I am using Ruby's net/ldap library for this problem, but in reality the driver language shouldn't really matter. I need to find a way to be able to get all the users from a system and find out which users do not have emails assigned to the account. Is it possible?

I can connect to and even create new records through LDAP, and can return queries by using wildcard entries to filter results.

Given I create a filter to find the cn that begins with three 9's:

  filter = Net::LDAP::Filter.eq("cn", "999*")
  @connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz", 
                     :filter  => filter)

Then my result count might be 42.

Given I create the same filter but request only one nine, the query fails and returns false:

  filter = Net::LDAP::Filter.eq("cn", "9*")
  @connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz", 
                     :filter  => filter)

And this is the same if I request just "cn", "*", which to me should say "give me all the cn's out there."

A: 

So the short answer to the question is that it all depends on how your schema is set up. If you are setting up an LDAP schema, you need to have several groups of records with various cn (common name) identifiers, e.g. cn=activeUsers and cn=inactiveUsers, which will allow you to query down the list much deeper than in my situation.

Jed Schneider
A: 

I think that you have an issue with time limit set on search operations at the LDAP server.

If you have a really big search that takes much time, the LDAP server returns an error 'Time limit exceeded' and no data.

Ruby-Ldap in such a case raises an exception LDAP::ResultError. I don't know how Net-Ldap behaves however.

Try to raise the time limit at your LDAP server or use a tighter search filter such as '(&(cn=9*)(active=TRUE))'. Substitute here 'active=TRUE' with your criteria for active users.

erthad
I would agree with you, except the difference between the data returns should be about 18 entries, and the database I was using was a subset of the real database with only a few hundred records. I definitely think in my case it was a schema issue.
Jed Schneider
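
An added example, not part of the question or of either answer: a filter for entries that have no `mail` attribute, and a check of the server's result code when a search comes back false, as the time-limit answer suggests. The helper names, the `person` object class, the `dc=foo,dc=bar,dc=biz` base and the stub connection are assumptions made for illustration.

```ruby
# Added example; the connection is duck-typed so the stub below works offline.
# Assumption: with the real gem, Net::LDAP#search also accepts a filter string.

# RFC 4511 result codes that mean the server cut the search short.
LIMIT_CODES = {
  3  => "timeLimitExceeded: raise the server time limit or narrow the filter",
  4  => "sizeLimitExceeded: page the search or narrow the filter",
  11 => "adminLimitExceeded: an administrative limit stopped the search"
}.freeze

# Escape a value for use inside a filter (RFC 4515), so that supplied
# input cannot add wildcards or extra clauses to the query.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# Filter for entries of object_class that have no value for attr at all.
def missing_attr_filter(object_class, attr)
  raise ArgumentError, "bad attribute name" unless attr.to_s.match?(/\A[A-Za-z][A-Za-z0-9-]*\z/)
  "(&(objectClass=#{escape_filter_value(object_class)})(!(#{attr}=*)))"
end

# Returns [entries, nil] on success or [nil, reason] when the search failed.
def users_without(conn, base, attr, object_class: "person")
  filter = missing_attr_filter(object_class, attr)
  entries = conn.search(base: base, filter: filter, attributes: ["cn"])
  return [entries, nil] if entries # [] (no matches) is truthy in Ruby
  result = conn.get_operation_result
  [nil, LIMIT_CODES.fetch(result.code, "code #{result.code}: #{result.message}")]
end

# Constructed stand-in for a directory connection, for offline runs.
StubResult = Struct.new(:code, :message)
class StubConn
  def initialize(entries, code)
    @entries = entries
    @code = code
  end

  def search(_args = {})
    @code.zero? ? @entries : false
  end

  def get_operation_result
    StubResult.new(@code, "stub")
  end
end

p users_without(StubConn.new(nil, 3), "dc=foo,dc=bar,dc=biz", "mail") if __FILE__ == $PROGRAM_NAME
```
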