[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP filter question



Hi,

I'm having problems finding documentation for range filters.
Can someone explain to me how to use a range filter on shadowExpire?

From nis.schema:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
so it's an integer value.

from my slapd.conf (openldap 2.3.38):
index shadowExpire pres,eq

I'd like to find entries where either shadowExpire is not present, or 
shadowExpire is present and greater than or equal to X.

# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire=*))' dn
returns 978 entries.

# ldapsearch -x '(&(objectclass=shadowaccount)(!(shadowexpire=*)))' dn
returns 311 entries.

But:
# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>1000))' dn
gives me ldap_search_ext: Bad search filter (-7)
and
# ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>=1000))' dn
returns no results.

At least one entry has shadowExpire > 1000:
# ldapsearch -x -LLL uid=toni objectclass shadowexpire
dn: cn=Batovanja Antonio,ou=People,ou=EDV Zentrale,dc=humanomed,dc=at
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hmUserExtention
objectClass: organizationalPerson
shadowExpire: 20000

My final filter should be
(|(shadowExpire=0)(shadowExpire>=14910)(!(shadowExpire=*)))
but that's not working

What am I doing wrong?

Cheers,
Toni