[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'

Pierangelo Masarati writes:
>>    (&(objectClass=person)(|(sn=*jere*)(cn=*jere*)(blahblah=*jere*))(mail=*))
>> My problem is that if a particular entry does not contain each
>> attribute (sn, cn, and blahblah) they will not get returned as a hit.
>> The attribute "blahblah" is obviously a nonexistent attribute, but
>> being inside an "OR" parenthesis group I would assume that wouldn't
>> matter.

So would I...

> Your assumption is in contrast with the specifications of an LDAP filter.
> If "blahblah" is unknown to the DSA (i.e. it does not have a schema
> specification), then the __entire__ OR filter evaluates to UNDEFINED,
> according to draft-ietf-ldapbis-protocol.

draft-ietf-ldapbis-protocol-31.txt, SearchRequest.filter says:

   A filter of the "or" choice is FALSE if all of
   the filters in the SET OF evaluate to FALSE, TRUE if at least one
   filter is TRUE, and Undefined otherwise.

Think of UNDEFINED as "the server can't tell" in this context.  If
anything else in the (|...) matches, then the server can tell that the
filter matches whether or not the undefined component would match.

For sale: Parachute. Never opened, used once, slightly stained.