
Re: Using a bitwise filter



On 11/22/2011 10:47 AM, Michael Ströder wrote:
> W.Siebert@t-systems.com wrote:
>> (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
>>
>> If I connect AD server directly, all is OK, I get a search result. But sending
>> this search to Meta, does not work.
>>
>> Log:
>> slapd[22461]: conn=1004 op=3 SRCH base="dc=meta,dc=pov" scope=2 deref=2
>> filter="(&(?objectClass=user)(!(?objectClass=Computer))(?=error))"
>
> First I'd try to add the object classes 'user' and 'computer' and the
> attribute type userAccountControl to the local OpenLDAP schema. See
> slapd-ldap(5) for a note about schema and filters.
>
> Not sure whether the non-existing matching rule 1.2.840.113556.1.4.803 can be
> used though. You cannot just declare matching rules in OpenLDAP's schema files.

Grepping the code, I see that integerBitAndMatch and integerBitOrMatch are implemented. Perhaps the issue is that UserAccountControl is not defined; in any case, enumeration (its syntax, 2.5.5.9, according to <http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx>) is not defined. Adding a syntax (or a matching rule) requires the corresponding pieces of code for validation and normalization, if required. It's not a big deal as soon as the specification is available (and doable), but that's another business.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
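
The filter from this thread, as an added example that is not part of the original messages or of OpenLDAP's code: it evaluates the bitwise-AND rule 1.2.840.113556.1.4.803 (and its OR sibling, .804) with LDAP's three-valued logic, and shows why a server that does not know the attribute or classes returns nothing. The entries, the schema sets and all function names are constructed for illustration; treating the `?`-marked filter terms in the log as Undefined is an assumption of this model.

```python
# Added illustration; ENTRIES is constructed sample data, not from the thread.
BIT_AND = "1.2.840.113556.1.4.803"  # match if ALL asserted bits are set
BIT_OR = "1.2.840.113556.1.4.804"   # match if ANY asserted bit is set
UNDEFINED = None                    # third truth value of LDAP filters (RFC 4511)

def ext_match(entry, attr, rule, assertion, schema_attrs):
    """Evaluate (attr:rule:=assertion) for the two bitwise matching rules."""
    if attr.lower() not in schema_attrs or rule not in (BIT_AND, BIT_OR):
        return UNDEFINED  # server cannot interpret the term
    values = [int(v) for v in entry.get(attr.lower(), [])]
    if rule == BIT_AND:
        return any(v & assertion == assertion for v in values)
    return any(v & assertion != 0 for v in values)

def f_not(x):
    return UNDEFINED if x is UNDEFINED else not x

def f_and(*xs):
    if any(x is False for x in xs):
        return False
    return UNDEFINED if any(x is UNDEFINED for x in xs) else True

def enabled_users(entries, schema_attrs, schema_classes):
    """(&(objectclass=user)(!(objectclass=Computer))(!(userAccountControl:BIT_AND:=2)))"""
    hits = []
    for e in entries:
        def oc(name):
            if name.lower() not in schema_classes:
                return UNDEFINED  # unknown class value, like "?objectClass=user"
            return name.lower() in (c.lower() for c in e["objectclass"])
        verdict = f_and(oc("user"), f_not(oc("Computer")),
                        f_not(ext_match(e, "userAccountControl", BIT_AND, 2, schema_attrs)))
        if verdict is True:  # only TRUE returns an entry; Undefined does not
            hits.append(e["cn"])
    return hits

ENTRIES = [  # bit 0x2 of userAccountControl is ACCOUNTDISABLE
    {"cn": "alice", "objectclass": ["top", "user"], "useraccountcontrol": ["512"]},
    {"cn": "bob", "objectclass": ["top", "user"], "useraccountcontrol": ["514"]},
    {"cn": "pc1$", "objectclass": ["top", "user", "computer"], "useraccountcontrol": ["4096"]},
]
AD_ATTRS, AD_CLASSES = {"useraccountcontrol"}, {"user", "computer"}

if __name__ == "__main__":
    print(enabled_users(ENTRIES, AD_ATTRS, AD_CLASSES))  # schema known
    print(enabled_users(ENTRIES, set(), set()))          # schema unknown
```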