Menu
I have searched on this topic, but all I find are filters that return entries where a certain attribute is not present, like:
(!(manager=*))
However, I want to find entries where the attribute is present, but has a null value (i.e. an empty/blank string). Can I do this using an LDAP filter, and if so, how?
EDIT:
Just to confirm, the above filter finds entries without the attribute, but not where the attribute is empty (null string).
Is this dependent on the LDAP implementation or what?
442
You can specify search filters on the ldapsearch command line, or you can specify them in a file and use the ldapsearch parameter -f to refer to the file. If you use a file, specify each search filter on a separate line.
LDAP filter used to search for users according a search criteria. Searches for users can be done using the user-search command or in the web administration console. $ SEARCH_STRING is the place holder for the search criteria. User ID Attributes. ldap.userid.attributes.
The easiest way to search LDAP is to use ldapsearch with the “-x” option for simple authentication and specify the search base with “-b”. If you are not running the search directly on the LDAP server, you will have to specify the host with the “-H” option.
Subtree. A subtree search (or a deep search) includes all child objects as well as the base object. You can request the LDAP provider to chase referrals to other LDAP directory services, including other directory domains or forests.
From LDAP, there is not a query method to determine an empty string.
The best practice would be to scrub your data inputs to LDAP as an empty or null value in LDAP is no value at all.
To determine this you would need to query for all with a value (manager=*) and then use code to determine the ones that were a "space" or null value.
And as Terry said, storing an empty or null value in an attribute of DN syntax is wrong.
Some LDAP server implementations will not permit entering a DN where the DN entry does not exist.
Perhaps, you could, if your DN's are consistent, use something like:
(&(!(manager=cn*))(manager=*))
This should return any value of manager where there was a value for manager and it did not start with "cn".
However, some LDAP implementations will not allow sub-string searches on DN syntax attributes.
-jim
97
Search for a null value by using \00
For example:
ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme 'manager=\00' uid manager
Make sure if you use the null value on the command line to use quotes around it to prevent the OS shell from sending a null character to LDAP. For example, this won't work:
ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme manager=\00 uid manager
There are various sites that reference this, along with other special characters. Example:
39
This article http://technet.microsoft.com/en-us/library/ee198810.aspx led me to the solution. The only change is the placement of the exclamation mark.
(!manager=*)
It seems to be working just as wanted.
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
