On Mon, 17 Jul 2000 07:55:12 CDT, Mark Wilcox wrote:
> If you look in the contrib directory of the perl-ldap distribution you'll find
> my group example code.
>
> The filter looks like:
> member=uid=mewilcox,ou=people,dc=unt,dc=edu
>
> or if you want wildcard
> member=uid=mewilcox,*
>
> or
> member=*,ou=people,dc=unt,dc=edu
>
> The tricky part to remember is that a member of the group could itself be
> another group!
>
> Mark
>
> "GLASSON,Michael" wrote:
>
> > Is there any trick to writing a filter to search for entries whose 'member'
> > attribute has a particular value? That is, what does a filter to search for
> > a dn in an attribute look like? This has got me stumped (sorry, I'm
> > Australian) because I can retrieve records with '(member=*)', but not
> > '(member=c*)'. Further, this last case returns an error, rather than no
> > records.
> >
> > I have been trying to write a recursive walk in perl-ldap to give a tree
> > structured view of distribution lists in Exchange. To do this, I wanted to
> > find entries whose 'memberof' attribute contained the dn of the known root
> > of lists. So my problems have started.
>
>
The problem here is that you are trying to use an inappropriate
matching rule in the directory.

Asking for (member=*) is OK - the directory uses the equality matching
rule which is defined for the member attribute.

Asking for (member=c*) is not OK - there is no defined substring
matching rule for the member attribute. That's because the member
values are *not* strings, but distinguished names. There is no
substring matching rule for DNs, see RFC 2256 section 5.50.

What you have to do is get the results of (member=*) and then select
the required results from the returned values. You need to do this
using knowledge of the string representation of DNs defined in RFC
2253, which is important because the same DN can have different string
representations. So you need to perform some canonicalisation if you
want to be correct.

Cheers,
Chris
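
The client-side selection described in the reply above, as an added example that is not part of the original thread or of the perl-ldap contrib code. It assumes Net::LDAP::Util from the perl-ldap distribution is installed; the helper names norm_dn and dn_under are hypothetical, and the member values are constructed samples standing in for what a (member=*) search would return.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(canonical_dn);

# Canonical, case-folded form of a DN, or undef if it does not parse.
# canonical_dn() normalises spacing, quoting and escaping, so different
# string forms of one DN come out identical. lc() then folds case, which
# assumes the naming attributes match case-insensitively (uid, ou, dc, cn do).
sub norm_dn {
    my ($dn) = @_;
    my $canon = canonical_dn($dn);
    return defined $canon ? lc $canon : undef;
}

# True if $dn equals $base or sits below it in the tree.
sub dn_under {
    my ($dn, $base) = @_;
    my ($dn_n, $base_n) = (norm_dn($dn), norm_dn($base));
    # An unparseable value is rejected rather than compared as a raw string.
    return 0 unless defined $dn_n && defined $base_n;
    return 1 if $dn_n eq $base_n;
    # In canonical form, special characters inside values are hex-escaped,
    # so a bare "," is always an RDN separator and a suffix test is safe.
    return $dn_n =~ /,\Q$base_n\E\z/ ? 1 : 0;
}

# Base taken from the filter examples in the thread.
my $base = 'ou=people,dc=unt,dc=edu';

# Constructed member values: the same entries written in different forms.
my @members = (
    'uid=mewilcox,ou=people,dc=unt,dc=edu',
    'UID=mewilcox, OU=People, DC=unt, DC=edu',   # case and spacing differ
    'cn="Smith, J",ou=people,dc=unt,dc=edu',     # quoted value
    'cn=Smith\, J,ou=people,dc=unt,dc=edu',      # same value, escaped
    'cn=staff,ou=groups,dc=unt,dc=edu',          # outside the base
    'not a dn',                                  # does not parse
);

for my $m (@members) {
    printf "%-4s %s\n", (dn_under($m, $base) ? 'keep' : 'skip'), $m;
}
```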