Solved

LDAP Search syntax for finding entries with multiple equal attributes

Posted on 2007-11-28
5,580 Views
Last Modified: 2013-12-24
Hi Experts,

I am moderately acquainted with the general syntax of LDAP search queries. However I don't seem to get my hands around how to do an LDAP search for entries that have two or more attributes of a certain name.

Take as an example the mini-LDIF in the code-snippet section. The user John Doe has two rights, namely "user" and "employer". It isn't hard to find any person with user and employer rights:

    (&(right=user)(right=employer))

however, I would like to find all users with two rights or more. One right would be easy:

    (right=*)

but that is not enough. Is there a way to query an LDAP directory for all persons that have two or more rights (or any other attribute for that matter)?

Any help is greatly appreciated.

Cheers,
-- Abel --

    objectClass: person
    cn: John Doe
    sn: Doe
    right: user
    right: employer

Question by:abel
26 Comments
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20381917
Not natively, since there are no operand or matching-rule combinations that return a count, or one that returns TRUE based upon the number of values (only the values themselves).

I'd suggest you use a simple script.  Note that the example I've provided uses a very popular and entirely free LDAP query tool available from http://joeware.net.  The script could look like this (the example provided functions per your requirements) -
@echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=right
set attributeLENGTH=5
set hitTRIGGER=2
 
for /f "tokens=*" %%D in ('adfind -domain -f "%attributeNAME%=*" %attributeNAME% 2^>nul') do (
	set resultSTRING=%%D
	if /i "!resultSTRING:~0,3!"=="dn:" (
		if "!DNshown!"=="1" echo [!hitCOUNT!]
		set hitCOUNT=0
		set DNshown=0
		set objectDN=!resultSTRING:~3!
	)
	if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
		set /a hitCOUNT+=1
		if !hitCOUNT! GEQ %hitTRIGGER% (
			if not "!dnSHOWN!"=="1" (
				set /p=!objectDN! <nul
				set DNshown=1
			)
		)
	)		
)

 
LVL 39

Author Comment

by:abel
ID: 20383190
That looks rather cool! Thanks (I was worrying that my question was unsolvable). This looks like a rather strong use of the MS DOS Batch Extensions, very nice.

I downloaded and tried the adfind tool, but couldn't get it to connect to my server. It either says "Server down" (81) or "Authentication method not supported" (7), the latter only when I do not provide a login+pwd on the commandline.

Maybe it isn't suitable for Sun Directory Server 5.2? Do you know of any settings I am missing? Here's the commandline I tried:

adfind -h sso.local-ldap.com:60945 -c -u uid=user4,dc=local,dc=com -p test -b dc=local-ldap,dc=com -f "uid=user4"

(as you can see, I login as a certain user and try to query that same user, but it doesn't work yet). Any ideas?

Cheers & Thanks,
-- Abel --
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383360
What does this return -

adfind -h sso.local-ldap.com:60945 -c -simple -u uid=user4,dc=local,dc=com -up test -b dc=local-ldap,dc=com -f "uid=user4"

... try it without the -simple as well.

PS - I believe you meant -up for the password value -- did you also want to return just the object count (-c) that met your filter?

PPS - I confess, I've become so blinkered by Active Directory, I forget to even consider the potential for other DSs ... ughhh, sorry 'bout that.
 
LVL 39

Author Comment

by:abel
ID: 20383445
Getting closer....

After a "No Such Object" (32) error (which usually means the userid or dn is wrong), I now have an "Unavailable Critical Extension" error. In full, it looks like this (see snippet):

Any further ideas? Using Apache Directory Studio, I can connect fine (but that doesn't have handy commandline tools).

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
 
Enter Password: ......
Using server: :60945
 
ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension
 
0 Objects returned

 
LVL 39

Author Comment

by:abel
ID: 20383452
PS: yes, it was my misinterpretation of the commandline explanations: using "-p" for "-up"....
 
LVL 39

Author Comment

by:abel
ID: 20383465
PPS: yes, the -c was on purpose, my first query looked like "uid=*" and I did not want the clutter, only the count.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383475
Hmmm ... that seems to indicate your DS can't handle paging, I find that hard to believe though.  Is that correct?  Try tacking a -d on for further debugging-related output.

In addition, if we circumvent this issue, add this switch on there ........ -dloid

... it may also be trying to make some smart decisions by enumerating the schema which will fail since ADfind is NOT a generic LDAP query tool like LDIFDE, it's written specifically for AD or ADAM ... so we'll see.
 
LVL 39

Author Comment

by:abel
ID: 20383528
Hmm, maybe you can make something of this, but it looks like we're getting at the end of our options here. "-dloid" gave just the same error. "-d" is below:
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
 
DEBUG: Opening TCP connection
DEBUG: In OpenLDAP... Params:
DEBUG:    Server:    sso.local-ldap.com
DEBUG:    SSL: 0
DEBUG:    Port:        60945
DEBUG:    Ref:       1
DEBUG:    V3:        1
DEBUG:    Anonymous: 0
DEBUG:    userdn: uid=test,dc=local-ldap,dc=com
DEBUG:    password: test
DEBUG:    Simple: 1
DEBUG:    LDAP_OPT_ENCRYPT: 0
DEBUG:    Delegation: 0
DEBUG:    Extended Error Info: 0
LDAP_OPTION: Version 3
LDAP_BIND: [sso.local-ldap.com] Successful
DEBUG: Gathering RootDSE
DEBUG: Entering CRootDSE...
DEBUG: Leaving CRootDSE.
DEBUG: RootDSE Completed
Using server: :60945
 
DEBUG: Initializing Search Paging...
DEBUG: Search Initialized...
DEBUG: Have valid Search Handle...
DEBUG: Retrieving Page...
DEBUG: Temp Page Size: 1000
DEBUG: Object Count: 0
ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension
 
 
0 Objects returned

 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383554
Nod, that looks like your DS doesn't support paging.  From AD or ADAM, I get this -

C:\>adfind -h light -rootdse | find /i "pag"

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

>supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]

... the LDAP control, though a Microsoft control, is the industry standard since they introduced paging.
 
LVL 39

Author Comment

by:abel
ID: 20383738
Aha.. I don't know, you may be right, of course. But perhaps it is the story explained here? http://forum.java.sun.com/thread.jspa?threadID=5201270

Unfortunately, I have to go (it is 18.40 and it's Friday, time for weekend ;). Do you think this is resolvable? Or is another tool useful with your solution?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383794
Nod, the script can be adapted readily enough.  It's just a matter of finding the tool to dump the data in the first place.  Perhaps if you formulate the LDIFDE syntax and throw it out an LDF file, I can adapt that script to fit.  Enjoy your weekend!
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383812
PS - I'd also suggest dumping the rootDSE and seeing if it supports the control I mentioned earlier ... the unavailable crit. extension isn't necessarily indicative of this particular issue.
 
LVL 39

Author Comment

by:abel
ID: 20401929
I tried to use ldapsearch, which I found in the shared/bin directory of the Sun DS installation folder. It seems to work just fine and outputs as LDIF, I believe. Can I use that with your scriptlet?

dn: cn=obsfUser,ou=manager,ou=myCompany,ou=myEnterprise,dc=local-ldap,dc=com
objectClass: top
objectClass: person
right: view-roles
right: edit-roled
right: manage-employers

 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20402928
Hmmm ... I'm not in a convenient position to test it right now but, at first glance, it looks like you could substitute the ADfind syntax in the script with the ldapsearch equiv.  Post back the LDAPsearch syntax and I'll see how we can incorporate it.
 
LVL 39

Author Comment

by:abel
ID: 20403124
This is the line I use to call it, not really rocket science ;)

ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(rights=*)"

Where:
-b is Base DN
-T is non-wrapped output (every line is on one line)
-p is port
-h is host (default localhost)
-D is bind dn
-w is password
last part is the query string in RFC-2254 syntax.

Full documentation is here in case you need any: http://docs.sun.com/source/816-6400-10/lsearch.html#wp19539
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20403422
OK, is your attribute named 'right' or 'rights'?

Let's try this (I haven't tested it BTW) -
@echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=rights
set attributeLENGTH=6
set hitTRIGGER=2
 
for /f "tokens=*" %%D in (ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(%attributeNAME%=*)" 2^>nul') do (
	set resultSTRING=%%D
	if /i "!resultSTRING:~0,3!"=="dn:" (
		if "!DNshown!"=="1" echo [!hitCOUNT!]
		set hitCOUNT=0
		set DNshown=0
		set objectDN=!resultSTRING:~3!
	)
	if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
		set /a hitCOUNT+=1
		if !hitCOUNT! GEQ %hitTRIGGER% (
			if not "!dnSHOWN!"=="1" (
				set /p=!objectDN! <nul
				set DNshown=1
			)
		)
	)		
)

 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20403439
Dang, the attribute is 'right' not 'rights' I think.  Change lines 5 and 6 in the script accordingly to account for that.
 
LVL 39

Author Comment

by:abel
ID: 20411397
> OK, is your attribute named 'right' or 'rights'?

actually, it is in Dutch: "rechten". I translated (and obfuscated) the output and apparently I wasn't all too consistent. But I should be capable enough to adjust your script accordingly ;)

I tried your script and needed to make a few adjustments: quotes around the -b and -D parameters (otherwise DOS interprets the equal sign and the comma as spaces) and a starting single quote for the command.

Result: naught. I also tried with "objectClass" as attribute, because almost all entries have two or more objectclass attributes. I tested the output of the error (you direct it to NUL) but that didn't reveal anything (no errors). Any ideas where I should look?
@echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set attributeNAME=objectClass
set attributeLENGTH=11
set hitTRIGGER=2
 
for /f "tokens=*" %%D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(%attributeNAME%=*)" 2^>nul') do (
    set resultSTRING=%%D
    if /i "!resultSTRING:~0,3!"=="dn:" (
        if "!DNshown!"=="1" echo [!hitCOUNT!]
        set hitCOUNT=0
        set DNshown=0
        set objectDN=!resultSTRING:~3!
    )
    if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
        set /a hitCOUNT+=1
        if !hitCOUNT! GEQ %hitTRIGGER% (
            if not "!dnSHOWN!"=="1" (
                set /p=!objectDN! <nul
                set DNshown=1
            )
        )
    )         
)

 
LVL 39

Author Comment

by:abel
ID: 20411420
PS: in case you ask: yes, the query works, if run separately it returns a lot (I tested with removing @echo off which gave me the expanded command string). It also runs for a very long time when set to objectClass, which is as expected, the server contains about 50.000 entries.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20411463
Remove the 'echo off' and alter the filter such that the return-set is minimized ... paste the entire content back here ...
 
LVL 39

Author Comment

by:abel
ID: 20412920
I tried it, but made a little mistake (I left the "=*" in place) and after an hour it hadn't yet finished.... (though any normal query using a dump runs in about 1 min)

Changing it to a 1-resultset by using a uid, it gives the following output (pardon the length, but you asked for the whole bit).
C:\>for /F "tokens=*" %D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(uid=user4)" 2>nul') do (
set resultSTRING=%D
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=version: 1
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=dn: cn=Puser4,ou=usermanagers,ou=BIKECO LTD,ou=BIKECO NL,dc=local-ldap,dc=com
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=preflanguage: NL
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=stuurEmail: J
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: godusers
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: BHN WG Inzicht
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: BHN TP Inzicht
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: BHN TP Inzicht en mutatie
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: BHN WG Inzicht en mutatie
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: PPS basis AO
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=groepen: PPS beheerder
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=uid: user4
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=objectClass: top
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=objectClass: person
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=objectClass: persoon
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=geslacht: M
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=sn: Test
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=inlogLaatsteBezoek: 05-12-2007:15:41:31:263
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=userPassword: {SSHA}oVLe43puY5XXU3zrR+09E7rkNid/aJ9Y2kv0Eg==
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: Verloopstatistieken gebruiker
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: beheernet-gebruikerxx
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: userbeheer-usermanager
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: userbeheer-manager
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: userbeheer-directorymanager
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: userbeheer-configurationmanager
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=rechten: global-admin
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=email: test@test.nl
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=pwdDatumGewijzigd: 30-11-2007:14:15:58:768
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=cn: Puser4
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=pwdAantalDagenGeldig: 9999
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=inlogPogingenSucces: 23
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=inlogPogingenMax: 0
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=achternaam: Test
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=inlogPogingenFoutief: 0
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=pwdGeblokkeerd: N
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=initialen: P
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)
 
C:\>(
set resultSTRING=inlogVorigBezoek: 05-12-2007:15:39:53:450
 if /I "!resultSTRING:~0,3!" == "dn:" (
if "!DNshown!" == "1" echo [!hitCOUNT!]
 set hitCOUNT=0
 set DNshown=0
 set objectDN=!resultSTRING:~3!
)
 if /I "!resultSTRING:~1,user4!" == "uid" (
set /a hitCOUNT+=1
 if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
set /p=!objectDN!  0<nul
 set DNshown=1
) )
)
)

 
LVL 39

Author Comment

by:abel
ID: 20412960
Finally, here's the output from ldapsearch tool, so you can more easily compare the two.

Thanks very much for your help so far, I wouldn't have gotten even near this without your aid! :)
version: 1
dn: cn=Puser4,ou=usermanagers,ou=BIKECO LTD,ou=BIKECO NL,dc=local-ldap,dc=com
preflanguage: NL
stuurEmail: J
groepen: godusers
groepen: BHN WG Inzicht
groepen: BHN TP Inzicht
groepen: BHN TP Inzicht en mutatie
groepen: BHN WG Inzicht en mutatie
groepen: PPS basis AO
groepen: PPS beheerder
uid: user4
objectClass: top
objectClass: person
objectClass: persoon
geslacht: M
sn: Test
inlogLaatsteBezoek: 05-12-2007:15:41:31:263
userPassword: {SSHA}oVLe43puY5XXU3zrR+09E7rkNid/aJ9Y2kv0Eg==
rechten: Verloopstatistieken gebruiker
rechten: beheernet-gebruikerxx
rechten: userbeheer-usermanager
rechten: userbeheer-manager
rechten: userbeheer-directorymanager
rechten: userbeheer-configurationmanager
rechten: global-admin
email: test@test.nl
pwdDatumGewijzigd: 30-11-2007:14:15:58:768
cn: Puser4
pwdAantalDagenGeldig: 9999
inlogPogingenSucces: 23
inlogPogingenMax: 0
achternaam: Test
inlogPogingenFoutief: 0
pwdGeblokkeerd: N
initialen: P
inlogVorigBezoek: 05-12-2007:15:39:53:450

 
LVL 39

Author Comment

by:abel
ID: 20412987
FYI: I tried with "rechten" and with "objectClass". For the minimized resultset however, I needed to adjust the query; for any other query than one that results in only one resultset, it would've given a zillion lines of output... Which, in retrospect, makes the output above less useful, because the properties for the query are not set correctly...
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 500 total points
ID: 20413698
Here you go, this worked for me.  Note, I've added a great many more operational constants at the top of the script, alter them accordingly -
@echo off
 
setlocal ENABLEDELAYEDEXPANSION
 
set hitTRIGGER=2
 
set attributeNAME=member
set attributeLENGTH=6
 
set bindDN=cn=administrator,cn=users,dc=mset,dc=lab
set bindPASSWORD=password
set hostDSA=10.254.254.1
set DSAport=389
set queryBASE=dc=mset,dc=lab
set chaseREFERRALSargs=-R
set querySCOPE=sub
 
for /f "tokens=*" %%D in ('ldapsearch -b "%queryBASE%" -h %hostDSA% %chaseREFERRALSargs% -p %DSAport% -s %querySCOPE% -D "%bindDN%" -w %bindPASSWORD% "(%attributeNAME%=*)" %attributeNAME% 2^>nul') do (
    set resultSTRING=%%D
    if /i "!resultSTRING:~0,3!"=="dn:" (
        if "!DNshown!"=="1" echo [!hitCOUNT!]
        set hitCOUNT=0
        set DNshown=0
        set objectDN=!resultSTRING:~3!
    )
    if /i "!resultSTRING:~0,%attributeLENGTH%!"=="%attributeNAME%" (
        set /a hitCOUNT+=1
        if !hitCOUNT! GEQ %hitTRIGGER% (
            if not "!dnSHOWN!"=="1" (
                set /p=!objectDN! <nul
                set DNshown=1
            )
        )
    )         
)

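The accepted script re-implements in batch the one thing the thread establishes an LDAP filter cannot express (MSE-dwells' first comment: no matching rule returns a value count): it walks the LDIF that ldapsearch prints and counts the values of one attribute per entry. The following is an added example, not code from the thread or from either participant, doing the same post-processing in Python. It reads LDIF from a file or stdin, and covers three cases the batch version does not: continuation lines (present whenever ldapsearch runs without -T), base64-encoded "::" values, and case-insensitive attribute names. The sample LDIF is constructed for the example, modelled on the question's mini-LDIF; the script name count_values.py is an assumption.

```python
"""Count the values of one attribute per LDAP entry in LDIF text (e.g. ldapsearch output).

Added example, not part of the thread. Given LDIF, report every DN that carries
at least `threshold` values of `attribute`, the job the batch scripts above do.
"""
import base64
import re
import sys

# attribute, optional second ':' (base64 marker), value.  Attribute options such as
# ";binary" stay part of the name; URL values ("attr:< file://...") are kept verbatim.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:?)\s?(.*)$")


def unwrap_ldif(lines):
    """Join LDIF continuation lines: a line starting with one space continues the
    previous line (the thread's ldapsearch -T switches this wrapping off)."""
    out = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}), one per entry.

    Entries are separated by blank lines; comments and the 'version:' line are
    skipped; '::' values are base64-decoded.
    """
    entries = []
    dn, attrs = None, {}
    for line in unwrap_ldif(text.splitlines()):
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # not an attribute line; ignore it
        name, b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            dn, attrs = value, {}         # a dn line opens a new entry
        elif dn is not None:              # drops 'version: 1' seen before any dn
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def find_multivalued(entries, attribute, threshold=2):
    """Return [(dn, count)] for entries holding >= threshold values of attribute."""
    name = attribute.lower()
    return [(dn, len(attrs.get(name, []))) for dn, attrs in entries
            if len(attrs.get(name, [])) >= threshold]


# Constructed sample, modelled on the question's mini-LDIF: John Doe has two
# rights, Jane Roe one, and the third entry exercises a wrapped dn and a
# base64-encoded value ("dXNlcg==" decodes to "user").
SAMPLE_LDIF = """\
version: 1
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: person
cn: John Doe
sn: Doe
right: user
right: employer

dn: cn=Jane Roe,ou=people,dc=example,dc=com
objectClass: person
cn: Jane Roe
sn: Roe
right: user

dn: cn=Wrapped Entry,ou=people,
 dc=example,dc=com
objectClass: person
cn: Wrapped Entry
sn: Entry
right:: dXNlcg==
right: view-roles
right: manage-employers
"""


def main(argv):
    """Usage: count_values.py ATTRIBUTE [THRESHOLD] [FILE]  (reads stdin without FILE)."""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    attribute = argv[1]
    threshold = int(argv[2]) if len(argv) > 2 else 2
    if len(argv) > 3:
        with open(argv[3], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = sys.stdin.read()
    for dn, n in find_multivalued(parse_ldif(text), attribute, threshold):
        print(f"{dn} [{n}]")           # same "dn [count]" shape as the batch script
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the directory dump into it, e.g. the thread's ldapsearch call with the filter "(right=*)" and the attribute name appended, followed by `| python count_values.py right 2`. Because the parser consumes LDIF rather than launching ldapsearch itself, the bind password does not need to be written into the script as the batch version's bindPASSWORD constant requires; ldapsearch can be given its credential by whatever means the deployment already uses. Running against a 50.000-entry directory, as in the thread, the cost is one pass over the output, so restricting the returned attributes to the one being counted keeps both transfer and parse time down.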
 
LVL 39

Author Comment

by:abel
ID: 20418353
WOW! This is invaluable, works like a charm, really :)))

I sure have to delve into MS DOS Batch files again, I thought I knew about their possibilities, but you surely showed a way of Batch programming I didn't know was possible (well, I knew, but didn't know it was so feasible).

Great work "MSE-dwells", triple ***AAA*** status for you :)
 
LVL 39

Author Closing Comment

by:abel
ID: 31411380
Thanks for all your efforts. The solution is self-explanatory. Two thumbs up!
