Regarding LDAP Search Query - ldap

Let's suppose that I want to search a number say 123 and LDAP has entries like 123# or 1-2-3. What should be the LDAP Search filter which needs to be provided? I tried *123* but it doesn't work in case of 1-2-3.

LDAP does not have "entries like 123#", it has entries identified by distinguished names that contain attributes. To search for an an entry that contains a value, you must provide the following parameters to a search request:
base object (distinguished name where the search should commence)
scope - base, one level subordinate to the base, or subtree (all entries subordinate to the base object
filter - an assertion that must evaluate to true in order for the entry to be returned to the client
attributes to return - a list of attributes that the LDAP client desires
If the attribute in question is named number and has a syntax of Integer and a matching rule of IntegerMatch, then the filter (number=123) will find an attribute named number with the integer value of 123. Which filter to use depends on the syntax and matching rule in the attribute type definition because the directory server performs the task of matching attribute values against provided filters with matching rules (as must applications, by the way). Programmers must not consider LDAP attribute values to be "strings", instead they must understand attribute syntaxes and matching rules. There is a DirectoryString syntax (with a very specific definition, though for many purposes it can be considered a garden-variety string) but not all attributes are defined with DirectoryString syntax. Nor do all attributes use the same matching rules and ordering rules.
see also
LDAP: ldapsearch
LDAP: Mastering search filters
LDAP: Programming Practices

Related

Retrieving a JNDI dn with its proper case

I want to retrieve a user DN as stored in the LDAP server, keeping the original characters case. For example, let's assume the DN in my server is "cn=Bob, o=MyOrg". I want to query the server using "cn=bob, o=myorg" and retrieve the original "cn=Bob, o=MyOrg", as a result.
The DirContext.getAttributes(dn) method can return a set of attributes but this does not include the DN itself. On the other hand, DirContext.search() returns a SearchResult that has this information using getNameInNamespace(). Unfortunately, search expressions do not seem to allow search on DN, which is what I have.
I understand that I might achieve this by first retrieving a unique attribute using getAttributes(), and then use this attribute value in search(). But this leads to 2 connections. Plus I need to make sure that I have a unique, not null, attribute I can search() on.
Let me reply to my question with the solution I found.
It involves the search() function, where the name parameter (search context) should be the DN, and the query filter is empty or like (objectClass=*). It then returns one row, corresponding to the DN being searched. The original DN is then available in the SearchResult.
Just do a lookup of the DN. The resulting DirContext should have its getNameInNamespace() in the correct case.
A search will also work but it's less efficient and more code.

Can I configure always to take second `cn` value from multi-valued LDAP attribute?

LDAP can contain multi-valued attributes. For example, cn can be multi-valued attribute. See below LDAP RFC.
My application can process (show) only one cn value.
Will all entries in LDAP have same number of cn attributes?
Can I configure always to take second cn value?
What is a best practice to process multi-valued attributes in LDAP?
https://www.rfc-editor.org/rfc/rfc4519#section-2.3
The 'cn' ('commonName' in X.500) attribute type contains names of an
object. Each name is one value of this multi-valued attribute. If
the object corresponds to a person, it is typically the person's full
name.
Will all entries in LDAP have same number of cn attributes?
No. Well, unless they are specifically added.
BTW: Some LDAP Server Implementations do NOT support multiple Values for cn. Microsoft Active Directory is one of them
Can I configure always to take second cn value?
No. The return order of attributes is not defined within the RFC specifications and therefore is unknown. Some Specific LDAP Server implementations do return multi-valued attributes in a specific order. (Like FIFO or LIFO.
What is a best practice to process multi-valued attributes in LDAP?
Can't say I have ever heard of a best practice. Guess it depends on the task you are trying to perform.

How to retrieve the ou of the group a user belongs to in LDAP

I have a series of users and groups. Users' DNs can be added to the group's uniquemember attribute. How can I query LDAP such that I send a user dn and it returns to me the OU of the group that user belongs to?
I am doing this based on the LDAP at ldap.forumsys.com.
See the screenshot below:
Thanks.
What you want is a pretty common equality match filter, for example:
(uniquemember=uid=einstein,dc=example,dc=com)
Note, that the value is not quoted. You only need to escape / replace special characters (e.g. parenthesis). More information about LDAP filter syntax can be found in RFC 4515.
Also keep in mind that LDAP filters are very simple and provide only simple value matching (this can be confusing to people used to SQL and complex queries with joins, subselects, functions, etc.).

LDAP query to enumerate of all users of the subgroups of a group

This LDAP query successfully enumerates all users within a group:
memberOf=CN=MySubGroup1,OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
The group MyGroup1 has two subgroups: MySubGroup1, MySubGroup2.
In order to get all the users of MyGroup1, I could make a query to get the users of MySubGroup1, another query to get the users of MySubGroup1, and then make the union.
However, I am asking how I can achieve the same results with only one LDAP query,
asking for all the users within MyGroup1 and sub-groups.
Any idea?
There is no such thing as a subgroup, just groups. The correct term is subordinate,
i.e., cn=mysubgroup1 is subordinate to ou=mygroup1, and so forth.
Use the following parameters in an LDAP search request:
base object: OU=MyGroup1,OU=Global Groups,DC=mycompany,DC=com
search scope: sub if there is more than one 'level' beneath ou=mygroup1, one otherwise
filter: (|(cn=mysubgroup1)(cn=mysubgroup2))
requested attribute: whichever multi-valued attribute whose value is the distinguished name
of each member of the group
These search request parameters should result in a search result with two entries, the distinguished
of each entry, and the attributes whose values are the distinguished names of the members of each group.
see also
LDAP: Seach best practices
LDAP: Programming practices
If your server is Microsoft Active Directory then you can use some extended rules. One of those rules does basically what you are looking for. Look at this answer.
Try this:
memberof:1.2.840.113556.1.4.1941:=CN=Some Group,OU=My Organization Unit,DC=company,DC=com
Quoting from that answer:
[...] it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN This rule is limited to filters that apply to the DN. This is a special "extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

Is there a way to search by length in a LDAP query?

In the search window, for the sAMAccountName column, is there a way to filter by exactly 7 characters or is there a function in the search window that allows me to do that?
My coworker and I did try to do a search online but couldn't find anything.
The LDAP search operation requires at least a base object from which to start the search, the scope (or depth) of the search, and a filter which indicates by its truth, falsehood, or undefinedness whether an entry should be returned in the search result. Filters are defined in RFC4511. There is no way to specify the length of an attribute value in a filter. In order to return an attribute value that matches a length, you must store an attribute whose value is the length of the attribute value you desire. For example, if the attribute is cn, an attribute value cn-length could be stored whose value is length of the cn attribute. Modern, professional-quality directory servers will provide virtual attributes which are not stored in the directory database but generated dynamically. Such a virtual attribute hold be created to generate the length.
See Scott Lowe's blog post on using Log Parser to query AD for an example of how you could do this. You could also extract results from an AD query and then feed them into Excel or another tool that has more functions than built into LDAP.