Reputation: 797
I have this LDAP scheme.
dc=company, dc=com
- ou=users
  - uid=aaaa
    - ou=car
      - brand=audi
      - brand=chevrolet
  - uid=bbbb
    - ou=car
      - brand=ford
      - brand=audi
      - brand=chevrolet
  - uid=cccc
    - ou=car
      - brand=ford
      - brand=chevrolet
  - uid=dddd
    - ou=car
      - brand=ford
      - brand=audi
I need to get only users who don't have a Ford car. Is it possible to do it in one request?
Thank you
Upvotes: 0
Views: 35
Reputation: 16572
It's kind of possible if you only need the DNs (and if your exclusion criteria also happens to be based on DNs), but not if you need non-DN attributes.
If all necessary data (both for the child entry you want to exclude, and the user you want to find) is stored in DNs:
(&(objectClass=car)(brand=*)) (requesting no attributes).
If child entries have to be matched by a non-DN attribute, then an additional search to find (brand=ford) entries is needed (and then step 4 is "if childDN is in the badCars set, remove the respective userDN from the goodUsers set").
If you need to retrieve non-DN attributes, then at least one additional search to load users' attributes is needed. With Active Directory you can construct a filter like (|(distinguishedName=DN1)(distinguishedName=DN2)(...)) that lets you retrieve several users by their DN at once.
Upvotes: 1
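One way to carry out the DN-only approach described in the answer above, as an added example that is not part of the original post: it takes the DNs two searches would return, drops every user who owns a matching car entry, and builds the Active Directory-style OR filter with RFC 4515 escaping so DN values cannot alter the filter. All function names are hypothetical, the DNs are constructed from the tree in the question, and the owner DN is assumed to be the car DN minus its first two RDNs.

```python
# Added example (not from the original post). All function names are hypothetical.
# Constructed sample data: DNs as the searches might return them for the tree
# in the question (cars via (&(objectClass=car)(brand=*)), no attributes).
USER_DNS = [f"uid={u},ou=users,dc=company,dc=com" for u in ("aaaa", "bbbb", "cccc", "dddd")]
CARS = {"aaaa": ["audi", "chevrolet"], "bbbb": ["ford", "audi", "chevrolet"],
        "cccc": ["ford", "chevrolet"], "dddd": ["ford", "audi"]}
CAR_DNS = [f"brand={b},ou=car,uid={u},ou=users,dc=company,dc=com"
           for u, brands in CARS.items() for b in brands]

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes are kept)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escaped pair together
            i += 2
        elif dn[i] == ",":
            rdns.append(cur.lstrip())
            cur, i = "", i + 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur.lstrip())
    return rdns

def normalize(dn):
    """Comparison key: no spaces after commas, case-insensitive."""
    return ",".join(split_dn(dn)).lower()

def users_without(brand, user_dns, car_dns):
    """Start with all users, then remove the owner of every matching car DN."""
    good = {normalize(u): u for u in user_dns}
    for car in car_dns:
        rdns = split_dn(car)
        if len(rdns) > 2 and rdns[0].lower() == f"brand={brand}".lower():
            # Assumption: owner DN = car DN minus "brand=...,ou=car".
            good.pop(",".join(rdns[2:]).lower(), None)
    return sorted(good.values())

def escape_filter(value):
    """RFC 4515 escaping for assertion values placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_dn_filter(dns):
    """OR filter that loads several users by DN in one search (AD attribute name)."""
    return "(|" + "".join(f"(distinguishedName={escape_filter(d)})" for d in dns) + ")"

if __name__ == "__main__":
    good = users_without("ford", USER_DNS, CAR_DNS)
    print(good)
    print(build_dn_filter(good))
```
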