
JLDAP question



Hi, we've had JLDAP embedded in our project for 3-4 years and it's been easy to maintain (actually no maintenance required!).

I now need to extend it and need to find out a few things - I must confess to not knowing much about LDAP and what its query language is capable of, so if I ask the question here I'm sure if it cannot be answered easily then someone will recommend a good web resource :-)

Our first issue: currently we use LDAPConnection.search() to retrieve all the users that are members of a group in a particular OU. This has always been fine with small setups where admins have happily made (manually) the users part of the group. However in larger LDAP setups, where the users may already be in one of several groups, it's a lot of extra work (potentially) to manage them (making them all members also of our group). What we'd ideally like is for the admins to be able to add those existing groups themselves to our group.
This is possible of course, but when we are iterating over the search results, we get all the existing individually added members, but when it comes to an added group, we get just the group entry (no real surprise).
So my question is, can the search be written in a way that if the search results were to include a group, all the members of that group are actually returned in the results? (Sort of like 'auto-expand' groups.) If that isn't possible then I assume we'll have to refactor our code to automatically do another search within the search if we encounter a group entry within the results?

BTW here is a trimmed-down version of the search code:

    import com.novell.ldap.LDAPConnection;
    import com.novell.ldap.LDAPEntry;
    import com.novell.ldap.LDAPException;
    import com.novell.ldap.LDAPSearchConstraints;
    import com.novell.ldap.LDAPSearchResults;

    // _lc is an LDAPConnection that has already been connected and bound
    void findGroupMembers(LDAPConnection _lc) throws LDAPException {
        String aGroupname = "bob";
        int searchScope = LDAPConnection.SCOPE_SUB;
        String attrs[] = {
            "msDS-UserAccountDisabled", "ms-DS-UserAccountAutoLocked", "msDS-UserPasswordExpired",
            "isDeleted", "CN", "sAMAccountName", "distinguishedName", "givenName", "middleName", "sn",
            "memberOf", "mail", "name", "employeeID"};
        boolean attributeOnly = false;
        String searchDN = "OU=....";
        String searchFilterA = "(memberOf=CN=" + aGroupname + "," + searchDN + ")";
        String searchFilterB = "(memberOf=sAMAccountName=" + aGroupname + "," + searchDN + ")";
        String searchFilter = "(|" + searchFilterA + searchFilterB + ")";

        LDAPSearchConstraints cons = new LDAPSearchConstraints();
        cons.setTimeLimit(10000);   // client-side time limit, in milliseconds
        LDAPSearchResults searchResults =
            _lc.search(searchDN,       // container to search
                       searchScope,    // search scope (whole subtree)
                       searchFilter,   // search filter
                       attrs,          // attributes to return
                       attributeOnly,  // false: return attribute values, not just attribute names
                       cons);          // search constraints (time limit)

        while (searchResults.hasMore()) {
            LDAPEntry entry = searchResults.next();
            // .... etc ....
        }
    }


Cheers, Phil
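One way to do the "search within the search" for nested groups, added here as an example and not code from the original message or from the JLDAP project: it searches for the direct members of a group, recurses into any member that is itself a group, and records the users it finds. Two details matter in practice. A visited set stops infinite recursion when groups contain each other, and the group DN is escaped before it is spliced into the filter, because a name containing '*', '(' or ')' would otherwise change the meaning of the filter (the original snippet concatenates aGroupname unescaped). The class name, the use of objectClass "group" to recognise groups (an Active Directory convention, assumed from the msDS-* attributes in the post), and the attribute names are assumptions for the sake of illustration.

```java
import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPSearchConstraints;
import com.novell.ldap.LDAPSearchResults;

import java.util.LinkedHashSet;
import java.util.Set;

/** Client-side expansion of nested group membership over JLDAP (added example, assumed class name). */
public class GroupExpander {

    private final LDAPConnection lc;   // already connected and bound
    private final String searchDN;     // OU under which groups and users are searched

    public GroupExpander(LDAPConnection lc, String searchDN) {
        this.lc = lc;
        this.searchDN = searchDN;
    }

    /**
     * Escape a value before placing it inside an LDAP search filter (RFC 4515).
     * Without this, a group name containing '*', '(' or ')' rewrites the filter itself.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the DNs of every user that is a direct or nested member of groupDN. */
    public Set<String> expandUsers(String groupDN) throws LDAPException {
        Set<String> users = new LinkedHashSet<String>();
        expand(groupDN, users, new LinkedHashSet<String>());
        return users;
    }

    private void expand(String groupDN, Set<String> users, Set<String> visited) throws LDAPException {
        // A group that directly or indirectly contains itself would otherwise recurse forever.
        if (!visited.add(groupDN)) {
            return;
        }
        String filter = "(memberOf=" + escapeFilterValue(groupDN) + ")";
        String[] attrs = { "objectClass", "distinguishedName", "sAMAccountName" };

        LDAPSearchConstraints cons = new LDAPSearchConstraints();
        cons.setTimeLimit(10000);   // client-side time limit, in milliseconds

        LDAPSearchResults results =
            lc.search(searchDN, LDAPConnection.SCOPE_SUB, filter, attrs, false, cons);
        while (results.hasMore()) {
            LDAPEntry entry = results.next();
            if (isGroup(entry)) {
                expand(entry.getDN(), users, visited);   // nested group: descend into it
            } else {
                users.add(entry.getDN());                 // ordinary member
            }
        }
    }

    /** True when the entry carries objectClass "group" (Active Directory convention, assumed here). */
    private static boolean isGroup(LDAPEntry entry) {
        LDAPAttribute oc = entry.getAttribute("objectClass");
        if (oc == null) {
            return false;
        }
        for (String v : oc.getStringValueArray()) {
            if ("group".equalsIgnoreCase(v)) {
                return true;
            }
        }
        return false;
    }
}
```

Usage is `new GroupExpander(_lc, searchDN).expandUsers("CN=bob," + searchDN)`. Each level of nesting costs one extra search, so the recursion depth, and therefore the number of round trips, is bounded by how deeply the admins nest groups. Against Active Directory specifically, the server can do the expansion itself: the LDAP_MATCHING_RULE_IN_CHAIN extensible match, written as `(memberOf:1.2.840.113556.1.4.1941:=CN=bob,OU=...)`, returns users that are transitive members of the group in a single search, at the cost of a heavier query on the server; the client-side loop above works against any directory that populates memberOf.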