From: Chris R. <Chr...@me...> - 2000-07-17 13:33:19
On Mon, 17 Jul 2000 07:55:12 CDT, Mark Wilcox wrote:
> If you look in the contrib directory of the perl-ldap distribution you'll find
> my group example code.
>
> The filter looks like:
> member=uid=mewilcox,ou=people,dc=unt,dc=edu
>
> or if you want wildcard
> member=uid=mewilcox,*
>
> or
> member=*,ou=people,dc=unt,dc=edu
>
> The tricky part to remember is that a member of the group could itself be
> another group!
>
> Mark
>
> "GLASSON,Michael" wrote:
>
> > Is there any trick to writing a filter to search for entries whose 'member'
> > attribute has a particular value? That is, what does a filter to search for
> > a dn in an attribute look like? This has got me stumped (sorry, I'm
> > Australian) because I can retrieve records with '(member=*)', but not
> > '(member=c*)'. Further, this last case returns an error, rather than no
> > records.
> >
> > I have been trying to write a recursive walk in perl-ldap to give a tree
> > structured view of distribution lists in Exchange. To do this, I wanted to
> > find entries whose 'memberof' attribute contained the dn of the known root
> > of lists. So my problems have started.
> >

The problem here is that you are trying to use an inappropriate matching rule in the directory.

Asking for (member=*) is OK - the directory uses the equality matching rule which is defined for the member attribute. Asking for (member=c*) is not OK - there is no defined substring matching rule for the member attribute. That's because the member values are *not* strings, but distinguished names. There is no substring matching rule for DNs, see RFC 2256 section 5.50.

What you have to do is get the results of (member=*) and then select the required results from the returned values. You need to do this using knowledge of the string representation of DNs defined in RFC 2253, which is important because the same DN can have different string representations. So you need to perform some canonicalisation if you want to be correct.

Cheers,

Chris
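
The client-side selection Chris describes, as an added example that is not part of the original thread or of the perl-ldap contrib code: member values are parsed with `ldap_explode_dn` from Net::LDAP::Util and compared RDN by RDN instead of as raw strings. The helper names (`rdn_keys`, `same_dn`, `is_under`), the sample member list and the assumption that all naming attributes match case-insensitively are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_explode_dn);

# Turn a DN string into comparable RDN keys, leaf first.
# Returns an empty list when the string is not a valid DN.
# Assumption: values are matched case-insensitively (true for uid, cn, ou, dc).
sub rdn_keys {
    my ($dn) = @_;
    my $rdns = ldap_explode_dn($dn, casefold => 'lower') or return;
    return map {
        my $rdn = $_;
        join "\0", map {
            my $v = lc $rdn->{$_};      # fold value case
            $v =~ s/\s+/ /g;            # squeeze runs of whitespace
            join '=', $_, $v;
        } sort keys %$rdn;              # order-independent for multi-valued RDNs
    } @$rdns;
}

# True when both strings name the same entry, whatever their spelling.
sub same_dn {
    my @a = rdn_keys($_[0]);
    my @b = rdn_keys($_[1]);
    return 0 unless @a && @a == @b;
    return join("\x01", @a) eq join("\x01", @b);
}

# True when $dn lies below $base (the intent of "member=*,ou=people,...").
sub is_under {
    my ($dn, $base) = @_;
    my @d = rdn_keys($dn);
    my @b = rdn_keys($base);
    return 0 unless @b && @d > @b;
    my @tail = @d[ @d - @b .. $#d ];    # the last scalar(@b) RDNs of $dn
    return join("\x01", @tail) eq join("\x01", @b);
}

# Constructed values, as a (member=*) search might return them.
my @members = (
    'uid=mewilcox,ou=people,dc=unt,dc=edu',
    'UID=MEWilcox, OU=People, DC=unt, DC=edu',   # same entry, other spelling
    'cn=staff,ou=groups,dc=unt,dc=edu',          # a nested group
);
my $target = 'uid=mewilcox,ou=people,dc=unt,dc=edu';
my $base   = 'ou=people,dc=unt,dc=edu';
for my $m (@members) {
    printf "%-45s same=%s under_people=%s\n", $m,
        same_dn($m, $target) ? 'yes' : 'no',
        is_under($m, $base)  ? 'yes' : 'no';
}
```

A raw `eq` on the second value would miss the match, which matters when the result decides group membership or access.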