LDAP: An example of using an extensible match filter to select portions of a distinguished name


LDAP-compliant servers support an extensible-match filter which provides the necessary
filtering. From RFC4511:

If the dnAttributes field is set to TRUE, the match is additionally
applied against all the AttributeValueAssertions in an entry's
distinguished name, and it evaluates to TRUE if there is at least
one attribute or subtype in the distinguished name for which the
filter item evaluates to TRUE.  The dnAttributes field is present
to alleviate the need for multiple versions of generic matching
rules (such as word matching), where one applies to entries and
another applies to entries and DN attributes as well.

For example, I added the following entries to a server:

dn: ou=legacy groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: legacy groups

dn: ou=common groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: common groups

dn: ou=groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=a,ou=common groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: a

dn: cn=b,ou=groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: b

dn: cn=c,ou=legacy groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: c

Examine the filter in the following search after the above entries were added:

ldapsearch --propertiesFilePath ldap-connection.properties \
    --baseDN o=training \
    --searchScope sub '(|(ou:dn:=groups)(ou:dn:=common groups))' 1.1

dn: ou=common groups,o=training

dn: cn=a,ou=common groups,o=training

dn: ou=groups,o=training

dn: cn=b,ou=groups,o=training

Note that ou=common groups, ou=groups, and their subordinates are returned, but not
ou=legacy groups and subordinates.

This example uses the modern syntax of the ldapsearch command line tool. If the user is
utilizing the legacy OpenLDAP version of ldapsearch, the parameters to the command line tool are
somewhat different, but that does not matter. What matters is the filter.

see also

contents of the ldap-connection.properties file

The ldapsearch tool supports the use of the --propertiesFilePath command line option. The file to which the argument refers contains properties, that is, key-value pairs where the key is the long option. An example of this file:

hostname=ldap.example.com
port=10636
useSSL=true
trustAll=true

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in LDAP, UnboundID and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s