LDAP Extensible matching filter

Discussion in 'Active Directory' started by nmaier, Sep 23, 2009.

  1. nmaier

    nmaier Guest

    Hi,
    I have a customer whose AD has a custom schema. They have their users
    divided into different OUs based on geographical location. All the OUs
    are siblings and under the parent DC=Company,DC=Com. I'm needing to
    create a filter that searches only those OUs I care about. And I think
    I'm close, this is what I have so far...

    (&(ou:dn:=Region1)(objectClass=user))

    I'd like to be nearly 100% sure it's the correct filter before I have them
    try it. So I've been trying a similar filter on our out-of-the-box AD
    setup...

    (&(cn:dn:=Users)(objectClass=user))

    I'd expect to see all the users in the CN=Users container, but I receive
    no entries. I tried this filter as well...

    (ou:dn:=Users)

    And expected all objects in the CN=Users container, but only received the
    below results using ldp.exe:

    ***Searching...
    ldap_search_s(ld, "DC=company,DC=com", 2, "(cn:dn:=Users)", attrList, 0,
    &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 2 entries:
    1> distinguishedName: CN=Users,CN=Builtin,DC=company,DC=com;

    From my understanding the :dn flag should match all of the DN's
    components, but it only seems to be matching the first.

    Thanks for any help,
    Nate
     
    nmaier, Sep 23, 2009
    #1

  2. nmaier

    Joe Kaplan Guest

    You can't scope a search to be part of a subtree. You either search the
    whole subtree or not.

    In terms of filtering, you cannot use a partial match (substring filter
    type) on any DN-syntax object. DNs can only be used in filters as exact
    matches or for testing presence with =*.

    So you probably can't do what you are trying to do the way you are trying
    it.

    To make something like this work, the only option is to have some attribute
    data on each object that you can match to. For example, if you had 3 of 6
    branches in a tree that you wanted to find objects under, the objects under
    each branch would need an attribute identifying them as part of that branch
    (like Region=Region1).

    Alternately, you can search each subtree separately and combine the results
    on the client.
     
    Joe Kaplan, Sep 23, 2009
    #2
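
The last suggestion in the reply above (search each subtree separately and combine the results on the client), sketched as an added example that is not part of the original thread. `DIRECTORY` and `subtree_search` are constructed stand-ins for a real directory server and LDAP client call, and the entry names are made up.

```python
# Added example: one subtree search per OU, merged on the client.
# DIRECTORY and subtree_search are constructed stand-ins for a real LDAP server.

USER = {"objectClass": ["top", "person", "organizationalPerson", "user"]}
DIRECTORY = {  # constructed sample entries: DN -> attributes
    "OU=Region1,DC=Company,DC=Com": {"objectClass": ["top", "organizationalUnit"]},
    "CN=Alice,OU=Region1,DC=Company,DC=Com": USER,
    "CN=Bob,OU=Sales,OU=Region1,DC=Company,DC=Com": USER,
    "CN=Carol,OU=Region2,DC=Company,DC=Com": USER,
    "CN=Dave,OU=Region3,DC=Company,DC=Com": USER,
}


def subtree_search(base_dn, object_class):
    """Stand-in for a scope-2 (subtree) search: the base entry and everything below it."""
    base = base_dn.lower()
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and object_class in attrs["objectClass"]:
            yield dn, attrs


def search_branches(base_dns, object_class, search=subtree_search):
    """Run one subtree search per base DN and merge the hits, keyed by DN.

    Keying on the lower-cased DN removes duplicates when two bases overlap
    (for example an OU and one of its child OUs).
    """
    merged = {}
    for base in base_dns:
        for dn, attrs in search(base, object_class):
            merged.setdefault(dn.lower(), (dn, attrs))
    return sorted(dn for dn, _ in merged.values())


if __name__ == "__main__":
    wanted = ["OU=Region1,DC=Company,DC=Com", "OU=Region3,DC=Company,DC=Com"]
    for dn in search_branches(wanted, "user"):
        print(dn)
```

With a real client, pass a `search` callable that issues the subtree search against the server for each base DN; the merge step stays the same.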
