Operational attributes in searches

Home Forums ForgeRock Products Directory Services Operational attributes in searches

Learn more about our upcoming Identity Summits

Tagged: ,

This topic contains 4 replies, has 3 voices, and was last updated by  Ludo 10 months, 1 week ago.

  • Author
    Posts
  • September 11, 2018 at 10:57 pm #23172
     pos 
    Participant

    Hi

    I want to do certain searches including operational attributes. These searches will be manual and just few times a month.

    If I run a test search similar to this as Directory Manager…
    ‘(&(cn=*)(objectclass=inetorgperson)(ismemberof=*test*))’ cn givenname sn ismemberof
    I don’t get any users…

    If I remove the ismemberof part in the *and* filter I get the user objects to pic attributes from. The purpose was to only return the user objects that is member of groups that has “test” in the dn.

    Is it not possible to include ismemberof in search filters?

    Testing on OpenDJ 2.6

    Tnx
    /Peo

    September 12, 2018 at 1:00 am #23175
     Bill Nelson 
    Participant

    ForgeRock had some bugs in OpenDJ 2.6 pertaining to searches involving virtual attributes (i.e. ismemberof). I am not saying this is the one you are running into, but check out OPENDJ-4557 and look for other possible bugs that may be related.

    Keep in mind that ismemberof is a virtual attribute that is dynamically created upon group membership. It is not not persisted in the database. Searching on virtual attributes can be an expensive operation at times so use with care.

    Now, having said that, have you tried various combinations of search filters, such as:

    (ismemberof=cn=my group,ou=groups,dc=example,dc=com) – focus on one group to see how that behaves

    or

    (ismemberof=*group*) – without any of the additional “and” filters?

    September 12, 2018 at 10:05 am #23177
     Ludo 
    Moderator

    It is possible to use isMemberOf in the filter, but isMemberOf has a syntax of a Distinguished Name (DN) and in the LDAP Specifications, there is no such thing as a DN subStringMatching rule.
    So the search is undefined as will return no entry.

    September 12, 2018 at 10:16 am #23178
     pos 
    Participant

    Ahhh

    Should I interpret you as it is not possible to use any type of wildcard match with this then? Any other ideas around this?

    It will not suite my needs if I have to specify a complete DN in the ismemberof value in the filter. Then I have to do an export a wider search and mangle it with sed or perl…

    /Peo

    September 12, 2018 at 10:41 am #23179
     Ludo 
    Moderator

    Yes, it is not possible to match DN with wild cards (in fact Substring match).
    The isMemberOf is a DN to avoid ambiguity with 2 groups having the same “common name” but stored in different suffixes.

  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?