
ldap search: error code 34 - Invalid DN Syntax


Wolfgang Schreiber

Jun 10, 2005, 12:23:52 PM
My LDAP search filter works fine for standard attributes, e.g.

(&(objectClass=inetOrgPerson)(sn=adm*))

But when I try searching DN attributes
(&(objectClass=inetOrgPerson)(manager=adm*))
I get error code 34 (Invalid DN Syntax)

This happens in my Java class - using the same filter in an LDAP browser
returns no results

I've searched Google and found references to the ":dn:" prefix ... like

(&(objectClass=inetOrgPerson)(manager:dn:=admin))
or
(&(objectClass=inetOrgPerson)(dn:manager=admin))

.. but these won't work either. What is the trick to search DN
attributes?


Thanx

Wolfgang


Susan Perrin

Jun 10, 2005, 4:36:45 PM
Hi Wolfgang,

The dn syntax doesn't support substring matching, only equality as
documented at
http://developer.novell.com/ndk/doc/ndslib/schm_enu/data/sdk5582.html#sdk5582

So when I search for

ldapsearch -h localhost -D cn=admin,o=novell -w novell "(manager=cn=bob,o=novell)" manager

it works fine but (manager=bo*) or (manager=cn=bo*) fails with inappropriate
matching 18.

I'd like to know what browser this works for you with. I tried u of mich
ldap browser and although it's not returning the error, I see the error in
dstrace and get no results in the browser. Please let me know because I'm
quite curious.

The syntax you mention for dn: is part of extensible match which is
supported in eDirectory 8.7 and later. The eDirectory implementation of
extensible match only supports the condition to allow matching to components
of the object's Distinguished Name as well as attributes of the object. So
I don't think it's going to help you in your request. ExtensibleMatch.java
is a sample that ships with the NDK.

Thank you
Susan


Wolfgang Schreiber

Jun 13, 2005, 1:51:19 PM
Thanks Susan - helpful as always!

I wasn't even aware that this is a schema limitation, a real pity.

> I'd like to know what browser this works for you with.

The browser I tested may be the same that you used (Univ of Michigan Java
LDAP browser - www.iit.edu/~gawojar/ldap) but as I mentioned, it simply
returns no results.

So, if the customer insists on this feature, I guess I'd have to do two
steps,
* get the DNs that match the filter CN=xxx*
* pass the results to the next search on the DN attribute and check on
equality


Thanks again

Wolfgang



Susan Perrin

Jun 13, 2005, 2:51:48 PM
>> I mentioned, it simply
>> returns no results.

I totally missed that and I can't blame my vision because I just got new
glasses. Sorry!

Your approach seems reasonable if I understand correctly. Get the fdn of
the manager then you can search on objects based on manager=fdn (or'd if
there's more than one). Since cn is indexed this should be faster than
doing the string compares yourself.

Thank you
Susan
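
The two-step search discussed in this thread, as an added example that is not code from either poster or from the NDK: it builds the step-1 substring filter on cn and the step-2 OR'd equality filter on manager, escaping every value per RFC 4515 so that neither user input nor characters inside a returned DN can change the filter's structure. The function names and the objectClass restriction in step 1 are assumptions; the actual search calls are left to whatever LDAP client is in use.

```python
# Added example: filter construction for the two-step DN-attribute search.
# Function names are hypothetical; only the filter strings go to the server.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def cn_prefix_filter(prefix):
    """Step 1: substring match on cn, a string attribute, so '*' is allowed."""
    if not prefix:
        raise ValueError("empty prefix would match every entry")
    # Only the trailing '*' is a wildcard; any '*' in the input is escaped.
    return "(&(objectClass=inetOrgPerson)(cn=%s*))" % escape_filter_value(prefix)


def manager_equality_filter(manager_dns):
    """Step 2: equality match on the DN-syntax attribute, OR'd over all DNs."""
    terms = ["(manager=%s)" % escape_filter_value(dn) for dn in manager_dns]
    if not terms:
        return None  # step 1 matched nobody, so there is no second search
    inner = terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)
    return "(&(objectClass=inetOrgPerson)%s)" % inner


if __name__ == "__main__":
    # Constructed sample data: DNs as step 1 might return them.
    dns = ["cn=admin,o=novell", "cn=adm (ops),o=novell"]
    print(cn_prefix_filter("adm"))
    print(manager_equality_filter(dns))
```

The DNs passed to the second function should be the full DNs returned by the first search, unchanged, since the server compares them by DN equality.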

