
Re: Resolving groups (neophyte question)



I coulda sworn I did this before a long time ago, and it worked (maybe Netscape DS 3.x),
but it's a really ugly way to do it, and given that the dn is kinda "special", I completely
agree that it's at least bad form.

Definitely the best way to go is to use the known dn as the base dn, scope of base, and
a filter of objectclass=*.  Actually, does anyone know if it would be more or less efficient
to use objectclass=* vs. objectclass=inetorgperson or whatever objectclass would
further restrict it? - I usually just use objectclass=*, but I wonder if objectclass=inetorgperson
is more efficient, or if it makes it do further comparisons that would slow things down.

-Jeff

Julio Sánchez Fernández wrote:

> Jeff Clowser wrote:
> >
> > Try this:
> > ldapsearch -v -L -s sub  -b 'o=mirapoint.com' -h ugh 'dn=uid=bryan,ou=People, o=mirapoint.com'
> >
> > (Note the dn=uid=...)
>
> If that works, then it is another unintended side-effect of the way OpenLDAP
> deals with the DN (treats it as an attribute).  I don't think this is
> required behaviour.  And as a matter of fact, future changes to OpenLDAP are
> likely to break this.  I have my eyes put on some changes that could make
> the DN disappear as an attribute of the entry.  So if anyone can provide
> any proof that this is required behaviour, please speak up before I make a
> fool of myself by breaking it.
>
> > Probably a more efficient way would be to make the scope
> > same (-s same?)
>
> -s base
>
> Julio

--
 Jeff Clowser
 mailto:jclowser@aerotek.com       Hanover MD  21076 USA
 Phone: (410)-579-4328             7312 Parkway Drive