[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'

To: "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>
Subject: Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 27 Jul 2005 12:43:28 +0200 (CEST)
Cc: "Jeremiah Martell" <inlovewithgod@gmail.com>, openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <hbf.20050727aqjt@bombur.uio.no>
References: <233eb3005072606304e634633@mail.gmail.com> <54791.131.175.154.56.1122457748.squirrel@131.175.154.56> <hbf.20050727aqjt@bombur.uio.no>
User-agent: SquirrelMail/1.4.3a-1

> Pierangelo Masarati writes:
>>>    (&(objectClass=person)(|(sn=*jere*)(cn=*jere*)(blahblah=*jere*))(mail=*))
>>>
>>> My problem is that if a particular entry does not contain each
>>> attribute (sn, cn, and blahblah) they will not get returned as a hit.
>>> The attribute "blahblah" is obviously a nonexistent attribute, but
>>> being inside an "OR" parenthesis group I would assume that wouldn't
>>> matter.
>
> So would I...
>
>> Your assumption is in contrast with the specifications of an LDAP
>> filter.
>> If "blahblah" is unknown to the DSA (i.e. it does not have a schema
>> specification), then the __entire__ OR filter evaluates to UNDEFINED,
>> according to draft-ietf-ldapbis-protocol.
>
> Huh?
> draft-ietf-ldapbis-protocol-31.txt, 4.5.1.7 SearchRequest.filter says:
>
>    A filter of the "or" choice is FALSE if all of
>    the filters in the SET OF evaluate to FALSE, TRUE if at least one
>    filter is TRUE, and Undefined otherwise.
>
> Think of UNDEFINED as "the server can't tell" in this context.  If
> anything else in the (|...) matches, then the server can tell that the
> filter matches whether or not the undefined component would match.

Again apologies.  Both Jeremiah and I wrote __OR__, but my mind was
erroneously thinking __AND__.  I definitely need to reboot.

In fact, OpenLDAP's slapd is correctly treating that filer as valid, and
returning data if any of the valid portions of the filter match:

[user@host]$ ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' -LLL
'(&(objectClass=person)(|(sn=*jense*)(cn=*jense*)(blahblah=*jense*))(mail=*))'
1.1
dn: cn=Barbara Jensen,ou=Information Technology
Division,ou=People,dc=example,
 dc=com

dn: cn=Bjorn Jensen,ou=Information Technology
Division,ou=People,dc=example,dc
 =com

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'
  - From: Jeremiah Martell <inlovewithgod@gmail.com>

References:
- LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a "hit"
  - From: Jeremiah Martell <inlovewithgod@gmail.com>
- Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: LDAP Search: If filter contains nonexistant attribute, entry will not be returned as a 'hit'
Next by Date: Re: Forcing start_tls on client connections?
Index(es):
- Chronological
- Thread