Re: search with negation of undefined objectClass returns nothing

[Pierangelo Masarati <ando@sys-net.it>]

Charlie H wrote:

> Hello,
>
> I’ve been working on a conversion of a directory to OpenLDAP. I 
> stumbled upon some search results that I could not explain.
>
> One of our programs searches for LDAP entries with a negation of 
> certain object classes, so that extraneous entries are ignored. In 
> OpenLDAP, if the passed objectClass is not defined (as a valid 
> objectClass in the schema), it returns back nothing every time.
>
> For example, as expected, this returns back entries without the 
> surname xx:
>
> $ ldapsearch -xb "o=OrgName,c=US" '(!(sn=xx))'
>
> And this will return back entries that do not have the groupOfNames 
> objectClass:
>
> $ ldapsearch -xb "o=OrgName,c=US" '(!(objectClass=groupOfNames))'
>
> But the negation of an undefined objectClass returns nothing (without 
> any error):
>
> $ ldapsearch -xb "o=OrgName,c=US" '(!(objectClass=xx))'
>
> On another LDAP system (iPlanet), the last query above returns back 
> all entries. Does OpenLDAP by design throw out the search for an 
> objectClass value that is not defined? Could this be a configuration 
> issue?


an undefined objectClass is treated as "undefined"; the subsequent 
negation of n undefined filter is still treated as "undefined". I don't 
see any flaw in this logic. In any case, I don't see the fact that other 
implementations behave differently as a valid argument. It sounds 
definitely like a poorly designed operation or client configuration. A 
quick workaround is to define that objectClass in the schema.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497