ldap


Situation: You have a lot of groups as groupOfNames in your LDAP directory. How do you find all such groups that a known member belongs to?

The groupOfNames object might look similar to this:
dn: cn=TestGroup, o=TestOne, dc=rekk, dc=de
objectClass: dcObject
objectClass: groupOfNames
cn: TestGroup
dc: TestGroup
description: Some test group
member: uid=00001
member: uid=00011
member: uid=schwarz,dc=Test DC,dc=rekk,dc=de

The query would be for uid=schwarz:
(member=uid=schwarz,dc=Test DC,dc=rekk,dc=de)

or, more specifically:
(&(objectclass=groupofnames)(member=uid=schwarz,dc=Test DC,dc=rekk,dc=de))

Also see LDAP Query Adventures.

Today I worked on a Jelly script to import users into Jira. Such a script can be generated automatically with a scripting language of your choice; in my case I am trying Python. The primary source for the user and group data is an organically grown LDAP directory of a public organization.

I had to find out that there is more to LDAP (version 3) queries, or filters (described in RFC 4515), than just the straightforward examples like:
(objectclass=inetorgperson)
- finds all entries with objectClass equal to inetOrgPerson
(cn=*Inter*)
- finds all entries with “Inter” appearing somewhere within the cn (common name) attribute
(!(cn=*Inter*))
- finds all entries without “Inter” appearing somewhere within the cn (common name) attribute
(&(ou=universit*)(l=Berlin))
- finds all entries with ou starting with “universit” AND l equal to Berlin (trying to find universities located in Berlin)
(&(|(ou=universit*)(ou=hochschule*))(l=Berlin))
- now we added an OR ( | ) to the query to find entries whose ou (organizational unit) starts with “universit” or “hochschule”, because “Hochschule” literally means “high school” in German, i.e. “almost” a university

I find it useful to know:
(&(objectClass=inetorgperson)(mail=*))
- finds inetOrgPersons with nonempty mail attribute
(&(objectClass=inetorgperson)(!(mail=*)))
- finds the same but with an empty mail attribute

More complex queries (extensible match search):
(ou:dn:=bibliotheken)
- matches part of a DN (more precisely: treats the attributes that appear in the entry’s DN string as if they were regular attributes of the entry); in this case entries like: dn=…,ou=bibliotheken,dc=mydomain,dc=de
(ou:dn:=bibliotheken*)
- does not work!

General matching rules (see RFC 4517) can be used within the extensible match search. Matching rules are identified by OIDs or names. So:
(uid:2.5.13.5:=John)
is the same as
(uid:caseExactMatch:=John)
And
(uid=John)
the same as
(uid:caseIgnoreMatch:=john)
or
(uid:2.5.13.2:=john)

To escape characters that have a special meaning, use:
‘*’ – \2a, ‘(’ – \28, ‘)’ – \29, ‘\’ – \5c, NUL – \00, ‘/’ – \2f .
(cn=*\2a*)
- finds entries with “cn” attribute containing a value with the character “*” anywhere in it.
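The two pieces above fit together: the membership filter from the first post only stays a membership filter if the member DN is escaped as described here. The following Python is an added example, not code from the post; it uses only the standard library, applies the RFC 4515 escapes, builds the groupOfNames filter, and evaluates it locally over a constructed LDIF sample (the post’s group plus a second one) with a deliberately simplified DN comparison.

```python
# Escape table from RFC 4515 section 3 (the same characters the post lists).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Encode characters that are special inside a filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def groups_for_member(member_dn, object_class="groupOfNames"):
    """The post's filter; the DN is escaped so it cannot change the filter grammar."""
    return "(&(objectClass=%s)(member=%s))" % (object_class, escape_filter_value(member_dn))

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated 'attr: value' lines; no folding/base64."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def normalize_dn(dn):
    """Rough distinguishedNameMatch: case-insensitive, spaces around commas ignored.
    Assumption: no escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()

def find_groups(entries, member_dn):
    """Evaluate (&(objectClass=groupOfNames)(member=<dn>)) over parsed entries."""
    wanted = normalize_dn(member_dn)
    return [e["dn"][0] for e in entries
            if any(oc.casefold() == "groupofnames" for oc in e.get("objectclass", []))
            and any(normalize_dn(m) == wanted for m in e.get("member", []))]

# Constructed sample: the post's group plus a second group without the member.
SAMPLE_LDIF = """dn: cn=TestGroup,o=TestOne,dc=rekk,dc=de
objectClass: groupOfNames
cn: TestGroup
member: uid=00001
member: uid=schwarz,dc=Test DC,dc=rekk,dc=de

dn: cn=OtherGroup,o=TestOne,dc=rekk,dc=de
objectClass: groupOfNames
cn: OtherGroup
member: uid=00011
"""
```

A real server applies distinguishedNameMatch to the member attribute, so comparisons like "dc=Test DC" versus "dc=test dc" match there as they do in normalize_dn above; any value that comes from user input should go through escape_filter_value before it is placed in a filter.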