Using DN in Search Filter - ldap

In my LDAP client program I sometimes have to include the DN value within the search filter. But this DN changes frequently and every time I have to change this filter in my code.
When I googled for that I got something like this:
Suppose you want to pull all users of ObjectType = Person from the R&D and HR OUs, but not any users from Marketing and PM. The filter would be:
(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))
Can anybody explain this more in detail?

You should check RFC 2254 (The String Representation of LDAP Search Filters).
LDAP filters use Polish notation for the boolean operators, so the operator is written before its operands:
(&(condition1)(condition2)(condition3)...)
The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.
Then there are the conditions themselves. They are very simple and can be of only a few types:
present condition - (attrName=*)
simple condition - (attrName>=value) / (attrName<=value) / (attrName=value) / (attrName~=value)
substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)
The extensible condition with the :dn: keyword means that you want attributes from the entry's DN to be considered as well. So in your case the entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResources).
Translated into an English sentence, your example filter would be:
Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere on their DN.
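As an added example (not code from the question or this answer), here is a small Python parser and evaluator that mirrors the description above: operators in Polish notation, simple items, and the :dn: extensible match that also inspects the entry's DN. It handles &, |, !, presence, equality and substring items and leaves out >=, <= and ~=; the sample entries are constructed.

```python
import re

def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter at s[i]; return (node, index after it)."""
    i += 1                                     # skip the '(' that opens this component
    if s[i] in "&|!":                          # Polish notation: operator, then operands
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse(s, i)
            kids.append(child)
        return (op, kids), i + 1               # s[i] is the operator's closing ')'
    j = s.index(")", i)                        # simple item: attr=value, value may hold '*'
    attr, value = s[i:j].split("=", 1)
    return ("item", attr, value), j + 1

def dn_values(dn, attr):
    out = []                                   # values of type attr found in the RDNs of dn
    for rdn in re.split(r"(?<!\\),", dn):      # split on unescaped ',' then unescaped '+'
        for ava in re.split(r"(?<!\\)\+", rdn):
            t, v = ava.split("=", 1)
            if t.strip().lower() == attr.lower():
                out.append(v)
    return out

def matches(node, dn, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]}) whose DN is dn."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, dn, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], dn, entry)
    _, attr, value = node
    use_dn = attr.lower().endswith(":dn:")     # extensible match: consult the DN as well
    attr = attr[:-4] if use_dn else attr
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    values += dn_values(dn, attr) if use_dn else []
    if value == "*":                           # presence
        return bool(values)
    pattern = "^" + ".*".join(map(re.escape, value.split("*"))) + "$"  # equality/substring
    return any(re.match(pattern, v, re.I) for v in values)

def search(filter_str, entries):
    node, _ = parse(filter_str)                # entries: (dn, attrs) pairs -> matching DNs
    return [dn for dn, attrs in entries if matches(node, dn, attrs)]

ENTRIES = [  # constructed sample entries, not from any real directory
    ("cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com", {"objectClass": ["person"]}),
    ("cn=Ann Lee,ou=ResearchAndDevelopment,dc=example,dc=com", {"objectClass": ["person"]}),
    ("cn=Bob Ray,ou=Marketing,dc=example,dc=com", {"objectClass": ["person"]}),
    ("cn=printer1,ou=HumanResources,dc=example,dc=com", {"objectClass": ["device"]}),
]
FILTER = "(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))"
```

Running search(FILTER, ENTRIES) returns John Doe and Ann Lee only: the printer sits under HumanResources but fails the objectClass conjunct, and Bob Ray has neither OU in his DN.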

You can put the DN into the base and set the search scope to base.
That is, set the DN value as the base, and set the search scope to base (the search scope is one of base, sub and one).

If you really need to search by the whole DN, you can search with:
(distinguishedName=CN=MyCommonName,OU=SomeEnv,...,DC=SomeDir)

Related

LDAP Filter Syntax Query

What would be the syntax for LDAP for the below scenario:
Where sAMAccountName = GRA-* without $. I want the records which are highlighted in green.
This is my current LDAP filter for your reference:
(&(objectClass=user)sAMAccountName=GRA-*))
Anyone, please help with the correct syntax.
Your filter can work, but you're missing a ( in front of sAMAccountName:
(&(objectClass=user)(sAMAccountName=GRA-*))
But you may be able to do better. If those ones that end in $ are computer objects (which always have sAMAccountNames that end in $, but also have an objectClass of user), then you can make sure you only get user objects by including (objectCategory=person):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*))
If, for whatever reason, those $ objects are actually user accounts, then you can exclude them with (!sAMAccountName=*$):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*)(!sAMAccountName=*$))

user wants to apply a quite complex "User Search Filter" in his LDAP Configuration

The user has to apply a quite complex "User Search Filter" in his LDAP configuration.
The filter is too big and exceeds the 256 allowed characters. Because of the customer's business policy it is not possible to modify the LDAP structure or data. How can we proceed?
Here is a sample of the filter:
(&
(|
(memberOf=CN=Applicazione_DocB_AmmApplicativo,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_AmmPiattaforma,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_ArchFIRead,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_ArchFIWrite,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_AreaFinanza,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_Arm,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_BoGestCanc,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_BoUpdDocum,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_Crif,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_VisualBase,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_VisualEsteso,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
)(|
(userAccountControl=512)
(userAccountControl=544)
(userAccountControl=66048)
)
)
Have the customer create one single group to control access to the application, then they can add all of those groups to that one group. Then you only need to look at that one group. However, you will need to use the LDAP_MATCHING_RULE_IN_CHAIN operator so that it will look at the members of nested groups.
If the name of that new group is Applicazione_DocB, that would look something like this:
(memberOf:1.2.840.113556.1.4.1941:=CN=Applicazione_DocB,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
Your conditions on userAccountControl can also be simplified. That attribute is a bit flag, which means that each bit in the binary value is a flag that means something. Those values are listed in the documentation for userAccountControl. The three conditions you are using are:
512: ADS_UF_NORMAL_ACCOUNT
544: ADS_UF_NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD (password not required)
66048: ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD (password does not expire)
If the intent is to exclude disabled accounts (514: ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE), then you can do that by using the LDAP_MATCHING_RULE_BIT_AND operator to check if the second bit is not set (which indicates a disabled account), like this:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
Putting that all together, you get a query that is less than 256 characters:
(&(memberOf:1.2.840.113556.1.4.1941:=CN=Applicazione_DocB,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)(!userAccountControl:1.2.840.113556.1.4.803:=2))
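As an added example (not from the question or the answer), the following Python models the two AD matching rules used in the shortened filter over a constructed directory, and compares the verdict of the shortened filter with that of the original one for each user. The group and user entries are made up; only the naming follows the question.

```python
ADS_UF_ACCOUNTDISABLE, ADS_UF_PASSWD_NOTREQD = 0x0002, 0x0020      # userAccountControl bits
ADS_UF_NORMAL_ACCOUNT, ADS_UF_DONT_EXPIRE_PASSWD = 0x0200, 0x10000

def bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): all bits of mask set in value."""
    return value & mask == mask

def in_chain(user_dn, group_dn, groups, seen=None):
    """LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941): membership via nested groups."""
    seen = set() if seen is None else seen
    for member in groups.get(group_dn, ()):
        if member == user_dn:
            return True
        if member in groups and member not in seen:   # nested group: descend into it once
            seen.add(member)
            if in_chain(user_dn, member, groups, seen):
                return True
    return False

def short_filter(user_dn, uac, groups, app_group):
    """(&(memberOf:1.2.840.113556.1.4.1941:=app_group)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return in_chain(user_dn, app_group, groups) and not bit_and(uac, ADS_UF_ACCOUNTDISABLE)

def long_filter(user_dn, uac, groups, listed_groups):
    """Original filter: direct member of a listed group, and uac exactly 512, 544 or 66048."""
    return any(user_dn in groups.get(g, ()) for g in listed_groups) and uac in (512, 544, 66048)

# Constructed directory for the demo (made-up entries; names follow the question).
BASE = "OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT"
APP, ARM, CRIF = (f"CN=Applicazione_DocB{sfx},{BASE}" for sfx in ("", "_Arm", "_Crif"))
def user(name):
    return f"CN={name},OU=Users,DC=CBMAIN,DC=CBDOM,DC=IT"
USERS = {
    user("alice"): ADS_UF_NORMAL_ACCOUNT,                                                   # 512
    user("bob"): ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE,                             # 514
    user("carol"): ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,                       # 66048
    user("dave"): ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD | ADS_UF_PASSWD_NOTREQD,  # 66080
}
GROUPS = {APP: [ARM, CRIF], ARM: [user("alice"), user("bob")], CRIF: [user("carol"), user("dave")]}

def compare(name):
    """(short_filter verdict, long_filter verdict) for one constructed user."""
    dn, uac = user(name), USERS[user(name)]
    return short_filter(dn, uac, GROUPS, APP), long_filter(dn, uac, GROUPS, [ARM, CRIF])
```

The two filters agree on alice, bob and carol, but dave (66080, a flag combination the original filter never listed) is admitted by the shortened filter and rejected by the original: the rewrite only checks the disable bit, so confirm that looser flag handling is what the customer wants.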

Axiomatics - condition editor

I have a subject like "accessTo" = ["123", "123-edit"]
and a resource like "interestedId" = "123"
Now I'm trying to write a condition where it checks whether "interestedId" concatenated with "-edit" equals "123-edit" in "AccessTo".
I'm trying to write a rule like this:
anyOfAny_xacml1(function[stringEqual], "accessTo", "interestedId"+"-edit")
It is not allowing me to do this.
Any help is appreciated.
In addition to the answer from Keerthi S ...
If you know there should only be one value of interestedId then you can do this to prevent the indeterminate from happening:
stringBagSize(interestedId) == 1 && anyOfAny(function[stringEqual], accessTo, stringOneAndOnly(interestedId) + "-edit")
If more than one value is present, then evaluation stops before reaching the function that expects only one value. This condition would return false if more than one value is present.
On the other hand if interestedId can have multiple values then this would work:
anyOfAny(function[stringEqual], accessTo, map(function[stringConcatenate],interestedId, "-edit"))
The map function will apply the stringConcatenate function to all values in the bag.
Since Axiomatics products are compliant with the XACML specification, all attributes by default are assumed to contain multiple values (called 'bags').
So if you would like to append a string to an attribute, use the stringOneAndOnly XACML function on the attribute to indicate that it can have only one value.
So assuming you mean accessTo has the attribute ID Attributes.access_subject.subject_id, interestedId has the attribute ID Attributes.resource.resource_id, and anyOfAny_xacml1 is equivalent to the anyOfAny XACML function, the resulting condition would look like:
anyOfAny(function[stringEqual], Attributes.access_subject.subject_id, stringOneAndOnly(Attributes.resource.resource_id) + "-edit")

ldap search with special character('+') returns null

I want to search a particular ldap-node within groups by unique-member attribute.
Something like:
search_filter = "uniqueMember=mail='testuser.+abc#abc.com',ou=people,dc=myorg,dc=com"
When I search with this filter using
conn.search_s(node_dn, ldap.SCOPE_BASE, search_filter, [])
it returns {'info': '', 'desc': 'Bad search filter'}.
Whereas a similar search_filter without '+'
search_filter = "uniqueMember=mail='testuser.abc#abc.com',ou=people,dc=myorg,dc=com"
returns the desired output.
I've tried escaping in all possible ways, like:
a. uniqueMember=mail='testuser.\+abc#abc.com',ou=people,dc=myorg,dc=com
b. uniqueMember=mail='testuser.\\+abc#abc.com',ou=people,dc=myorg,dc=com
c. uniqueMember=mail='testuser.\2Babc#abc.com',ou=people,dc=myorg,dc=com
d. uniqueMember=mail='testuser.\\2Babc#abc.com',ou=people,dc=myorg,dc=com
I tried '\2B' as this is how I could see uniqueMember attribute in apache-directory studio.
I'm using python-ldap 2.2.0 with port389.
Is there anything I'm missing while configuring port389? Please help.
The plus sign + indicates that the RDN is multi-valued.
See also:
LDAP: Search Best Practices

LDAP query on a OU with * in the title. How?

I believe I'm having difficulties with a * character being in my OU when I'm doing a search. The OU group is called WorldWide Offices.
I have a looping query that returns all the users who are in a given group. So I type in a group name, and this brings me back a group. Then I loop through the group.members.
These members will either be a user or another group. So if it's not a user I would then loop through again to check if it's a group. The members of the group are always the DistinguishedName, and that's all I have to search on.
I currently have a user with the DistinguishedName
CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=Worldwide Offices,DC=OurDomain,DC=LOCAL.
I'm using a DirectorySearcher and my filter is
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=*Worldwide Offices*,DC=OurDomain,DC=LOCAL))";
As you can see, I think the fact that our OU has * in its title is the reason why it doesn't find the user. Any other OU that doesn't have a * in it seems to work, which is why I believe the * is the problem.
Does anyone have any idea how to get around the * problem, apart from renaming the OU?
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\2aWorldwide Offices\2a,DC=OurDomain,DC=LOCAL))";
A * must be escaped as \2a - please see MSDN "Search Filter Syntax":
If any of the following special characters must appear in the search filter as literals, they must be replaced by the listed escape sequence.
* => \2a
( => \28
) => \29
\ => \5c
NUL => \00
/ => \2f
Simply escaping it with a \ should work too:
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\*Worldwide Offices\*,DC=OurDomain,DC=LOCAL))";
The wildcard only works if the attribute type is some string type (octet string, unicode string). If you use * against an attribute like givenName or displayName, then the wildcards will be honored. But the distinguished name is of type "Distinguished Name", hence the substring match won't be turned on by the server.
If you use * against objectCategory, dn, distinguishedName, ... you can see the wildcard not working.
Your logic needs to be changed.
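Both the '+' question and this '*' question come down to the same layering, so here is one added Python example (not code from either thread) that applies it: a DN-valued assertion is first escaped as a DN (RFC 4514, where '+' and ',' are special) and the resulting string is then escaped again as a filter assertion value (RFC 4515, where '*', parentheses and backslash are special). The strict RFC form therefore also turns the backslash of CN=Smith\, into \5c, which the filters above leave as-is; the constants at the bottom rebuild both threads' filters from the raw values, plus a constructed injection-shaped value to show that escaping keeps it a literal.

```python
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = set(',+"\\<>;')                      # RFC 4514 characters needing a backslash

def escape_filter_value(value):
    """RFC 4515: turn value into a literal assertion value (no wildcard, no injected items)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_rdn_value(value):
    """RFC 4514: escape one attribute value for use inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)                  # leading space/'#' and trailing space too
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)

def build_dn(*rdns):
    """rdns: (type, raw value) pairs, most specific first; returns the RFC 4514 string."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)

def dn_equality_filter(attr, dn):
    """Equality item whose assertion value is a whole DN: the DN string is escaped again."""
    return f"({attr}={escape_filter_value(dn)})"

# The two cases from the questions above, built from the raw values the posters gave.
PLUS_DN = build_dn(("mail", "testuser.+abc#abc.com"), ("ou", "people"), ("dc", "myorg"), ("dc", "com"))
PLUS_FILTER = dn_equality_filter("uniqueMember", PLUS_DN)
STAR_DN = build_dn(("CN", "Smith, John a."), ("OU", "Laptop"), ("OU", "Users"), ("OU", "London DC"),
                   ("OU", "UK"), ("OU", "*Worldwide Offices*"), ("DC", "OurDomain"), ("DC", "LOCAL"))
STAR_FILTER = dn_equality_filter("distinguishedName", STAR_DN)
# Constructed hostile input: once escaped it cannot add filter items or widen the match.
INJECTION_ATTEMPT = escape_filter_value("*)(objectClass=*")
```

PLUS_FILTER comes out as (uniqueMember=mail=testuser.\5c+abc#abc.com,ou=people,dc=myorg,dc=com): the DN-level \+ keeps the RDN single-valued and the filter-level \5c keeps that backslash literal, which none of the attempts (a) to (d) in the '+' question produce.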