
Re: Search with wildcard



Alessandro Lasmar Mourao wrote:
> I have the following structure in my OpenLDAP:
> 
> ou = groups
> |_cn = system1
> | |_cn = Group1
> | |_cn = Group2
> |_cn = system2
>   |_cn = Group1
>   |_cn = Group2
> 
> I need to perform a search and return only users who are registered on system1, regardless of the registered group.
> When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned.
> How do I perform this search in OpenLDAP?

Attribute 'memberOf' is of LDAP syntax DistinguishedName. Therefore the SUBSTR
matching rule for DirectoryString syntax does not apply.

You could use this filter:

  (memberOf:dnSubordinateMatch:=cn=system1,ou=groups)

Not exactly the same since it does not assert the group entry RDN being 'cn'
but it matches your textual description.

> In Oracle SJDS the search works!

Is Oracle SJDS yet another LDAP server product name for the former Sun product
or Oracle's OID?

If the search with memberOf=cn=*,cn=system1,ou=groups works there, they do not
implement proper DN syntax checking and matching rules and simply apply e.g.
the DirectoryString SUBSTR matching rule or whatever. That's convenient for
lazy programmers but is not compliant with RFC 4517. A typical behaviour of
Sun's DSSE up to 6.x.

Ciao, Michael.

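Added example, not part of the original message: a simplified Python model of the DN-aware comparison discussed in the reply, next to the stricter "direct child with RDN type cn" check and a plain string suffix test. All function names and memberOf values are constructed for illustration, and it assumes dnSubordinateMatch does not match the asserted DN itself.

```python
# Added illustration, simplified: no multi-valued RDNs ('+'), hex or quoted values.
def normalize_rdn(rdn):
    """Lower-case type and value, trim spaces (rough caseIgnore approximation)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped characters."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":                 # unescaped comma ends an RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]

def dn_subordinate_match(value, base):
    """True if value lies strictly below base (assumed: base itself excluded)."""
    v, b = split_dn(value), split_dn(base)
    return len(v) > len(b) and v[-len(b):] == b

def direct_cn_child(value, base):
    """Stricter: exactly one level below base and the leading RDN type is cn."""
    v, b = split_dn(value), split_dn(base)
    return len(v) == len(b) + 1 and v[1:] == b and v[0][0] == "cn"

def naive_suffix(value, base):
    """Plain string comparison, the shortcut that ignores DN syntax."""
    return value.lower().endswith("," + base.lower())

BASE = "cn=system1,ou=groups"
MEMBER_OF = [                            # constructed sample values
    "cn=Group1,cn=system1,ou=groups",
    "CN=Group2, CN=system1, OU=groups",  # same DN, different spelling
    "cn=Group1,cn=system2,ou=groups",
    "cn=system1,ou=groups",              # the base entry itself
    "ou=sub,cn=system1,ou=groups",       # subordinate, but RDN type is not cn
    "cn=Group1,cn=x\\,cn=system1,ou=groups",  # escaped comma inside an RDN value
]

if __name__ == "__main__":
    for dn in MEMBER_OF:
        print(dn, dn_subordinate_match(dn, BASE), direct_cn_child(dn, BASE), naive_suffix(dn, BASE))
```

The string test misses the differently spelled DN and accepts the value with the escaped comma, which is why group checks that feed authorization decisions should compare parsed DNs rather than raw strings.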