Solved

LDAP Search syntax for finding entries with multiple equal attributes

Posted on 2007-11-28
5,515 Views
Last Modified: 2013-12-24
Hi Experts,

I am moderately acquainted with the general syntax of LDAP search queries. However I don't seem to get my hands around how to do an LDAP search for entries that have two or more attributes of a certain name.

Take as an example the mini-LDIF in the code-snippet section. The user John Doe has two rights, namely "user" and "employer". It isn't hard to find any person with user and employer rights:

    (&(right=user)(right=employer))

however, I would like to find all users with two rights or more. One right would be easy:

    (right=*)

but that is not enough. Is there a way to query an LDAP directory for all persons that have two or more rights (or any other attribute for that matter)?

Any help is greatly appreciated.

Cheers,
-- Abel --

    objectClass: person
    cn: John Doe
    sn: Doe
    right: user
    right: employer

0
Question by:abel
26 Comments
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20381917
Not natively, since there are no operand or matching-rule combinations that return a count, or that return TRUE based upon the number of values (only the values themselves).

I'd suggest you use a simple script.  Note that the example I've provided uses a very popular and entirely free LDAP query tool available from http://joeware.net.  The script could look like this (the example provided functions per your requirements) -

    @echo off
    setlocal ENABLEDELAYEDEXPANSION

    REM attribute to count, the length of its name, and the minimum number of values to report
    set attributeNAME=right
    set attributeLENGTH=5
    set hitTRIGGER=2

    REM adfind prints attribute lines with a leading angle bracket, hence the offset of 1 below
    for /f "tokens=*" %%D in ('adfind -domain -f "%attributeNAME%=*" %attributeNAME% 2^>nul') do (
        set resultSTRING=%%D
        if /i "!resultSTRING:~0,3!"=="dn:" (
            REM a new entry starts: print the count for the previous one, then reset
            if "!DNshown!"=="1" echo [!hitCOUNT!]
            set hitCOUNT=0
            set DNshown=0
            set objectDN=!resultSTRING:~3!
        )
        if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
            set /a hitCOUNT+=1
            if !hitCOUNT! GEQ %hitTRIGGER% (
                REM print the DN once, without a newline; its count follows when the next entry starts
                if not "!dnSHOWN!"=="1" (
                    set /p=!objectDN! <nul
                    set DNshown=1
                )
            )
        )
    )
    REM the last entry has no following dn: line, so flush its count here
    if "!DNshown!"=="1" echo [!hitCOUNT!]
    endlocal

0
 
LVL 39

Author Comment

by:abel
ID: 20383190
That looks rather cool! Thanks (I was worrying that my question was unsolvable). This looks like a rather strong use of the MS DOS Batch Extensions, very nice.

I downloaded and tried the adfind tool, but couldn't get it to connect to my server. It either says "Server down" (81) or "Authentication method not supported" (7), the latter only when I do not provide a login+pwd on the commandline.

Maybe it isn't suitable for Sun Directory Server 5.2? Do you know of any settings I am missing? Here's the commandline I tried:

    adfind -h sso.local-ldap.com:60945 -c -u uid=user4,dc=local,dc=com -p test -b dc=local-ldap,dc=com -f "uid=user4"

(as you can see, I login as a certain user and try to query that same user, but it doesn't work yet). Any ideas?

Cheers & Thanks,
-- Abel --
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383360
What does this return -

    adfind -h sso.local-ldap.com:60945 -c -simple -u uid=user4,dc=local,dc=com -up test -b dc=local-ldap,dc=com -f "uid=user4"

... try it without the -simple as well.

PS - I believe you meant -up for the password value -- did you also want to return just the object count (-c) that met your filter?

PPS - I confess, I've become so blinkered by Active Directory, I forget to even consider the potential for other DSs ... ughhh, sorry 'bout that.
0
 
LVL 39

Author Comment

by:abel
ID: 20383445
Getting closer....

After a "No Such Object" (32) error (which usually means the userid or dn is wrong), I now have an "Unavailable Critical Extension" error. In full, it looks like this (see snippet).

Any further ideas? Using Apache Directory Studio, I can connect fine (but that doesn't have handy command-line tools).


    AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

    Enter Password: ......
    Using server: :60945

    ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension

    0 Objects returned

0
 
LVL 39

Author Comment

by:abel
ID: 20383452
PS: yes, it was my misinterpretation of the commandline explanations: using "-p" for "-up"....
0
 
LVL 39

Author Comment

by:abel
ID: 20383465
PPS: yes, the -c was on purpose, my first query looked like "uid=*" and I did not want the clutter, only the count.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383475
Hmmm ... that seems to indicate your DS can't handle paging; I find that hard to believe though.  Is that correct?  Try tacking a -d on for further debugging-related output.

In addition, if we circumvent this issue, add this switch on there ........ -dloid

... it may also be trying to make some smart decisions by enumerating the schema which will fail since ADfind is NOT a generic LDAP query tool like LDIFDE, it's written specifically for AD or ADAM ... so we'll see.
0
 
LVL 39

Author Comment

by:abel
ID: 20383528
Hmm, maybe you can make something of this, but it looks like we're getting at the end of our options here. "-dloid" gave just the same error. "-d" is below:

    AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

    DEBUG: Opening TCP connection
    DEBUG: In OpenLDAP... Params:
    DEBUG:    Server:    sso.local-ldap.com
    DEBUG:    SSL: 0
    DEBUG:    Port:        60945
    DEBUG:    Ref:       1
    DEBUG:    V3:        1
    DEBUG:    Anonymous: 0
    DEBUG:    userdn: uid=test,dc=local-ldap,dc=com
    DEBUG:    password: test
    DEBUG:    Simple: 1
    DEBUG:    LDAP_OPT_ENCRYPT: 0
    DEBUG:    Delegation: 0
    DEBUG:    Extended Error Info: 0
    LDAP_OPTION: Version 3
    LDAP_BIND: [sso.local-ldap.com] Successful
    DEBUG: Gathering RootDSE
    DEBUG: Entering CRootDSE...
    DEBUG: Leaving CRootDSE.
    DEBUG: RootDSE Completed
    Using server: :60945

    DEBUG: Initializing Search Paging...
    DEBUG: Search Initialized...
    DEBUG: Have valid Search Handle...
    DEBUG: Retrieving Page...
    DEBUG: Temp Page Size: 1000
    DEBUG: Object Count: 0
    ldap_get_next_page_s: [] Error 0xc (12) - Unavailable Critical Extension

    0 Objects returned

0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383554
Nod, that looks like your DS doesn't support paging.  From AD or ADAM, I get this -

    C:\>adfind -h light -rootdse | find /i "pag"
    AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
    >supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]

... the LDAP control, though a Microsoft control, is the industry standard since they introduced paging.
0
 
LVL 39

Author Comment

by:abel
ID: 20383738
aha.. I don't know, you may be right, of course. But perhaps it is the story explained here? http://forum.java.sun.com/thread.jspa?threadID=5201270

Unfortunately, I have to go (it is 18.40 and it's Friday, time for weekend ;). Do you think this is resolvable? Or is another tool useful with your solution?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383794
Nod, the script can be adapted readily enough.  It's just a matter of finding the tool to dump the data in the first place.  Perhaps if you formulate the LDIFDE syntax and throw it out an LDF file, I can adapt that script to fit.  Enjoy your weekend!
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20383812
PS - I'd also suggest dumping the rootDSE and seeing if it supports the control I mentioned earlier ... the unavailable crit. extension isn't necessarily indicative of this particular issue.
0
 
LVL 39

Author Comment

by:abel
ID: 20401929
I tried to use ldapsearch, which I found in the shared/bin directory of the Sun DS installation folder. It seems to work just fine and outputs as LDIF, I believe. Can I use that with your scriptlet?

    dn: cn=obsfUser,ou=manager,ou=myCompany,ou=myEnterprise,dc=local-ldap,dc=com
    objectClass: top
    objectClass: person
    right: view-roles
    right: edit-roled
    right: manage-employers

0

 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20402928
Hmmm ... I'm not in a convenient position to test it right now but, at first glance, it looks like you could substitute the ADfind syntax in the script with the ldapsearch equiv.  Post back the LDAPsearch syntax and I'll see how we can incorporate it.
0
 
LVL 39

Author Comment

by:abel
ID: 20403124
This is the line I use to call it, not really rocket science ;)

    ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(rights=*)"

Where:
-b is Base DN
-T is non-wrapped output (every line is on one line)
-p is port
-h is host (default localhost)
-D is bind dn
-w is password
last part is the query string in RFC-2254 syntax.

Full documentation is here in case you need any: http://docs.sun.com/source/816-6400-10/lsearch.html#wp19539
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20403422
OK, is your attribute named 'right' or 'rights'?

Let's try this (I haven't tested it BTW) -

    @echo off
    setlocal ENABLEDELAYEDEXPANSION

    set attributeNAME=rights
    set attributeLENGTH=6
    set hitTRIGGER=2

    for /f "tokens=*" %%D in (ldapsearch -b dc=local-ldap,dc=com -T -p 60945 -D uid=user4,dc=local-ldap,dc=com -w user4 "(%attributeNAME%=*)" 2^>nul') do (
        set resultSTRING=%%D
        if /i "!resultSTRING:~0,3!"=="dn:" (
            if "!DNshown!"=="1" echo [!hitCOUNT!]
            set hitCOUNT=0
            set DNshown=0
            set objectDN=!resultSTRING:~3!
        )
        if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
            set /a hitCOUNT+=1
            if !hitCOUNT! GEQ %hitTRIGGER% (
                if not "!dnSHOWN!"=="1" (
                    set /p=!objectDN! <nul
                    set DNshown=1
                )
            )
        )
    )

0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20403439
Dang, the attribute is 'right' not 'rights' I think.  Change lines 5 and 6 in the script accordingly to account for that.
0
 
LVL 39

Author Comment

by:abel
ID: 20411397
> OK, is your attribute named 'right' or 'rights'?

actually, it is in Dutch: "rechten". I translated (and obfuscated) the output and apparently I wasn't all too consistent. But I should be capable enough to adjust your script accordingly ;)

I tried your script and needed to make a few adjustments: quotes around the -b and -D parameters (otherwise DOS interprets the equal sign and the comma as spaces) and a starting single quote for the command.

Result: naught. I also tried with "objectClass" as attribute, because almost all entries have two or more objectclass attributes. I tested the output of the error (you direct it to NUL) but that didn't reveal anything (no errors). Any ideas where I should look?

    @echo off
    setlocal ENABLEDELAYEDEXPANSION

    set attributeNAME=objectClass
    set attributeLENGTH=11
    set hitTRIGGER=2

    for /f "tokens=*" %%D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(%attributeNAME%=*)" 2^>nul') do (
        set resultSTRING=%%D
        if /i "!resultSTRING:~0,3!"=="dn:" (
            if "!DNshown!"=="1" echo [!hitCOUNT!]
            set hitCOUNT=0
            set DNshown=0
            set objectDN=!resultSTRING:~3!
        )
        if /i "!resultSTRING:~1,%attributeLENGTH%!"=="%attributeNAME%" (
            set /a hitCOUNT+=1
            if !hitCOUNT! GEQ %hitTRIGGER% (
                if not "!dnSHOWN!"=="1" (
                    set /p=!objectDN! <nul
                    set DNshown=1
                )
            )
        )
    )

0
 
LVL 39

Author Comment

by:abel
ID: 20411420
PS: in case you ask: yes, the query works, if run separately it returns a lot (I tested with removing @echo off which gave me the expanded command string). It also runs for a very long time when set to objectClass, which is as expected, the server contains about 50.000 entries.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20411463
Remove the 'echo off' and alter the filter such that the return-set is minimized ... paste the entire content back here ...
0
 
LVL 39

Author Comment

by:abel
ID: 20412920
I tried it, but made a little mistake (I left the "=*" in place) and after an hour it hadn't yet finished.... (though any normal query using a dump runs in about 1 min)

Changing it to a 1-resultset by using a uid, it gives the following output (pardon the length, but you asked for the whole bit).

    C:\>for /F "tokens=*" %D in ('ldapsearch -b "dc=local-ldap,dc=com" -T -p 60945 -D "uid=user4,dc=local-ldap,dc=com" -w user4 "(uid=user4)" 2>nul') do (
    set resultSTRING=%D
     if /I "!resultSTRING:~0,3!" == "dn:" (
    if "!DNshown!" == "1" echo [!hitCOUNT!]
     set hitCOUNT=0
     set DNshown=0
     set objectDN=!resultSTRING:~3!
    )
     if /I "!resultSTRING:~1,user4!" == "uid" (
    set /a hitCOUNT+=1
     if !hitCOUNT! GEQ 2 (if not "!dnSHOWN!" == "1" (
    set /p=!objectDN!  0<nul
     set DNshown=1
    ) )
    )
    )
 


0
 
LVL 39

Author Comment

by:abel
ID: 20412960
Finally, here's the output from ldapsearch tool, so you can more easily compare the two.

Thanks very much for your help so far, I wouldn't have gotten even near this without your aid! :)

    version: 1
    dn: cn=Puser4,ou=usermanagers,ou=BIKECO LTD,ou=BIKECO NL,dc=local-ldap,dc=com
    preflanguage: NL
    stuurEmail: J
    groepen: godusers
    groepen: BHN WG Inzicht
    groepen: BHN TP Inzicht
    groepen: BHN TP Inzicht en mutatie
    groepen: BHN WG Inzicht en mutatie
    groepen: PPS basis AO
    groepen: PPS beheerder
    uid: user4
    objectClass: top
    objectClass: person
    objectClass: persoon
    geslacht: M
    sn: Test
    inlogLaatsteBezoek: 05-12-2007:15:41:31:263
    userPassword: {SSHA}oVLe43puY5XXU3zrR+09E7rkNid/aJ9Y2kv0Eg==
    rechten: Verloopstatistieken gebruiker
    rechten: beheernet-gebruikerxx
    rechten: userbeheer-usermanager
    rechten: userbeheer-manager
    rechten: userbeheer-directorymanager
    rechten: userbeheer-configurationmanager
    rechten: global-admin
    email: test@test.nl
    pwdDatumGewijzigd: 30-11-2007:14:15:58:768
    cn: Puser4
    pwdAantalDagenGeldig: 9999
    inlogPogingenSucces: 23
    inlogPogingenMax: 0
    achternaam: Test
    inlogPogingenFoutief: 0
    pwdGeblokkeerd: N
    initialen: P
    inlogVorigBezoek: 05-12-2007:15:39:53:450

0
 
LVL 39

Author Comment

by:abel
ID: 20412987
FYI: I tried with "rechten" and with "objectClass". For the minimized resultset however, I needed to adjust the query; for any other query than one that results in only one resultset, it would've given a zillion lines of output... Which, in retrospect, makes the output above less useful, because the properties for the query are not set correctly...
0
 
LVL 9

Accepted Solution

by:MSE-dwells (earned 500 total points)
ID: 20413698
Here you go, this worked for me.  Note, I've added a great many more operational constants at the top of the script, alter them accordingly -

    @echo off
    setlocal ENABLEDELAYEDEXPANSION

    REM report entries carrying at least this many values of the attribute
    set hitTRIGGER=2

    REM attribute to count and the length of its name, used for the prefix compare below
    set attributeNAME=member
    set attributeLENGTH=6

    REM connection settings; the bind password is passed to ldapsearch on the command line via -w
    set bindDN=cn=administrator,cn=users,dc=mset,dc=lab
    set bindPASSWORD=password
    set hostDSA=10.254.254.1
    set DSAport=389
    set queryBASE=dc=mset,dc=lab
    set chaseREFERRALSargs=-R
    set querySCOPE=sub

    REM ldapsearch prints LDIF; only the counted attribute is requested and stderr is discarded
    for /f "tokens=*" %%D in ('ldapsearch -b "%queryBASE%" -h %hostDSA% %chaseREFERRALSargs% -p %DSAport% -s %querySCOPE% -D "%bindDN%" -w %bindPASSWORD% "(%attributeNAME%=*)" %attributeNAME% 2^>nul') do (
        set resultSTRING=%%D
        if /i "!resultSTRING:~0,3!"=="dn:" (
            REM a new entry starts: print the count for the previous one if it was shown, then reset
            if "!DNshown!"=="1" echo [!hitCOUNT!]
            set hitCOUNT=0
            set DNshown=0
            set objectDN=!resultSTRING:~3!
        )
        REM LDIF lines carry no leading angle bracket, unlike adfind output, so the compare starts at offset 0
        if /i "!resultSTRING:~0,%attributeLENGTH%!"=="%attributeNAME%" (
            set /a hitCOUNT+=1
            if !hitCOUNT! GEQ %hitTRIGGER% (
                if not "!dnSHOWN!"=="1" (
                    set /p=!objectDN! <nul
                    set DNshown=1
                )
            )
        )
    )
    REM the last entry has no following dn: line, so flush its count here
    if "!DNshown!"=="1" echo [!hitCOUNT!]
    endlocal

0
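The thread's answer to "no filter can count values" is to do the counting client-side over ldapsearch's LDIF output, as the accepted batch script does. As an added example that is not part of the thread or of either poster's code, here is the same idea in Python with a reader that follows LDIF as ldapsearch emits it: it unfolds continuation lines, decodes base64 (`::`) values and matches attribute names case-insensitively, none of which a fixed-width prefix compare on raw lines does. The attribute name `rechten` is the one from the thread; the DNs and values in the embedded sample are constructed.

```python
"""Added example (not from the thread): count the values of a multi-valued
LDAP attribute per entry from LDIF text, the client-side approach of the
accepted batch script, with RFC 2849 folding, base64 and case handling."""
import base64
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample of what ``ldapsearch -T ... "(rechten=*)" rechten`` prints.
# DNs and values are made up; "rechten" is the attribute name from the thread.
# The second entry has an upper-cased name, a base64 value and a folded line,
# all of which a fixed-width prefix compare on the raw lines would miss.
SAMPLE_LDIF = """\
version: 1
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: person
sn: Doe
rechten: user
rechten: employer

dn: cn=Jane Roe,ou=people,dc=example,dc=com
objectClass: person
RECHTEN: view-roles
rechten:: bWFuYWdlLWVtcGxveWVycw==
rechten: edit-ro
 les

# comment lines are ignored by LDIF readers
dn: cn=Solo,ou=people,dc=example,dc=com
objectClass: person
rechten: global-admin
"""


def unfold(lines: Iterator[str]) -> Iterator[str]:
    """Join folded lines (a leading space continues the previous line) and
    drop comment lines; blank lines pass through as entry separators."""
    buf = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and buf is not None:
            buf += line[1:]
            continue
        if buf is not None:
            yield buf
        buf = None if line.startswith("#") else line
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Yield (dn, attributes) per entry; attribute names are lower-cased and
    'attr:: <base64>' values are decoded. The 'version:' header is skipped."""
    dn, attrs = None, {}
    for line in unfold(iter(text.splitlines())):
        if line == "":
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line (e.g. a tool banner): skip it
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.lower()
        if name == "version" and dn is None:
            continue
        if name == "dn":
            dn = value
            continue
        attrs.setdefault(name, []).append(value)
    if dn is not None:
        yield dn, attrs


def entries_with_at_least(text: str, attribute: str, threshold: int = 2) -> List[Tuple[str, int]]:
    """Return (dn, count) for entries with at least `threshold` values of
    `attribute`: the question an LDAP filter alone cannot express."""
    wanted = attribute.lower()
    return [(dn, len(attrs.get(wanted, [])))
            for dn, attrs in parse_ldif(text)
            if len(attrs.get(wanted, [])) >= threshold]


if __name__ == "__main__":
    # usage: ldapsearch -T ... "(rechten=*)" rechten | python count_values.py rechten 2
    attr = sys.argv[1] if len(sys.argv) > 1 else "rechten"
    minimum = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    source = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for dn, n in entries_with_at_least(source, attr, minimum):
        print(f"{dn} [{n}]")
```

Run with nothing on stdin it evaluates the embedded sample; piped the output of `ldapsearch -T` into it, it prints each qualifying DN followed by its value count in the same `dn [n]` shape as the batch script.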
 
LVL 39

Author Comment

by:abel
ID: 20418353
WOW! This is invaluable, works like a charm, really :)))

I sure have to delve into MS DOS Batch files again, I thought I knew about their possibilities, but you surely showed a way of Batch programming I didn't know was possible (well, I knew, but didn't know it was so feasible).

Great work "MSE-dwells", triple ***AAA*** status for you :)
0
 
LVL 39

Author Closing Comment

by:abel
ID: 31411380
Thanks for all your efforts. The solution is self-explanatory. Two thumbs up!
0
