I have several entries in my LDAP directory with different object class specified
dn: uid=user1,ou=users,dc=exampleCompany,dc=com
uid: user1
objectClass: user
objectClass: developer
cn: User1 User
dn: uid=user2,ou=users,dc=exampleCompany,dc=com
uid: user2
objectClass: user
objectClass: administrator
cn: User2 User
dn: uid=user3,ou=users,dc=exampleCompany,dc=com
uid: user3
objectClass: user
objectClass: developer
objectClass: administrator
cn: User3 User
dn: uid=user4,ou=users,dc=exampleCompany,dc=com
uid: user4
objectClass: anotherClass
cn: User4 User
I want to query all that don't have objectClass: developer, regardless of other object classes they have.
I tried
ldapsearch -x -b ou=users,dc=exampleCompany,dc=com "(&(objectClass=*)(!(objectClass=developer)))"
but I got
dn: ou=users,dc=exampleCompany,dc=com
objectClass: organizationalUnit
ou: users
# search result
search: 2
result: 0 Success
What would be the correct query?
As you have but without the & and the (objectClass=*) part.
You also need to specify a subtree search.
Related
I have done LDAP setup on ubuntu, using apt install slapd ldap-utils
after doing all setup/configuration, added one test user also and here I get:
$ ldapsearch -x -b "dc=param,dc=co,dc=in"
# extended LDIF
#
# LDAPv3
# base <dc=param,dc=co,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# param.co.in
dn: dc=param,dc=co,dc=in
objectClass: top
objectClass: dcObject
objectClass: organization
o: param
dc: param
# admin, param.co.in
dn: cn=admin,dc=param,dc=co,dc=in
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# testuser, param.co.in
dn: uid=testuser,dc=param,dc=co,dc=in
cn: test
sn: test
mail: testuser#param.co.in
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Now I wanted to add OU with following ou.ldif file:
cn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
cn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
But it is giving no results i.e. no success neither error after adding this file using command:
$ ldapadd -x -W -D "cn=admin,dc=param,dc=co,dc=in" -f ou.ldif
Enter LDAP Password:
$
What wrong thing exactly am i doing here?
change 'cn' to 'dn' for distinguished name. 'cn' is common name which would just be 'people' or 'groups' (except OUs don't need a CN). so it would be:
dn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
Apacheds apacheds-2.0.0.AM26.exe. Importing ldif file with Apache Directory Studio 2.0.0.v20210213-M16
When "objectClass: top" is included in my ldif file I get an invalidAttributeSyntax error. Full error below.
I have deduced that it is the top attribute because all the other attributes show up normally in the log. The top one shows up as objectClass:: dG9wIA==.
If I remove top it works. If I put top back and import again with the update option it works.
Error:
#!RESULT ERROR
#!CONNECTION ldap://myhost:10389
#!DATE 2021-05-27T11:13:27.212
#!ERROR [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST Message ID : 17 Add Request : Entry dn: uid=jsmith,ou=Users, dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: jsmith givenName: Jerry sn: Smith cn: Jerry Smith userPassword: 0x52 0x61 0x74 0x31 0x6F 0x6E 0x61 0x6C : ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax dn: uid=jsmith,ou=Users, dc=example,dc=com changetype: add uid: jsmith givenName: Jerry sn: Smith cn: Jerry Smith objectClass:: dG9wIA== objectClass: person objectClass: organizationalPerson objectClass: inetorgperson userPassword:: UmF0MW9uYWw=
Ldif data:
User:
dn: uid=jsmith,ou=Users,dc=example,dc=com
givenName: Jerry
sn: Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: jsmith
cn: Jerry Smith
userPassword: MyPasswordInClearText
Ldif to create the Group and Users objects which I have tested both as part of the larger ldif file and as two separate imports. This part first then the users second.
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups
dn: ou=Users,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Users
On current setup I have OpenLDAP server on which I had manually added eduPerson schema and from it I can retrieve without any problem attributes like eduPersonPrincipalName, eduPersonPrimaryAffiliation etc.
Now I want to test with 389 Directory Server which from what I have understood it has pre-added eduPerson schema. The problem is that even after I create a user with eduPerson attributes like eduPersonPrincipalName etc, I can not retrieve any attribute value of eduPerson schema. I need it because of SimpleSAMLphp SSO we use. Below is an search example of a user with multiple eduPerson attributes and none of them gets shown:
ldapsearch -x -b "cn=John Doe,ou=people,dc=domain,dc=com" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, domain.com
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationcomPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/user#domain.com
uid: user#domain.com
uidNumber: 10055
description: Authenticated at 2020-04-28 12:27:08.657033
loginShell: /bin/bash
mail: user#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Thank you,
EDIT:
Another example which might help more. Below is a ldif file of a user:
version: 1
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/jdoe#domain.com
sn: Doe
uid: jdoe#domain.com
uidNumber: 10057
carLicense: AA123BB
departmentNumber: IT
eduPersonPrimaryAffiliation: employee
eduPersonPrincipalName: jdoe#domain.com
eduPersonScopedAffiliation: employee#domain.com
employeeNumber: 1234567890
givenName: John
initials: JD
loginShell: /bin/bash
mail: jdoe#domain.com
title: Software Developer
userPassword:: e0NSWVBUfSQ2JG1LcDlHUmRUcENBRVZ1ZkUkc0djRkNsalcyWEVoby9FRlNGS
jhLRXRYR1dmTGFUNXNYUk9BbHFRSHhoWXN4TWlZWEl6SEFCa0U1UzN3cm5uSktMSVAyTlg1d0V5
YXN1U1laNXJocDA=
When I try to search for this user I get only the attributes below:
ldapsearch -x -b "cn=John Doe,ou=people,dc=rash,dc=al" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=rash,dc=al> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, rash.al
dn: cn=John Doe,ou=people,dc=rash,dc=al
objectClass: eduPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jdoe#domain.com
uid: jdoe#domain.com
cn: John Doe
uidNumber: 10057
gidNumber: 10000
mail: jdoe#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.
I am trying to modify uid value in Tivoli directory server using API. Please review the below user structure.
dn: uid=user1,cn=demo,o=evault
uid: user1
userPassword: {AES256}mIJFA1UiEMYP6J2dVt3vcg==
objectclass: top
objectclass: demoObjectClass
objectclass: ePerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: user1
cn: user1
ibm-entryuuid: 134f18c0-b251-1034-8575-a2f4cc94f892
Here i am trying yo change the uid. Is it possible?? Please guide me on this
You must perform a rename on the entry as uid is the "naming attribute".