Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

LDAP Extensible matching filter [message #161361] Wed, 23 September 2009 15:15
nmaier
Hi,
I have a customer whose AD has a custom schema. They have their users
divided into different OUs based on geographical location. All the OUs
are siblings and under the parent DC=Company,DC=Com. I'm needing to
create a filter that searches only those OUs I care about. And I think
I'm close, this is what I have so far...

(&(ou:dn:=Region1)(objectClass=user))

I'd like to be nearly 100% sure it's the correct filter before I have them
try it. So I've been trying a similar filter on our out-of-the-box AD
setup...

(&(cn:dn:=Users)(objectClass=user))

I'd expect to see all the users in the CN=Users container, but I receive
no entries. I tried this filter as well...

(ou:dn:=Users)

And expected all objects in the CN=Users container, but only received the
below results using ldp.exe:

***Searching...
ldap_search_s(ld, "DC=company,DC=com", 2, "(cn:dn:=Users)", attrList, 0,
&msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
>> Dn: CN=Users,DC=company,DC=com
1> distinguishedName: CN=Users,DC=company,DC=com;
>> Dn: CN=Users,CN=Builtin,DC=company,DC=com
1> distinguishedName: CN=Users,CN=Builtin,DC=company,DC=com;

From my understanding the :dn flag should match all of the Dn's
components, but it only seems to be matching the first.

Thanks for any help,
Nate

Re: LDAP Extensible matching filter [message #161365 is a reply to message #161361] Wed, 23 September 2009 15:28
Joe Kaplan
You can't scope a search to be part of a subtree. You either search the
whole subtree or not.

In terms of filtering, you cannot use a partial match (substring filter
type) on any DN-syntax object. DNs can only be used in filters as exact
matches or for testing presence with =*.

So you probably can't do what you are trying to do the way you are trying
it.

To make something like this work, the only option is to have some attribute
data on each object that you can match to. For example, if you had 3 of 6
branches in a tree that you wanted to find objects under, the objects under
each branch would need an attribute identifying them as part of that branch
(like Region=Region1).

Alternately, you can search each subtree separately and combine the results
on the client.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
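
The second option from the reply above (search each subtree separately and combine the results on the client), as an added example that is not part of the original thread. The in-memory directory, its DNs and the function names are constructed stand-ins; with a real LDAP client, `subtree_search` would issue one subtree-scoped search per base DN with the filter (objectClass=user).

```python
import re

# Constructed sample directory (DN -> attributes); stands in for a real AD.
DIRECTORY = {
    "CN=Ann,OU=Region1,DC=company,DC=com": {"objectClass": "user"},
    "CN=Bob,OU=Sales,OU=Region1,DC=company,DC=com": {"objectClass": "user"},
    "CN=Admins,OU=Region1,DC=company,DC=com": {"objectClass": "group"},
    "CN=Cy,OU=Region2,DC=company,DC=com": {"objectClass": "user"},
    "CN=Di,OU=Region3,DC=company,DC=com": {"objectClass": "user"},
    # Named "Region1" but located under Region3: must not be returned.
    "CN=Region1,OU=Region3,DC=company,DC=com": {"objectClass": "user"},
}

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas.
    Simplified: does not handle an escaped backslash directly before a comma."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    """True if dn is the base itself or sits anywhere beneath it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def subtree_search(base, object_class):
    """Hypothetical stand-in for one subtree-scoped LDAP search from `base`."""
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if is_under(dn, base) and attrs["objectClass"] == object_class]

def search_bases(bases, object_class, search=subtree_search):
    """Run one subtree search per base and merge, de-duplicated by DN."""
    merged = {}
    for base in bases:
        for dn, attrs in search(base, object_class):
            # Overlapping bases return the same entry twice; keep the first.
            merged.setdefault(",".join(rdns(dn)), (dn, attrs))
    return sorted(dn for dn, _ in merged.values())

# The OUs of interest; the second base overlaps the first on purpose.
WANTED = [
    "OU=Region1,DC=company,DC=com",
    "OU=Sales,OU=Region1,DC=company,DC=com",
    "OU=Region2,DC=company,DC=com",
]

if __name__ == "__main__":
    for dn in search_bases(WANTED, "user"):
        print(dn)
```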