[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP search filters

To: Anita Luca <anlu@netop.com>
Subject: Re: OpenLDAP search filters
From: Howard Chu <hyc@symas.com>
Date: Fri, 03 Jun 2011 13:01:44 -0700
Cc: Reinaldo de Carvalho <reinaldoc@gmail.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <32D578643AF3CB47876597A863E8E717163E74@dk-dwd-dan-dkex.danware.local>
References: <32D578643AF3CB47876597A863E8E717154166@dk-dwd-dan-dkex.danware.local> <BANLkTimW6LuAxfGpOHcknTp1Q1Df1QYuMw@mail.gmail.com> <32D578643AF3CB47876597A863E8E717163E74@dk-dwd-dan-dkex.danware.local>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110322 Firefox/4.0b13pre SeaMonkey/2.1b2pre

Anita Luca wrote:

Thanks for the answer Reinaldo,
Sorry, maybe I wasn't explicit enough..

I have, say, 3 user objects, with names User1, User2 and User3.
Under AD, a user browse filter for this would be:
(&(|(objectClass=user)(objectClass=organizationalUnit))(cn=*User**))
that would search for
(objectClass=user OR objectClass=organizationalUnit) AND (cn  contains "User")

But the AD object has the property objectClass and cn, and I know that values for objectClass can be "user" or "organizationalUnit" in my case.
I don't know the structure of an object in OpenLDAP, to know what property would replace e.g. objectClass and cn, and what values they might have.

objectClass is part of the core LDAP (and X.500) specification, everydirectory entry must contain it. cn is part of the core schema as well,although Microsoft has perverted its definition in their implementation.


Your example is strange since generally users are not organizationalUnits.

This might be a very simple thing, my problem is that I don't have access to an OpenLDAP environment, which makes it more difficult. With an LDAP browser I could just look at the objects, see the properties and values, and figure out what would work as filter. But without access to the environment, I don't even know how an object looks like, and what properties it has.
I was hoping maybe there was a list somewhere, similar to this one for Active Directory, where I could just see the properties that exist:
http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html

Read RFC4512 and RFC4519 to see the core LDAP schema definitions. You don'tneed a running OpenLDAP installation, you just need to read the LDAPspecifications.

Of course, it's not like there's anything preventing you from downloadingOpenLDAP and seeing what's in it for yourself.

Thanks,
Anita


-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Reinaldo de Carvalho
Sent: 20 May 2011 17:43
To: openldap-technical@openldap.org
Subject: Re: OpenLDAP search filters

On Thu, May 19, 2011 at 8:08 AM, Anita Luca<anlu@netop.com>  wrote:

Hello all,

I need to replace the standard AD filters with OpenLDAP filters.
Basically, I assume that what changes is the value of the property (e.g.
objectType=user might become objectType=person or any other value, not
sure what OpenLDAP works with).


How to create a "filter" if we don't know the "entries"?

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this software to the way you work, but rather yourself to the way the software works" (myself)



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- RE: OpenLDAP search filters
  - From: Anita Luca <anlu@netop.com>

Prev by Date: Re: ldapsearch and sambaAcctFlags
Next by Date: Re: Authenticate with smartcard or other certificate
Index(es):
- Chronological
- Thread