
LDAP Search for manager


DaveMo

Jul 14, 2009, 6:07:55 PM
Hi all,

I'm trying to create a DirectorySearcher filter that will allow me to
search for all objects with a certain person (named "foo") as their
manager. Of course this is a DN attribute, so I figured I could just use
the name and contains semantics.

So I construct a filter like:

(&(manager=*foo*))

I was hoping it would work. It doesn't.

Do DN attribute types support this kind of search?

TIA
Dave

Joe Kaplan

Jul 14, 2009, 10:36:09 PM
You have stumbled into one of the weird behaviors of AD which is that
DN-syntax attributes like manager do NOT support any type of substring match
but must be exact matches.

There are actually a few other attribute syntaxes that also don't support
substring matches, but this is the one that people generally want to do that
they can't.

I think the limitation actually comes from the way DN data is stored in the
directory (basically as a reference and not as a string; the string
representation is dynamically generated by the DS for LDAP calls). Other
directories don't behave this way. I'm uncertain as to whether there is any
spec-compliance argument about this behavior either way.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

DaveMo

Jul 15, 2009, 9:16:25 AM

On Jul 14, 7:36 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
> You have stumbled into one of the weird behaviors of AD which is that
> DN-syntax attributes like manager do NOT support any type of substring match
> but must be exact matches.
>
> There are actually a few other attribute syntaxes that also don't support
> substring matches, but this is the one that people generally want to do that
> they can't.
>
> I think the limitation actually comes from the way DN data is stored in the
> directory (basically as a reference and not as a string; the string
> representation is dynamically generated by the DS for LDAP calls).  Other
> directories don't behave this way.  I'm uncertain as to whether there is any
> spec-compliance argument about this behavior either way.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
>
> "DaveMo" <david.mow...@gmail.com> wrote in message
> news:16b11ae8-a9eb-4576...@c2g2000yqi.googlegroups.com...
>
> > Hi all,
>
> > I'm trying to create a DirectorySearcher filter that will allow me to
> > search for all objects with a certain person (named "foo") as their
> > manager. Of course this is a DN attribute, so I figured I could just use
> > the name and contains semantics.
>
> > So I construct a filter like:
>
> > (&(manager=*foo*))
>
> > I was hoping it would work. It doesn't.
>
> > Do DN attribute types support this kind of search?
>
> > TIA
> > Dave

Thanks Joe. That's pretty much what I expected but it's great to have
the confirmation so I can stop staring at my code trying to figure out
what's wrong :)

Dave

Carl K

Sep 15, 2009, 11:33:02 AM
There is another option that I have done.

Basically... since the dn is a concatenation of sorts of the cn and the
relative domain location of the object, you can do a search based on your
input against cn and get a list of all objects where the cn matches your query
and then get the distinguishedName for each search result. Then pass those
distinguished names to a new query against the manager field.
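
Added example, not code from any poster in this thread: the two-step lookup described above, written against DirectorySearcher. The class and method names are hypothetical. Both the user-supplied name and the DNs returned by step 1 are escaped per RFC 4515 before they go into a filter, because a DN such as `CN=Smith\, Jo (IT),...` contains characters that are special in filter syntax.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;   // add a reference to System.DirectoryServices
using System.Linq;
using System.Text;

static class ManagerSearch   // hypothetical name, for illustration only
{
    // RFC 4515 escaping for any value placed inside a filter.
    // Unescaped input could change the filter's structure (LDAP injection).
    static string Escape(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Step 1 filter: substring match on cn, which does support wildcards.
    public static string CnFilter(string namePart) =>
        "(cn=*" + Escape(namePart) + "*)";

    // Step 2 filter: exact match on manager, one clause per DN from step 1.
    public static string ManagerFilter(IEnumerable<string> managerDns) =>
        "(|" + string.Concat(managerDns.Select(dn => "(manager=" + Escape(dn) + ")")) + ")";

    static List<string> FindDns(DirectoryEntry root, string filter)
    {
        var dns = new List<string>();
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        {
            searcher.PageSize = 500;   // page through large result sets
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    dns.Add((string)r.Properties["distinguishedName"][0]);
        }
        return dns;
    }

    // Returns the DNs of objects whose manager's cn contains namePart.
    public static List<string> FindReports(DirectoryEntry root, string namePart)
    {
        List<string> managers = FindDns(root, CnFilter(namePart));
        // "(|)" with no clauses is not a valid filter, so stop if step 1 found nothing.
        return managers.Count == 0 ? new List<string>() : FindDns(root, ManagerFilter(managers));
    }
}
```

`root` is a `DirectoryEntry` bound to the search base. If step 1 can match many objects, split the DN list into batches so the step 2 filter stays a manageable size.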
