by Uncle Hildegard
Post by Michael Ströder
entryDN is of LDAP syntax Distinguished Name
(1.3.6.1.4.1.1466.115.121.1.12) for which substring matching does
not work just like for Directory String. Look into the server's
subschema subentry to find the applicable matching rules.
Ok, in "newbie-speak" ;-) that means that there are certain objects in
the DIT that don't accept wildcards in filters, right?
Yes. There are attribute types for which no SUBSTR matching rule is defined or
implemented. You have to look at the subschema to find out for a particular
attribute type. Use a decent schema browser for that.

web2ldap has a built-in schema browser which displays all this including
inheritance. But being the author I'm biased of course.

https://demo.web2ldap.de:1760/web2ldap/oid?ldap://ldap.uninett.no/dc=uninett,dc=no
Post by Uncle Hildegard
I must admit that I haven't understood (yet) why that is and how I can tell if
an object supports it or not. Can you point me to some kind of documentation
where this is explained?
RFC 4512 describes this in detail.

Ciao, Michael.
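
As an added illustration of "look at the subschema to find out for a particular attribute type" (this is not code from the thread or from web2ldap): a small parser for attributeTypes definitions that follows SUP inheritance and reports which matching rule, if any, a filter item would use. The definitions embedded below are constructed in RFC 4512 style and are assumed to resemble a typical OpenLDAP cn=Subschema entry; read your own server's subschema subentry (for example `ldapsearch -x -b cn=Subschema -s base attributeTypes`) rather than relying on them. With these definitions, `ou` inherits `caseIgnoreSubstringsMatch` from `name`, whereas `entryDN` has only `distinguishedNameMatch`, so a wildcard assertion on it is Undefined.

```python
import re

# Constructed attributeTypes values in RFC 4512 style (assumption: shaped like
# a typical OpenLDAP cn=Subschema entry; your server's output is authoritative).
ATTRIBUTE_TYPES = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP name )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 1.3.6.1.1.20 NAME 'entryDN' DESC 'DN of the entry' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
]

# NAME is either one quoted descriptor or a parenthesised list of them.
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def parse_attribute_type(definition):
    """Pull the fields this check needs out of one attributeTypes value."""
    body = definition.strip()[1:-1].strip()        # drop the outer parentheses
    oid, _, rest = body.partition(" ")
    at = {"oid": oid, "names": [], "sup": None, "equality": None,
          "substr": None, "syntax": None}
    m = NAME_RE.search(rest)
    if m:
        at["names"] = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    for key in ("sup", "equality", "substr", "syntax"):
        # the syntax OID may carry a {length} suffix, which is left out here
        m = re.search(r"\b%s\s+([\w.-]+)" % key.upper(), rest)
        if m:
            at[key] = m.group(1)
    return at


def load_schema(definitions):
    """Index parsed attribute types by OID and by every NAME (case-insensitive)."""
    schema = {}
    for definition in definitions:
        at = parse_attribute_type(definition)
        for key in [at["oid"]] + at["names"]:
            schema[key.lower()] = at
    return schema


def effective(schema, attr, field):
    """Resolve `field` for `attr`, walking SUP: a subtype inherits the matching
    rules and syntax it does not state itself (RFC 4512)."""
    seen, at = set(), schema.get(attr.lower())
    while at is not None and at["oid"] not in seen:
        seen.add(at["oid"])
        if at[field]:
            return at[field]
        at = schema.get((at["sup"] or "").lower())
    return None


def rule_for_filter(schema, attr, assertion):
    """Name the matching rule the server would apply to (attr=assertion), or
    None when the item is Undefined: a wildcard assertion against a type with
    no SUBSTR rule anywhere in its SUP chain, or an unknown attribute type."""
    field = "substr" if "*" in assertion else "equality"
    return effective(schema, attr, field)


if __name__ == "__main__":
    schema = load_schema(ATTRIBUTE_TYPES)
    for attr, assertion in [("entryDN", "*sales*"), ("ou", "*sales*"),
                            ("entryDN", "uid=test,ou=user,ou=sales,o=Testcompany")]:
        print("(%s=%s) ->" % (attr, assertion), rule_for_filter(schema, attr, assertion))
```

The SUP walk is the part a plain `grep` of the subschema misses: `ou` itself names no SUBSTR rule, so you have to follow it up to `name` to see that substring filters on `ou` are fine.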
