Why is this not working?
Serge A. Ribalchenko
Im trying to get a list of available entries from ldap by simple filter:
attribute cn must be less than 1000 and greater than 500. According to
Net::LDAP documentation this could be done like this:
001: #!/usr/bin/env perl
002:
003:
004: use strict;
005: use warnings;
006:
007: use Net::LDAP;
008:
009: my $ldap = Net::LDAP->new('192.168.9.111');
010: my $mesg = $ldap->bind('cn=root,dc=lomonosov,dc=parallel,dc=ru',
password => 'rootpw');
011:
012: $|=1;
013:
014: print "Searching for uids less than 1000 and gt 500... ";
015:
016: $mesg =
017: $ldap->search(
018: base => "ou=slurm,dc=lomonosov,dc=parallel,dc=ru",
019: filter => "&(cn<=1000)(cn>=500)"
020: );
021:
022: $mesg->code && die $mesg->error;
023:
024: print "Ok\nFound: ";
025:
026: print join ", ", map $_->get_value("cn"), $mesg->entries;
But it produces:
001: Searching for uids less than 1000 and gt 500... Ok
002: Found:
I know that there is a two hundred or so entries in ldap for this
request,
001: fisher% ldapsearch -h 192.168.9.111 -D
"cn=root,dc=lomonosov,dc=parallel,dc=ru" -w "rootpw" -b
"ou=slurm,dc=lomonosov,dc=parallel,dc=ru" "&(cn>600)(cn<1000)" |tail -3
002:
003: # numResponses: 145
004: # numEntries: 144
In fact, the problem experienced on a simple filters with 'less than' or
'greater than' comparisions; complex search filters like
'|(cn=527)(cn=528)' works just fine. What am I doing wrong? How can I
get a list of entries with said filter?
--
Serge A. Ribalchenko <val...@gmail.com>
Andrej
> 016: $mesg =
> 017: $ldap->search(
> 018: base => "ou=slurm,dc=lomonosov,dc=parallel,dc=ru",
> 019: filter => "&(cn<=1000)(cn>=500)"
> 020: );
> In fact, the problem experienced on a simple filters with 'less than' or
> 'greater than' comparisions; complex search filters like
> '|(cn=527)(cn=528)' works just fine. What am I doing wrong? How can I
> get a list of entries with said filter?
I think your problem is the fact that LDAPs '>' and '<' smaller
work lexicographically, not numerically.
1000 is smaller than 500 (as far as strings go), hence you won't
find any users that qualify for BOTH.
Cheers,
Andrej
--
Please don't top post, and don't use HTML e-Mail :} Make your quotes concise.
Peter Marschall
On Monday, 5. September 2011, Serge A. Ribalchenko wrote:
> Im trying to get a list of available entries from ldap by simple filter:
> attribute cn must be less than 1000 and greater than 500. According to
> Net::LDAP documentation this could be done like this:
>
> 019: filter => "&(cn<=1000)(cn>=500)"
The problem is not in perl-ldap, but on the server side.
If the attributeType used in the does not support the ORDERING matching rule,
then you are out of luck.
You can find the matching rules supported by the various attributeTypes in the
schema.
Here's the definition taken from my OpenLDAP server (as OpenLDAP adheres to
the RFCs vry strictly, I am pretty confident, it is exactly as in the RFCs):
attributeTypes: ( 2.5.4.41 NAME 'name'
DESC 'RFC4519: common supertype of name attributes'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
DESC 'RFC4519: common name(s) for which the entity is known by'
SUP name )
It says:
* the attributetype 'name' has matching rules for EQUALITY & SUBSTR only
* 'cn' is derived from 'name'
No luck in this case, sorry!
Best
Peter
PS: It is possible that some LDAP server implementations implement extensions
on the matching rules that are not shown in the schema, but as this is non-
standard, the results depend in the specific implementation (e.g. lexical
instead of numerical sorting, ...)
--
Peter Marschall
pe...@adpm.de
Serge A. Ribalchenko
Thank you for your help (and especially Peter's), the problem has been
solved. And yes, it is server-side.
for details see http://perlmonks.org/?node_id=924269
--
Serge A. Ribalchenko <fis...@tpaba.org.ua>