I'm trying to search an LDAP server for all items with exactly the attributes specified.
The LDAP schema I'm dealing with records user roles by:
- creating an object type that may contain any of several attributes (the roles), and
- setting each role's value to be the same as its name
The attributes do not share a common base type, and the objectclass ("roleuser") contains other attributes that are not roles. Roles are distinguished by attribute names that end in "Role". (Yuck.)
Example. A user's object types would include object type roleuser, and might have the following attribute=value pairs:

cn=userX
objectclass=roleuser,...
managerrole=managerrole
clerkrole=clerkrole

cn=userY
objectclass=roleuser,...
managerrole=managerrole

cn=userZ
objectclass=roleuser,...
clerkrole=clerkrole
I'm able to look up clerks, and managers, and manager clerks. But when I look up clerks (with (&(clerkrole=*)(objectclass=roleuser))), I get back both users with role clerk (userZ) and those with roles manager and clerk (userX).
I could specify (&(clerkrole=*)(!(managerrole=*))(objectclass=roleuser)) to get clerks who are not managers. But that would require me to list (and negate) all possible other roles.
For various reasons, I don't want my application to have to know all possible roles, as these may change more quickly than my application will.
So. Is there a way to query the schema for all attributes that are in roleuser and are named *role, so that I could dynamically specify (and negate) all other roles?
Or is there a way to query for (clerkrole=*) and no other attribute named *role exists on that roleuser?
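The approach the question is circling, worked through as an added example (not code from the question or any answer): read the roleuser definition from the server's subschema subentry (its objectClasses attribute, in the RFC 4512 syntax), pick out the MUST/MAY attributes whose names end in "role", and build the presence/negated-presence filter from that list. The schema definitions below are constructed stand-ins for what the server would return (the roleuser OID is made up), so the block runs offline; in a real deployment the strings would come from a base-scope search of the subschemaSubentry DN. The script also checks the resulting filter's semantics against the three users from the question.

```python
import re

# Constructed sample of the "objectClasses" values a subschema subentry might hold.
# The roleuser OID (1.3.6.1.4.1.99999.1.1) is a placeholder, not a registered OID.
SAMPLE_OBJECTCLASSES = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'roleuser' DESC 'constructed example' SUP top AUXILIARY "
    "MAY ( managerRole $ clerkRole $ auditorRole $ department $ mail ) )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber ) )",
]

# Constructed in-memory stand-in for the three entries in the question:
# cn -> set of lower-cased attribute names present on the entry.
SAMPLE_ENTRIES = {
    "userX": {"managerrole", "clerkrole"},
    "userY": {"managerrole"},
    "userZ": {"clerkrole"},
}


def parse_objectclass(definition):
    """Return (name, MUST list, MAY list) from an RFC 4512 objectClass definition."""
    name_m = re.search(r"NAME\s+(?:'([^']+)'|\(\s*'([^']+)')", definition)
    name = (name_m.group(1) or name_m.group(2)).lower() if name_m else None

    def attrs(keyword):
        # Either "KEYWORD ( a $ b $ c )" or "KEYWORD a" (single attribute, no parens).
        m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*?)\s*\)|([\w;-]+))", definition)
        if not m:
            return []
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return [a.strip() for a in body.split("$") if a.strip()]

    return name, attrs("MUST"), attrs("MAY")


def role_attributes(objectclasses, class_name="roleuser", suffix="role"):
    """Role attributes allowed by class_name: those whose names end in suffix."""
    for definition in objectclasses:
        name, must, may = parse_objectclass(definition)
        if name == class_name.lower():
            return sorted(a for a in must + may if a.lower().endswith(suffix))
    raise LookupError(f"objectClass {class_name!r} not found in schema")


def exact_role_filter(wanted_roles, all_roles, class_name="roleuser"):
    """Filter matching entries that carry exactly wanted_roles and no other schema role.

    Only attribute names taken from the schema ever reach the filter string, so a
    caller-supplied role name that is not in the schema is rejected instead of
    being interpolated (which also closes off LDAP filter injection here).
    """
    wanted = {r.lower() for r in wanted_roles}
    known = {r.lower(): r for r in all_roles}
    unknown = wanted - known.keys()
    if unknown:
        raise ValueError(f"roles not in schema: {sorted(unknown)}")
    clauses = [f"(objectClass={class_name})"]
    for key in sorted(known):
        if key in wanted:
            clauses.append(f"({known[key]}=*)")       # must be present
        else:
            clauses.append(f"(!({known[key]}=*))")    # must be absent
    return "(&" + "".join(clauses) + ")"


def users_with_exactly(wanted_roles, all_roles, entries=SAMPLE_ENTRIES):
    """Evaluate the same semantics as exact_role_filter over in-memory entries."""
    wanted = {r.lower() for r in wanted_roles}
    roles = {r.lower() for r in all_roles}
    return sorted(cn for cn, attrs in entries.items() if (attrs & roles) == wanted)


if __name__ == "__main__":
    roles = role_attributes(SAMPLE_OBJECTCLASSES)
    print("role attributes from schema:", roles)
    print("filter for exactly clerk:", exact_role_filter(["clerkRole"], roles))
    print("entries matching exactly clerk:", users_with_exactly(["clerkrole"], roles))
```

Because the role list is rebuilt from the schema on each run, a newly added role attribute is negated automatically the next time the filter is generated, which is the property the question asks for. Note that presence filters on attributes the server does not index can be slow on large directories, so a role list that grows long is worth checking against the server's index configuration.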