formicaman

Reputation: 1357

ldapsearch - filtering ou in dn

I understand you can't simply filter on dn, but I have something like this:

dc=lvl3,dc=lvl2,dc=lvl1, and someone could have a dn like this: CN=Last, First,OU=ou1,OU=retired,OU=ou1,DC=lvl3,DC=lvl2,DC=lvl1.

Is there a way I can filter results for those who do not have 'retired' in any ou?

Upvotes: 2

Views: 1976

Answers (2)

grawity_u1686

Reputation: 16247

Maybe, but it depends on the server's LDAP implementation.

There is a filter syntax which allows matching against DN attributes (in addition to entry attributes):

(ou:dn:=Retired)

(Within the LDAP specification this is known as the 'dnAttributes' field, part of the 'extensibleMatch' filter type. See RFC 4511 section 4.5.1.7.7)

Not all directory servers support this. For example, OpenLDAP handles it correctly, but Active Directory (MS AD and Samba) will ignore it, behaving as if you used (ou=Retired) instead.

If your server supports this, then a negative match is simply done by wrapping the filter in (!(...)) as you would normally do.

However, in other cases you should either a) use a custom attribute, or b) perhaps check for membership in a global "Active employees" group or something similar.

Upvotes: 2

jwilleke

Reputation: 10986

No. Not as an LDAP filter.

You could of course do a search and then sort on the client side.

Generally organization of "characteristics" of users should be done using Attributes and not by the Directory Structure.

Something like:

  • employeeType=Active
  • employeeType=Retired
  • employeeType=etc

To avoid these conditions.

Upvotes: 3
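Both answers above come down to the same two options: ask the server for `(!(ou:dn:=Retired))` where the `:dn:` extension is honoured, or pull the entries and check the DN yourself. The block below is an added example (not code from either answer) that does the client-side version properly: a small RFC 4514 DN parser (the question's `CN=Last, First` has to be written `CN=Last\, First` in a real DN, so the parser must handle `\,` and `\2c` escapes), a predicate with the semantics of `(ou:dn:=Retired)`, a builder for the server-side filter string with RFC 4515 value escaping, and a post-check that catches the failure mode grawity describes. That last point is the one worth remembering: a server that ignores `:dn:` does not fail the search, it silently evaluates `(!(ou=Retired))`, which on a typical AD tree matches every user, retired ones included. The entries, function names and `employeeType` values are constructed for the example.

```python
"""Client-side handling of an LDAP dnAttributes match such as (ou:dn:=Retired).

Added example; not from the original question or answers. SAMPLE_ENTRIES is
constructed test data, and the function names here are the author's own.
"""

_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leftmost RDN first, per RFC 4514.

    A backslash escapes the next character; '\\XX' is a hex-encoded UTF-8
    byte. Multi-valued RDNs ('+') are split into separate pairs, which is all
    an attribute-presence check needs.
    """
    pairs, attr, buf, i = [], None, bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in _HEX for c in hexpair):
                buf.append(int(hexpair, 16))        # \2c -> ','
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")    # \, -> ','
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = buf.decode("utf-8").strip(), bytearray()
        elif ch in ",+":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr, buf.decode("utf-8")))
            attr, buf = None, bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    if attr is None:
        raise ValueError("trailing RDN without '=' in %r" % dn)
    pairs.append((attr, buf.decode("utf-8")))
    return pairs


def dn_has_attribute_value(dn, attr_type, value):
    """Client-side equivalent of (attr_type:dn:=value): true if any RDN
    component of the DN has that type and value. 'ou' uses caseIgnoreMatch,
    so both sides are compared case-insensitively."""
    want_t, want_v = attr_type.lower(), value.casefold()
    return any(t.lower() == want_t and v.casefold() == want_v
               for t, v in parse_dn(dn))


def exclude_by_dn_ou(entries, ou_value="Retired"):
    """Post-filter search results as (!(ou:dn:=<ou_value>)) would have."""
    return [e for e in entries
            if not dn_has_attribute_value(e["dn"], "ou", ou_value)]


def escape_filter_value(value):
    """RFC 4515 escaping, so user-supplied text cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def dn_attributes_filter(attr_type, value, negate=False):
    """Build the server-side filter from the answer, e.g. (!(ou:dn:=Retired))."""
    f = "(%s:dn:=%s)" % (attr_type, escape_filter_value(value))
    return "(!%s)" % f if negate else f


def dn_match_leaked(results, attr_type, value):
    """Run this over the result set of a negated :dn: search. If the server
    ignored the dnAttributes flag (Active Directory and Samba, per the answer),
    entries that should have been excluded come back; return them so the
    caller can refuse to trust the filter rather than silently include them."""
    return [e for e in results if dn_has_attribute_value(e["dn"], attr_type, value)]


# Constructed sample data. Entry 3 has 'Retired' in the CN but not in any OU,
# which a naive substring search on the DN string would wrongly exclude.
SAMPLE_ENTRIES = [
    {"dn": "CN=Last\\, First,OU=ou1,OU=retired,OU=ou1,DC=lvl3,DC=lvl2,DC=lvl1",
     "employeeType": "Retired"},
    {"dn": "CN=Doe\\, Jane,OU=ou1,DC=lvl3,DC=lvl2,DC=lvl1",
     "employeeType": "Active"},
    {"dn": "CN=Retired Plan Admin,OU=Finance,DC=lvl3,DC=lvl2,DC=lvl1",
     "employeeType": "Active"},
    {"dn": "CN=Ng\\2c Sam,OU=Retired,DC=lvl3,DC=lvl2,DC=lvl1",
     "employeeType": "Retired"},
]

if __name__ == "__main__":
    print("server filter:", dn_attributes_filter("ou", "Retired", negate=True))
    for e in exclude_by_dn_ou(SAMPLE_ENTRIES):
        print("kept:", e["dn"])
    # Simulate a server that ignored ':dn:' and returned everything.
    print("leaked:", [e["dn"] for e in dn_match_leaked(SAMPLE_ENTRIES, "ou", "Retired")])
```

Whichever server you have, `dn_match_leaked` is the check to run once before relying on `(!(ou:dn:=...))` for anything access-related: if it returns a non-empty list, the server is not evaluating the extension and the negated filter is matching everyone. If the directory already carries an `employeeType` attribute as the second answer suggests, a plain `(employeeType=Active)` filter avoids the whole problem and works on every server.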
