Re: Inappropriate matching

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

The filter (member=cn=foo*) is Undefined.  'member' does
not have a substring matching rule.  There is no substring
matching rule for distinguished names.

No entry should match this filter.

An LDAPv3 server *should* likely not return the result
of inappropriate matching, but return success with no
entries.  The fact that this did not occur leads me to
believe the server is an LDAPv2 server or is flawed.

Kurt

At 02:04 PM 12/8/00 +0200, Richard Ellerbrock wrote:
>I am trying to find out if a cn is part of a group using a search as follows:
>
>ldapsearch -h ldapnds -b "cn=Multiple login Admin,ou=ITD,ou=MPK,ou=GT,o=ESKOM" "member=cn=ellerbrR*"
>
>The group looks as follows:
>
>cn=Multiple Login Admin,ou=ITD,ou=MPK,ou=GT,o=ESKOM
>objectClass=top
>objectClass=groupOfNames
>revision=198
>member=cn=EllerbrR,ou=ITD,ou=MPK,ou=GT,o=ESKOM
>member=cn=SchuttAC,ou=ITD,ou=MPK,ou=GT,o=ESKOM
>member=cn=FisherB,ou=ITS,ou=NGY,ou=KN,o=DSNET
>member=cn=MienieP,ou=ITD,ou=MPK,ou=GT,o=ESKOM
>member=cn=GroeneGM,ou=ITD,ou=MPK,ou=GT,o=ESKOM
>member=cn=GrpWise,ou=MPK,ou=GT,o=ESKOM
>cn=Multiple Login Admin
>
>When I do a partial search as above, I get "ldap_search: Inappropriate matching" back from ldap. Is there any particular reason why you cannot do a partial match against a member? If I use a full DN, all works fine.
>
>Or, alternatively, what is the correct search syntax to find out if a cn is a member of a group. Maybe such a search does not make sense as the cn may not be unique.
>
>--
>Richard Ellerbrock
>richarde@eskom.co.za