tags:

views:

177

answers:

2
Q: 

LDAP query on a OU with * in the title. How?

Hi, I'm having difficults I believe with a * character being in my OU when I'm doing a search. The OU group is called WorldWide Offices.

I have a looping query that returns all the users who are in a given group. So I type in a group name, and this brings me back a group. Then I loop through the group.members.

These members will either be a user or another group. So if it's not a user I would then loop through again to check if it's a group. The members of the group are always the DistinguishedName, and that's all I have to search on.

I'm having a current user with the DistinguishedName as CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=Worldwide Offices,DC=OurDomain,DC=LOCAL.

I'm doing a DirectorySearcher and my filter is

Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=*Worldwide Offices*,DC=OurDomain,DC=LOCAL))

As you can see, I think the fact that our OU has * in it's title is the reason why it doesn't find the user. Any other OU that doesn't have a * in it seems to work. Which is why I believe the * is the problem.

Does anyone have any idea how to get around the * problem, apart from renaming the OU?

A:  
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\2aWorldwide Offices\2a,DC=OurDomain,DC=LOCAL))

A * must be escaped with a \2a - please see MSDN "Search Filter Syntax":

If any of the following special characters must appear in the search filter as literals, they must be replaced by the listed escape sequence.

* => \2a
( => \28
) => \29
\ => \5c
NUL => \00
/ => \2f

Simply escaping it with a \ should work too:

Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\*Worldwide Offices\*,DC=OurDomain,DC=LOCAL))
Stefan Gehrig  2010-04-15 10:22:42
+1  A: 

The wild card only work if the attribute type is some string type. (octet string, unicode string). if you use * agains the attribute like givenName, displayName then the wild cards will be honored. But the distinguished name is of type "Distinguished Name", hence the substring match wont be turned on by the server.

if you use * against objectcategory, dn, distinguishedname... you can see the wildcard not working.

Your logic need to be changed.

kalyan  2010-04-15 11:23:12

related questions

ejabberd - LDAP authentication
Check LDAP connection (Java)
Different spring XML files for development environment vs. deployment when using maven
How do I add custom properties to an AD group in Windows?
How to use client certificates in Apache httpd to connect to an LDAP for authorization?
Getting all direct Reports from Active Directory
Implementing LDAP compliance
Updating OpenLDAP using a Java class
bind Linux to Active Directory using kerberos
I want to use an LDAP client here at work to talk to Active Directory. How can I discover on my own the IP I should be aiming at?
Authenticating in PHP using LDAP through Active Directory
How can I configure Microsoft ADAM to be similar to Active Directory?
LDAP entire subtree copy
App to Change Ldap Password for a JIRA/SVN server
Authenticating against active directory using python + ldap
Example client implementation for the Service Location Protocol?
How can you find available ldap servers from a computer in the same network, but different domain?
How to connect to LDAP store with VB6
VB.Net "There is a naming violation" Error with open ldap for creating user
Querying Active Directory with "SQL"?
Is there an ldap C/C++ library that provides fail over?
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Mail Storage Quota Checker in C#