Reputation: 18591
I have searched on this topic, but all I find are filters that return entries where a certain attribute is not present, like:
(!(manager=*))
However, I want to find entries where the attribute is present, but has a null value (i.e. an empty/blank string). Can I do this using an LDAP filter, and if so, how?
EDIT:
Just to confirm, the above filter finds entries without the attribute, but not where the attribute is empty (null string).
Is this dependent on the LDAP implementation or what?
Upvotes: 42
Views: 166923
Reputation: 5
You have to negate matching the wildcard * (any value):
(&(objectCategory=computer)(whenCreated>=20160101000000.0Z)(!description=*))
From Microsoft's LDAP Query Basics:
The ! operator in conjunction with the wildcard operator will look for objects where that attribute is not set to anything.
Upvotes: 0
Reputation: 39
I needed to do a query to get me all groups with a managedBy value set (not empty) and this gave some nice results:
(!(!managedBy=*))
Upvotes: 3
Reputation: 119
This article http://technet.microsoft.com/en-us/library/ee198810.aspx led me to the solution. The only change is the placement of the exclamation mark.
(!manager=*)
It seems to be working just as wanted.
Upvotes: 11
Reputation: 741
Search for a null value by using \00
For example:
ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme 'manager=\00' uid manager
Make sure if you use the null value on the command line to use quotes around it to prevent the OS shell from sending a null character to LDAP. For example, this won't work:
ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme manager=\00 uid manager
There are various sites that reference this, along with other special characters. Example:
Upvotes: 10
Reputation: 11134
The schema definition for an attribute determines whether an attribute must have a value. If the manager attribute in the example given is the attribute defined in RFC4524 with OID 0.9.2342.19200300.100.1.10, then that attribute has DN syntax. DN syntax is a sequence of relative distinguished names and must not be empty. The filter given in the example is used to cause the LDAP directory server to return only entries that do not have a manager attribute to the LDAP client in the search result.
Upvotes: 2
Reputation: 10986
From LDAP, there is not a query method to determine an empty string.
The best practice would be to scrub your data inputs to LDAP as an empty or null value in LDAP is no value at all.
To determine this you would need to query for all with a value (manager=*) and then use code to determine the ones that were a "space" or null value.
And as Terry said, storing an empty or null value in an attribute of DN syntax is wrong.
Some LDAP server implementations will not permit entering a DN where the DN entry does not exist.
Perhaps you could, if your DNs are consistent, use something like:
(&(!(manager=cn*))(manager=*))
This should return any value of manager where there was a value for manager and it did not start with "cn".
However, some LDAP implementations will not allow sub-string searches on DN syntax attributes.
-jim
Upvotes: 31
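The client-side check suggested in the answer above (query with (manager=*), then inspect the values in code), as an added example that is not part of the original answers. It assumes the search results are available as LDIF text such as ldapsearch prints; the sample entries and the function names parse_ldif and blank_valued are constructed for illustration.

```python
import base64

# Constructed sample: LDIF as printed by a search with filter (manager=*).
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=acme
manager: cn=boss,ou=users,dc=acme

dn: uid=bob,ou=users,dc=acme
manager:: IA==

dn: uid=carol,ou=users,dc=acme
manager:

dn: uid=dave,ou=users,dc=acme
manager: cn=a-very-long-name,ou=users,
 dc=acme
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record; handles folding and base64."""
    # RFC 2849: a line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for record in unfolded.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.split("\n"):
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):   # "attr:: <base64>" (e.g. leading space)
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:                      # "attr: <value>" or a bare "attr:"
                value = rest.lstrip(" ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:             # skips ldapsearch's "search:"/"result:" blocks
            yield dn, attrs

def blank_valued(text, attr):
    """Return DNs whose `attr` is present but empty or whitespace-only."""
    attr = attr.lower()
    return [dn for dn, attrs in parse_ldif(text)
            if any(v.strip() == "" for v in attrs.get(attr, []))]

if __name__ == "__main__":
    print(blank_valued(SAMPLE_LDIF, "manager"))
```

LDIF base64-encodes values that begin with a space, so a single-space value shows up as "manager:: IA==" and has to be decoded before it can be recognised as blank.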
Reputation: 310884
Semantically there is no difference between these cases in LDAP.
Upvotes: 3