Maybe someone can point out that I'm being a complete idiot.
I've got a custom LDAP schema ( see below ) that defines 2 attributes, namely "clientAccountEnabled" and "clientDownloadsAvailable". Their syntax is defined by the LDAP schema for Boolean and Int values. I'm also making use of a "dead-space" OID of 1.1.x until the enterprise allocation goes through. The objectClass of "clientAccount" enforces that both fields must exist in any object of this type.
I've got a few objects which have the objectType of clientAccount ( example below ).
The problem I'm running into is that any filtering I do with these fields doesn't work. Only testing that the fields exists seems to work.
1. '(&(uid=robert)(objectClass=clientAccount))' - works
2. '(&(uid=robert)(objectClass=clientAccount)(clientAccountEnabled=*))' - works ( tests if the field exists )
3. '(&(uid=robert)(objectClass=clientAccount)(clientAccountEnabled=TRUE))' - Fails
4. '(&(uid=robert)(objectClass=clientAccount)(!(clientAccountEnabled=TRUE)))' - Fails
Obviously 3 and 4 should be mutually exclusive, but nothing shows up. I've checked that the field types ( 1.3.6.1.4.1.1466.115.121.1.7 and 1.3.6.1.4.1.1446.115.121.1.27 ) are valid, as setting them to another type fails with syntax errors.
Any thoughts or suggestions would be much appreciated. I've been banging my head against the wall for a couple of hours now.
Rob
Schema:
dn: cn={4}client,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}client
olcAttributeTypes: {0}( 1.1.1.1 NAME 'clientAccountEnabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.1.1.2 NAME 'clientDownloadsAvailable' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.1.2.1 NAME 'clientAccount' DESC 'A Client Account' SUP top AUXILIARY MUST ( uid $ clientAccountEnabled $ clientDownloadsAvailable ) )
LDAP Object with objectClass=clientAccount:
# robert, people, younessleeptechnologies.com
dn: uid=robert,ou=people,dc=younessleeptechnologies,dc=com
uid: robert
uidNumber: 20000
gidNumber: 20000
cn: robert
sn: robert
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: clientAccount
loginShell: /bin/sh
homeDirectory: /home/robert
clientDownloadsAvailable: 10
clientAccountEnabled: TRUE
Have you tried these filter variants?
clientAccountEnabled=1
clientAccountEnabled=0
&(clientAccountEnabled)
&(!clientAccountEnabled)
K.
Try variants of:
(&(&(uid=robert)(objectClass=clientAccount))(clientAccountEnabled=TRUE))
The & operator is dyadic and the previous queries were triadic, so factor out into two dyadic operations. Try the Boolean filter on its own to validate that component, then combine after.
Either that or your ldap filter implementation isn't equating TRUE with the Boolean oid type. Check for string issues like spaces or non-printables? (guessing at this point)
On 12-07-17 02:57 PM, Sean Cody wrote:
> K.
> Try variants of:
> (&(&(uid=robert)(objectClass=clientAccount))(clientAccountEnabled=TRUE))
> The & operator is dyadic and the previous queries were triadic, so factor out into two dyadic operations. Try the Boolean filter on its own to validate that component, then combine after.
> Either that or your ldap filter implementation isn't equating TRUE with the Boolean oid type. Check for string issues like spaces or non-printables? (guessing at this point)
'(&(objectClass=clientAccount)(clientAccountEnabled=TRUE))' - fails
'(&(objectClass=clientAccount))' - works.
Also tried the nested diadic filter above.
I don't think string issues and/or spacing are the problem - I wasn't able to set the clientAccountEnabled field to anything but "TRUE" or "FALSE". Syntax errors occurred as soon as I tried to set it to anything other than those.
It must be that the boolean OID type isn't being matched by the ldapsearch. Gah.
Rob
For those interested, after a little bit of thought I found the issue.
I took a look at what "uidNumber" and "gidNumber" were defined as, as their schemas are also in the LDAP tree.
In my schema I was missing one key thing. The EQUALITY field.
Specifically, the schema should have been defined as this:
# {4}client, schema, config
dn: cn={4}client,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}client
olcAttributeTypes: {0}( 1.1.1.1 NAME 'clientAccountEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.1.1.2 NAME 'clientDownloadsAvailable' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.1.2.1 NAME 'clientAccount' DESC 'A Client Account' SUP top AUXILIARY MUST ( uid $ clientAccountEnabled $ clientDownloadsAvailable ) )
All the best, Rob
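The root cause in this thread (an attribute type with a SYNTAX but no EQUALITY matching rule, so equality filters such as (clientAccountEnabled=TRUE) never match while presence filters do) is easy to catch before a schema is loaded. The following Python script is an added example, not code from the thread or from OpenLDAP: it parses olcAttributeTypes-style definitions and reports every attribute that lacks an EQUALITY rule, suggesting the matching rule normally paired with that syntax. The sample definitions are the broken and corrected ones from the thread, embedded as constructed input; the SUGGESTED_EQUALITY table and the lint logic are this example's own, and an attribute that inherits from a supertype via SUP is assumed to inherit its matching rules and is not flagged. This matters beyond search convenience: an application that gates access on a filter like (clientAccountEnabled=TRUE) silently gets no results, and whether that fails open or closed depends on the caller.

```python
import re

# Constructed sample input: the original and corrected attribute type
# definitions from the thread, with the LDIF line-wrap artifacts removed.
BROKEN_SCHEMA = [
    "( 1.1.1.1 NAME 'clientAccountEnabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )",
    "( 1.1.1.2 NAME 'clientDownloadsAvailable' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
]
FIXED_SCHEMA = [
    "( 1.1.1.1 NAME 'clientAccountEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )",
    "( 1.1.1.2 NAME 'clientDownloadsAvailable' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
]

# Syntax OID -> matching rule normally paired with it (RFC 4517 names).
# This table is an assumption of the example, not an exhaustive list.
SUGGESTED_EQUALITY = {
    "1.3.6.1.4.1.1466.115.121.1.7": "booleanMatch",     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.27": "integerMatch",    # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.15": "caseIgnoreMatch", # Directory String
}

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')")
_EQUALITY_RE = re.compile(r"\bEQUALITY\s+(\S+)")
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")
_SUP_RE = re.compile(r"\bSUP\s+(\S+)")


def parse_attribute_type(definition):
    """Extract the fields that decide how an attribute can be filtered."""
    # cn=config values carry an ordering prefix such as "{0}"; drop it.
    definition = re.sub(r"^\{\d+\}", "", definition.strip())
    oid = _OID_RE.search(definition)
    name = _NAME_RE.search(definition)
    if not (oid and name):
        raise ValueError("not an attribute type definition: %r" % definition)
    equality = _EQUALITY_RE.search(definition)
    syntax = _SYNTAX_RE.search(definition)
    sup = _SUP_RE.search(definition)
    return {
        "oid": oid.group(1),
        "name": name.group(1) or name.group(2),
        "equality": equality.group(1) if equality else None,
        "syntax": syntax.group(1) if syntax else None,
        "sup": sup.group(1) if sup else None,
        "single_value": "SINGLE-VALUE" in definition,
    }


def lint_schema(definitions):
    """Return one warning string per attribute that cannot be used in an
    equality filter because it declares no EQUALITY rule of its own."""
    warnings = []
    for definition in definitions:
        attr = parse_attribute_type(definition)
        if attr["equality"] is not None:
            continue
        if attr["sup"] is not None:
            # Assumption: matching rules are inherited from the supertype.
            continue
        hint = SUGGESTED_EQUALITY.get(attr["syntax"], "<matching rule for this syntax>")
        warnings.append(
            "%s (%s): no EQUALITY rule, so (%s=value) filters will not match; "
            "only the presence filter (%s=*) works. Suggest: EQUALITY %s"
            % (attr["name"], attr["oid"], attr["name"], attr["name"], hint)
        )
    return warnings


if __name__ == "__main__":
    for label, schema in (("original", BROKEN_SCHEMA), ("corrected", FIXED_SCHEMA)):
        print("%s schema:" % label)
        for w in lint_schema(schema) or ["  no problems found"]:
            print("  " + w)
```

Run it as-is to see the two warnings for the original schema and none for the corrected one; to check a live server's schema, feed it the olcAttributeTypes values read from cn=schema,cn=config (the "{n}" prefix is stripped automatically).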