LDAP Search syntax for finding entries with multiple equal attributes : ldap, search, syntax

May 17, 2008 02:33am pdt

1. Chris-Dent 7,950
2. Nopius 4,350
3. JimboEfx 3,000
4. ahoffmann 2,500
5. SysExpert 2,000
5. msghaleb 2,000
5. vs1784 2,000
5. merowinger 2,000
5. shasunder 2,000
5. maxis2cute 2,000
5. PeteJThomas 2,000
5. nfmartins 2,000
5. viperman... 2,000
5. Darylx 2,000
5. Paka 2,000
5. PeteLong 2,000
5. mankowitz 2,000
5. noci 2,000

1. Chris-Dent 10,950
2. Nopius 9,850
3. toniur 6,000
3. rama_kri... 6,000
5. sirbounty 3,635
6. farhankazi 3,500
7. tmassa99 3,000
7. JimboEfx 3,000
9. LauraEHu... 2,750
10. ahoffmann 2,500
10. HonorGod 2,500
12. RobSampson 2,300
13. nfmartins 2,000
13. objects 2,000
13. ravs 2,000
13. SysExpert 2,000
13. bbao 2,000
13. veedar 2,000
13. merowinger 2,000
13. PeteLong 2,000
13. mankowitz 2,000
13. noci 2,000
13. msghaleb 2,000
13. Kate12 2,000
13. frashii 2,000
13. kbratton1 2,000
13. vs1784 2,000
13. Darylx 2,000
13. maxis2cute 2,000
13. PeteJThomas 2,000
13. shasunder 2,000
13. MSE-dwells 2,000
13. jcoombes 2,000
13. bahmane 2,000
13. Pber 2,000
13. Paka 2,000
13. alextoft 2,000
13. BigSchmuh 2,000
13. viperman... 2,000

11.28.2007 at 01:21AM PST, ID: 22987037

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

4.6

LDAP Search syntax for finding entries with multiple equal attributes

Zones: Lightweight Directory Access Protocol (LDAP), Windows 2000 Active Directory, Windows 2003 Active Directory

Tags: ldap, search, syntax

Hi Experts,

I am moderately acquainted with the general syntax of LDAP search queries. However I don't seem to get my hands around how to do an LDAP search for entries that have two or more attributes of a certain name.

Take as an example the mini-LDIF in the code-snippet section. The user John Doe has two rights, namely "user" and "employer". It isn't hard to find any person with user and employer rights:

(&(right=user)(right=employer))

however, I would like to find all users with two rights or more. One right would be easy:

(right=*)

but that is not enough. Is there a way to query an LDAP directory for all persons that have two or more rights (or any other attribute for that matter)?

Any help is greatly appreciated.

Cheers,
-- Abel --

         
             objectClass: person
cn: John Doe
sn: Doe
right: user
right: employer

Start your free trial to view this solution

Question Stats

Zone: Database

Question Asked By: abel

Solution Provided By: MSE-dwells

Participating Experts: 1

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

11.30.2007 at 06:01AM PST, ID: 20381917

Rank: Master

MSE-dwells:

Not natively since there's no operand or matching rule combinations that returns a count or one that returns TRUE based upon the number of values (only the value themselves.)

I'd suggest you use a simple script. Note that the example I've provided uses a very popular and entirely free LDAP query tool available from http://joeware.net. The script could look like this (the example provided functions per your requirements) -

                       
                          
                             
                             
                                @echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=right
set attributeLENGTH=5
set hitTRIGGER=2
 
for /f "tokens=*" %%D in ('adfind -domain -f "%attributeNAME%=*" %attributeNAME% 2^>nul') do (
	set resultSTRING=%%D
	if /i "!resultSTRING:~0,3!"=="dn:" (
		if "!DNshown!"=="1" echo [!hitCOUNT!]
		set hitCOUNT=0
		set DNshown=0
		set objectDN=!resultSTRING:~3!
	)
	if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
		set /a hitCOUNT+=1
		if !hitCOUNT! GEQ %hitTRIGGER% (
			if not "!dnSHOWN!"=="1" (
				set /p=!objectDN! <nul
				set DNshown=1
			)
		)
	)		
)
                             
                          

                    

Open in New Window

11.30.2007 at 08:29AM PST, ID: 20383190

abel:

That looks rather cool! Thanks (I was worrying that my question was unsolvable). This looks like a rather strong use of the MS DOS Batch Extensions, very nice.

I downloaded and tried the adfind tool, but couldn't get it to connect to my server. It either says "Server down" (81) or "Authentication method not supported" (7), the latter only when I do not provide a login+pwd on the commandline.

Maybe it isn't suitable for Sun Directory Server 5.2? Do you know of any settings I am missing? Here's the commandline I tried:

adfind -h sso.local-ldap.com:60945 -c -u uid=user4,dc=local,dc=com -p test -b dc=local-ldap,dc=com -f "uid=user4"

(as you can see, I login as a certain user and try to query that same user, but it doesn't work yet). Any ideas?

Cheers & Thanks,
-- Abel --

11.30.2007 at 08:47AM PST, ID: 20383360

Rank: Master

MSE-dwells:

What does this return -

adfind -h sso.local-ldap.com:60945 -c -simple -u uid=user4,dc=local,dc=com -up test -b dc=local-ldap,dc=com -f "uid=user4"

... try it without the -simple as well.

PS - I believe you meant -up for the password value -- did you also want to return just the object count (-c) that met your filter?

PPS - I confess, I've become so blinkered by Active Directory, I forget to even consider the potential for other DSs ... ughhh, sorry 'bout that.

11.30.2007 at 09:00AM PST, ID: 20383445

abel:

Getting closer....

After an "No Such Object" (32) error (which usually means the userid is or dn is wrong), I now have an "Unavailable Critical Extension" error. In full, it looks as this (see snippet)

any further ideas? Using Apache Directory Studio, I can connect fine (but that doesn't have handy commandline tools).

                       
                                AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
 
Enter Password: ......
Using server: :60945
 
ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension
 
0 Objects returned

Open in New Window

11.30.2007 at 09:01AM PST, ID: 20383452

abel:

PS: yes, it was my misinterpretation of the commandline explanations: using "-p" for "-up"....

11.30.2007 at 09:03AM PST, ID: 20383465

abel:

PPS: yes, the -c was on purpose, my first query looked like "uid=*" and I did not want the clutter, only the count.

11.30.2007 at 09:04AM PST, ID: 20383475

Rank: Master

MSE-dwells:

Hmmm ... that seems to indicate your DS can't handle paging, I find that hard to believe though. Is that correct? Try tacking a -d on for further debugging-related output.

In addition, if we circumvent this issue, add this switch on there ........ -dloid

... it may also be trying to make some smart decisions by enumerating the schema which will fail since ADfind is NOT a generic LDAP query tool like LDIFDE, it's written specifically for AD or ADAM ... so we'll see.

11.30.2007 at 09:14AM PST, ID: 20383528

abel:

Hmm, maybe you can make something of this, but it looks like we're getting at the end of our options here. "-dloid" gave just the same error. "-d" is below:

                       
                          
                             
                             
                                AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
 
DEBUG: Opening TCP connection
DEBUG: In OpenLDAP... Params:
DEBUG:    Server:    sso.local-ldap.com
DEBUG:    SSL: 0
DEBUG:    Port:        60945
DEBUG:    Ref:       1
DEBUG:    V3:        1
DEBUG:    Anonymous: 0
DEBUG:    userdn: uid=test,dc=local-ldap,dc=com
DEBUG:    password: test
DEBUG:    Simple: 1
DEBUG:    LDAP_OPT_ENCRYPT: 0
DEBUG:    Delegation: 0
DEBUG:    Extended Error Info: 0
LDAP_OPTION: Version 3
LDAP_BIND: [sso.local-ldap.com] Successful
DEBUG: Gathering RootDSE
DEBUG: Entering CRootDSE...
DEBUG: Leaving CRootDSE.
DEBUG: RootDSE Completed
Using server: :60945
 
DEBUG: Initializing Search Paging...
DEBUG: Search Initialized...
DEBUG: Have valid Search Handle...
DEBUG: Retrieving Page...
DEBUG: Temp Page Size: 1000
DEBUG: Object Count: 0
ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension
 
 
0 Objects returned

                             
                          

                    

Open in New Window

11.30.2007 at 09:17AM PST, ID: 20383554

Rank: Master

MSE-dwells:

Nod, that looks like your DS doesn't support paging. From AD or ADAM, I get this -

C:\>adfind -h light -rootdse | find /i "pag"

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

>supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]

... the LDAP control, though a Microsoft control, is the industry standard since they introduced paging.

11.30.2007 at 09:41AM PST, ID: 20383738

abel:

aha.. I don't know, you maybe right, of course. But perhaps it is the story explained here? http://forum.java.sun.com/thread.jspa?threadID=5201270

Unfortunately, I have to go (it is 18.40 and it's Friday, time for weekend ;). Do you think this is resolvable? Or is another tool useful with your solution?

11.30.2007 at 09:49AM PST, ID: 20383794

Rank: Master

MSE-dwells:

Nod, the script can be adapted readily enough. It's just a matter of finding the tool to dump the data in the first place. Perhaps if you formulate the LDIFDE syntax and throw it out an LDF file, I can adapt that script to fit. Enjoy your weekend!

11.30.2007 at 09:51AM PST, ID: 20383812

Rank: Master

MSE-dwells:

PS - I'd also suggest dumping the rootDSE and seeing if it supports the control I mentioned ealier ... the unavailable crit. extension isn't necessarily indicative of this particular issue.

12.04.2007 at 02:27AM PST, ID: 20401929

abel:

I tried to use ldapsearch, which I found in the shared/bin directory of the Sun DS installation folder. It seems to work just fine and outputs as LDIF, I believe. Can I use that with your scriptlet?

                       
                                dn: cn=obsfUser,ou=manager,ou=myCompany,ou=myEnterprise,dc=local-ldap,dc=com
objectClass: top
objectClass: person
right: view-roles
right: edit-roled
right: manage-employers

Open in New Window

12.04.2007 at 06:25AM PST, ID: 20402928

Rank: Master

MSE-dwells:

Hmmm ... I'm not in a convenient position to test it right now but, at first glance, it looks like you could substitute the ADfind syntax in the script with the ldapsearch equiv. Post back the LDAPsearch syntax and I'll see how we can incorporate it.

12.04.2007 at 06:47AM PST, ID: 20403124

abel:

This is the line I use to call it, not really rocket science ;)

ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(rights=*)"

Where:
-b is Base DN
-T is non-wrapped output (every line is on one line)
-p is port
-h is host (default localhost)
-D is bind dn
-w is password
last part is the query string in RFC-2254 syntax.

Full documentation is here in case you need any: http://docs.sun.com/source/816-6400-10/lsearch.html#wp19539

12.04.2007 at 07:19AM PST, ID: 20403422

Rank: Master

MSE-dwells:

OK, is your attribute named 'right' or 'rights'?

Let's try this (I haven't tested it BTW) -

                       
                          
                             
                             
                                @echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=rights
set attributeLENGTH=6
set hitTRIGGER=2
 
for /f "tokens=*" %%D in (ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(%attributeNAME%=*)" 2^>nul') do (
	set resultSTRING=%%D
	if /i "!resultSTRING:~0,3!"=="dn:" (
		if "!DNshown!"=="1" echo [!hitCOUNT!]
		set hitCOUNT=0
		set DNshown=0
		set objectDN=!resultSTRING:~3!
	)
	if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
		set /a hitCOUNT+=1
		if !hitCOUNT! GEQ %hitTRIGGER% (
			if not "!dnSHOWN!"=="1" (
				set /p=!objectDN! <nul
				set DNshown=1
			)
		)
	)		
)

                             
                          

                    

Open in New Window

12.04.2007 at 07:20AM PST, ID: 20403439

Rank: Master

MSE-dwells:

Dang, the attribute is 'right' not 'rights' I think. Change lines 5 and 6 in the script accordingly to account for that.

12.05.2007 at 06:28AM PST, ID: 20411397

abel:

> OK, is your attribute named 'right' or 'rights'?

actually, it is in Dutch: "rechten". I translated (and obfuscated) the output and apparently I wasn't all too consistent. But I should be capable enough to adjust your script accordingly ;)

I tried your script and needed to make a few adjustments: quotes around the -b and -D parameters (otherwise DOS interprets the equal sign and the comma as spaces) and a starting single quote for the command.

Result: naught. I also tried with "objectClass" as attribute, because almost all entries have two or more objectclass attributes. I tested the output of the error (you direct it to NUL) but that didn't reveal anything (no errors). Any ideas where I should look?

                       
                          
                             
                             
                                @echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=objectClass
set attributeLENGTH=11
set hitTRIGGER=2
 
for /f "tokens=*" %%D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(%attributeNAME%=*)" 2^>nul') do (
    set resultSTRING=%%D
    if /i "!resultSTRING:~0,3!"=="dn:" (
        if "!DNshown!"=="1" echo [!hitCOUNT!]
        set hitCOUNT=0
        set DNshown=0
        set objectDN=!resultSTRING:~3!
    )
    if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
        set /a hitCOUNT+=1
        if !hitCOUNT! GEQ %hitTRIGGER% (
            if not "!dnSHOWN!"=="1" (
                set /p=!objectDN! <nul
                set DNshown=1
            )
        )
    )         
)

                             
                          

                    

Open in New Window

12.05.2007 at 06:31AM PST, ID: 20411420

abel:

PS: in case you ask: yes, the query works, if run separately it returns a lot (I tested with removing @echo off which gave me the expanded command string). It also runs for a very long time when set to objectClass, which is as expected, the server contains about 50.000 entries.

12.05.2007 at 06:35AM PST, ID: 20411463

Rank: Master

MSE-dwells:

Remove the 'echo off' and alter the filter such that the return-set is minimized ... paste the entire content back here ...

12.05.2007 at 08:55AM PST, ID: 20412920

abel:

I tried it, but made a little mistake (I left the "=*" in place) and after an hour it hadn't yet finished.... (though any normal query using a dump runs in about 1 mins)

Changing it to a 1-resultset by using a uid, it gives the following output (pardon the length, but you asked for the whole bit).

                       
                          
                             
                                1:





































































































































































































































































































































































































































































































































































































































































                             
                             
                                C:\>for /F "tokens=*" %D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(uid=user4)" 2>nul') do (
set resultSTRING=%D
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!result