Thomas Knox

Reputation: 11

LDAP: how to create search filters for nested attributes and values?

I understand how to create LDAP search filters based on simple attributes, e.g.

(&(objectClass=universityPerson)(surname=Smith*))

will return a nice list of university people whose last names start with 'Smith'. So far so good!

In our university LDAP schema, people have a number of custom attributes or sub-objects that have a structure like

graduateStatus: {campus=CAMPUS_CODE}:{degSchool=SCHOOL_CODE}:{classYr=YYYY}

or

universityHR:
  {jobCategory=Staff}:
  {campus=CAMPUS_CODE}:
  {deptId=999999}:
  {deptGroup=COLLEGE_BUSINESS}:
  {deptDescription=Business Library}:
  {deptVicePresidentArea=PROVOST}:
  {jobcode=123456}:
  {jobFamily=123}:
  {emplStatus=A}:
  {regTemp=R}

It would be very useful to make LDAP queries to answer questions like:

I'd like to be able to create ldap search filters referring to those sub-attributes, something like:

(&(objectClass=universityPerson)(graduateStatus.campus=BUS)(graduateStatus.classYr=1995))

or

(&(objectClass=universityPerson)(universityHR.regTemp=T)(universityHR.jobFamily=789))

but I can't figure out if this is possible, let alone what the syntax might be.

I suspect that this is not a good use case for LDAP, and that I should look for answers to such questions in other enterprise systems. Yet it would be very convenient to use the enterprise directory as something more than a glorified phone book.

Digging through OpenLDAP.org and ldapsearch docs for various distros has not led to an answer. Anytime I look for something about nested attributes or hierarchy, I find tons of documents about nested groups and membership queries, but that's not the question here.

Many thanks for any advice.

Upvotes: 1

Views: 2489

Answers (1)

Esteban

Reputation: 1815

Without modifying the structure of your data, the only way I could see with OpenLDAP is to develop an overlay which could allow you to do this kind of request, but it will not be an easy task ;)

If you are alright with modifying the structure of your data OR duplicating (and maintaining the integrity of) certain data, you can expand these attributes into groups of users.

The requests will be to find users which are part of multiple groups at the same time.

For example: (&(objectClass=universityPerson)(universityHR.regTemp=T)(universityHR.jobFamily=789))

could be:

(&(objectClass=universityPerson)(memberOf=cn=T,ou=regTemp,ou=universityHR,ou=group,dc=example,dc=com)(memberOf=uid=789,ou=jobFamily,ou=universityHR,ou=group,dc=example,dc=com))

With a tree like:

dc=example,dc=com
  `- ou=group
      `- ou=universityHR
         |- ou=jobFamily
         |   |- uid=789
         |   `- uid=987
         `- ou=regTemp
             |- cn=T
             `- cn=A

The last idea I could think of would be to make this filtering in an API and request your API with this kind of filters and let the API make the needed requests and aggregate the results.

If you could post an LDIF of your custom nested attributes/subentries, we could see what is possible.

Upvotes: 1
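The two workable options in the answer, as an added example that is not part of the question or the answer: (1) the "do it in an API" route, where candidate entries are fetched with a plain filter and the serialized `{key=value}:{key=value}` attribute values are parsed and matched in application code, and (2) the group-tree route, where the equivalent `memberOf` filter is built from the tree shown above. Both paths escape values (RFC 4514 for the DN, RFC 4515 for the filter) so that a user-supplied value such as `T)(uid=*` cannot rewrite the query. The attribute names, the tree layout, `SAMPLE_ENTRIES` and the `uid=` RDN for jobFamily groups are assumptions taken from the post for illustration, not a real schema.

```python
"""Added example: querying '{key=value}:...' style LDAP attributes two ways.
Attribute names, DN layout and sample data are assumptions for illustration."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One '{name=value}' pair; the surrounding ':' separators and any whitespace
# (the attribute may be printed over several lines) are ignored.
_PAIR = re.compile(r"\{([^{}=]+)=([^{}]*)\}")

Constraint = Tuple[str, str, str]  # (attrSet, subAttr, wanted value)


def parse_serialized(value: str) -> Dict[str, str]:
    """'{campus=BUS}:{degSchool=MBA}:{classYr=1995}' -> dict of sub-attributes."""
    return {k.strip(): v.strip() for k, v in _PAIR.findall(value)}


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape the characters that have meaning inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value so it is safe inside an RDN."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if value[:1] in ("#", " "):          # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if value.endswith(" "):              # trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    return escaped


def memberof_filter(object_class: str, constraints: Iterable[Constraint],
                    base_dn: str = "dc=example,dc=com",
                    rdn_attr: Optional[Dict[str, str]] = None) -> str:
    """Build the group-based filter from the answer's tree:
    ou=<subAttr>,ou=<attrSet>,ou=group,<base_dn> holds one group per value.
    rdn_attr maps a sub-attribute to the RDN type of its groups (default cn).
    attrSet/subAttr come from the schema, not from users, so they are not escaped."""
    rdn_attr = rdn_attr or {}
    parts = ["(objectClass=%s)" % escape_filter_value(object_class)]
    for attr_set, sub_attr, value in constraints:
        group_dn = "%s=%s,ou=%s,ou=%s,ou=group,%s" % (
            rdn_attr.get(sub_attr, "cn"), escape_dn_value(value),
            sub_attr, attr_set, base_dn)
        # the whole DN is an assertion value, so it gets filter escaping too
        parts.append("(memberOf=%s)" % escape_filter_value(group_dn))
    return "(&" + "".join(parts) + ")"


def matches(entry: Dict[str, List[str]], constraints: Iterable[Constraint]) -> bool:
    """Client-side matching. The attributes are multi-valued, so all constraints
    on one attrSet must hold within a single value (one graduateStatus record),
    which is stricter than two independent memberOf group memberships."""
    wanted: Dict[str, Dict[str, str]] = {}
    for attr_set, sub_attr, value in constraints:
        wanted.setdefault(attr_set, {})[sub_attr] = value
    for attr_set, subs in wanted.items():
        records = [parse_serialized(v) for v in entry.get(attr_set, [])]
        if not any(all(r.get(k) == v for k, v in subs.items()) for r in records):
            return False
    return True


def search_local(entries: Iterable[Dict[str, List[str]]],
                 constraints: Iterable[Constraint]) -> List[str]:
    """Return the uids of entries satisfying every constraint (the 'API' option)."""
    constraints = list(constraints)
    return [e["uid"][0] for e in entries if matches(e, constraints)]


# Constructed sample entries shaped like the attributes in the question.
SAMPLE_ENTRIES = [
    {"uid": ["jsmith"],
     "graduateStatus": ["{campus=BUS}:{degSchool=MBA}:{classYr=1995}"],
     "universityHR": ["{jobCategory=Staff}:{campus=BUS}:{deptId=999999}:"
                      "{jobFamily=789}:{emplStatus=A}:{regTemp=T}"]},
    {"uid": ["asmith"],   # BUS/2001 and MED/1995: not a BUS graduate of 1995
     "graduateStatus": ["{campus=BUS}:{degSchool=MBA}:{classYr=2001}",
                        "{campus=MED}:{degSchool=MD}:{classYr=1995}"],
     "universityHR": ["{jobCategory=Faculty}:{campus=MED}:{jobFamily=123}:{regTemp=R}"]},
    {"uid": ["bjones"],
     "universityHR": ["{jobCategory=Staff}:{campus=BUS}:{jobFamily=789}:{regTemp=R}"]},
]

if __name__ == "__main__":
    hr = [("universityHR", "regTemp", "T"), ("universityHR", "jobFamily", "789")]
    print(memberof_filter("universityPerson", hr, rdn_attr={"jobFamily": "uid"}))
    print(search_local(SAMPLE_ENTRIES, hr))
    print(search_local(SAMPLE_ENTRIES, [("graduateStatus", "campus", "BUS"),
                                        ("graduateStatus", "classYr", "1995")]))
```

Two caveats worth keeping in mind when choosing between the routes. On OpenLDAP the `memberOf` attribute only exists if the memberof overlay maintains it, and the group filter expresses two independent memberships: a person who was a BUS graduate in 2001 and a MED graduate in 1995 would match `campus=BUS` and `classYr=1995` groups separately, whereas `matches` above requires both sub-attributes to come from the same serialized record. The escaping matters in either route, because the sub-attribute values (campus codes, job families) typically arrive from a web form.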
