
Question about wildcard query for DN attributes


Hello folks,
I have a business case where I need to find all managers with "lost"
directReports (objects from the Inactive OU).

I know that the "internal" query token <token-query> doesn't support
wildcards for matching.
From the beginning I didn't worry too much: I thought that I could do it
via an LDAP query.
After a number of tests I found that this type of query is not available
through LDAP. 😞

> Regarding match algorithms of LDAP filters, LDAP directory systems
> comply with the specifications of the original X.500 standards.
> According to these matching rules you can't use wildcards in LDAP
> filters for attributes containing LDAP distinguished names (attributes
> with DN-string syntax).
>
> Even more important could be the search for objects in a specific OU.
> Especially, when only the declaration of a pure filter string is allowed
> and when there is no possibility to specify the search base of an LDAP
> search. Thus, the following filter won't work!
> (distinguishedName=*,ou=Sydney,dc=cerrotorre,dc=org)


Catch-22: This type of query is not available from LDAP and isn't
available (?) from the standard token! 😞

Folks, maybe somebody has an idea how to deal with this?
I will repeat my scenario: find all objects that have directReports or
managers from a specific OU. :confused:

Alex


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=55244


Re: Question about wildcard query for DN attributes

On Mon, 25 Jan 2016 20:44:01 +0000, al b wrote:

> Folks, maybe somebody have any idea how to deal with this? I will repeat
> my scenario: find all objects, that have directReports or managers form
> specific OU. :confused:


Query for all, then filter out the ones you don't want because they don't
match your criteria.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Question about wildcard query for DN attributes

Since directReports and manager are often set together, you may find it
useful to find any objects under the inactive container with a manager at
all, then focus on those. It's not perfect, since setting the one does
not mean setting the other, but if you have only used automated/standard
eDirectory tools to manage these users, that may be pretty reliable.

Otherwise, David's right: Query for them, then iterate over them in
ECMAscript or some other language.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Question about wildcard query for DN attributes


ab;264478 Wrote:
> Since directReports and manager are often set together, you may find it
> useful to find any objects under the inactive container with a manager at
> all, then focus on those. It's not perfect, since setting the one does
> not mean setting the other, but if you have only used automated/standard
> eDirectory tools to manage these users, that may be pretty reliable.
>
> Otherwise, David's right: Query for them, then iterate over them in
> ECMAscript or some other language.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


This procedure was conceived as an "automated" cleanup procedure for a
"sync after move" problem (that is extremely hard to catch).

In a very simplified explanation, we have a driver that moves terminated
people to the Inactive OU. Before this move operation, the driver runs a
"cleanup" procedure (removes Manager info from the object - reciprocal to
DirectReport and some other attributes). Thousands of times the whole
operation completed successfully without any "stack" attributes, but from
time to time we find some "wrong" Manager or DirectReports info.
My suspicion is that this is the result of a "wrong"
synchronization-after-move (between partitions) from one of the servers in
the replica ring. The situation is aggravated by the fact that we still
have very "old" 7.3.9 servers in the tree. These servers will be
decommissioned soon, but currently they are alive.

Alex



Re: Question about wildcard query for DN attributes


dgersic;264476 Wrote:
> On Mon, 25 Jan 2016 20:44:01 +0000, al b wrote:
>
> > Folks, maybe somebody have any idea how to deal with this? I will repeat
> > my scenario: find all objects, that have directReports or managers form
> > specific OU. :confused:
>
> Query for all, then filter out the ones you don't want because they don't
> match your criteria.
>
>
> --
> --------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
> Knowledge Partner http://forums.microfocus.com
>
> Please post questions in the forums. No support provided via email.
> If you find this post helpful, please click on the star below.


Thank you, David!
Unfortunately this solution is not really practical for me: I don't
think that the Java/engine memory handler will handle a nodeset of 15k
manager objects with 60-120k direct reports.

I am thinking about the possibility of splitting it into "small" chunks
(50-100 objects).
For example, if it is possible from the query token: use a loop with a
query for 50 objects, run the "cleanup" logic and repeat this query
again.

Alex



Re: Question about wildcard query for DN attributes

> Thank you, David!
> Unfortunately this solution is not really practical for me: I don't
> think, that Java/engine memory handler will handle nodeset from 15k
> manager objects with 60-120k direct reports.


<query-ex>. In the Query token, specify max-results (say 50), that
chunks the results, and you can loop over the query, and it will loop
over 50 and if you do what you need to do inside the loop, you never
have a 15,000 object variable, only 50 at a time.

It is not obvious, but for each over a Query, with max-results does what
you need.

> I think about possibility to split it to "small" chunks (50-100
> objects).
> If for example, it would be possible from query token, possible to use
> loop with query for 50 objects, run "cleanup" logic and repeat this
> query again.
>
> Alex
>
>



Re: Question about wildcard query for DN attributes

On 01/25/2016 06:58 PM, Geoffrey Carman wrote:
>> Thank you, David!
>> Unfortunately this solution is not really practical for me: I don't
>> think, that Java/engine memory handler will handle nodeset from 15k
>> manager objects with 60-120k direct reports.

>
> <query-ex>. In the Query token, specify max-results (say 50), that chunks
> the results, and you can loop over the query, and it will loop over 50 and
> if you do what you need to do inside the loop, you never have a 15,000
> object variable, only 50 at a time.
>
> It is not obvious, but for each over a Query, with max-results does what
> you need.


And on the topic of things not obvious, Geoffrey used "for each" as a verb
here, and maybe that's obvious to everybody else, but I thought for a
second there he'd forgotten English (or at least Canadian) grammar rules.
Falling back on silly things like that, replace "for each" with "iterate
using for-each" and everything suddenly sounds correct.

It's not often Geoffrey misses an opportunity to make a sentence longer,
and now I am glad he seldom does (miss that opportunity for, perhaps
ironically, clarity reasons). 😉

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Question about wildcard query for DN attributes

On 1/25/2016 9:04 PM, ab wrote:
> On 01/25/2016 06:58 PM, Geoffrey Carman wrote:
>>> Thank you, David!
>>> Unfortunately this solution is not really practical for me: I don't
>>> think, that Java/engine memory handler will handle nodeset from 15k
>>> manager objects with 60-120k direct reports.

>>
>> <query-ex>. In the Query token, specify max-results (say 50), that chunks
>> the results, and you can loop over the query, and it will loop over 50 and
>> if you do what you need to do inside the loop, you never have a 15,000
>> object variable, only 50 at a time.
>>
>> It is not obvious, but for each over a Query, with max-results does what
>> you need.

>
> And on the topic of things not obvious, Geoffrey used "for each" as a verb
> here, and maybe that's obvious to everybody else, but I thought for a


Meh, Alex knew what I meant. For Each is kind of a verb, when used with
'over'. Pshaw!

> second there he'd forgotten English (or at least Canadian) grammar rules.
> Falling back on silly things like that, replace "for each" with "iterate
> using for-each" and everything suddenly sounds correct.


What he said.

>
> It's not often Geoffrey misses an opportunity to make a sentence longer,


They don't pay by the word here! Never start a fight with a man who
buys ink by the barrel! I wear off keyboard keys by the lot!

> and now I am glad he seldom does (miss that opportunity for, perhaps
> ironically, clarity reasons). 😉





Re: Question about wildcard query for DN attributes


ab;264483 Wrote:
> On 01/25/2016 06:58 PM, Geoffrey Carman wrote:
> >> Thank you, David!
> >> Unfortunately this solution is not really practical for me: I don't
> >> think, that Java/engine memory handler will handle nodeset from 15k
> >> manager objects with 60-120k direct reports.
> >
> > <query-ex>. In the Query token, specify max-results (say 50), that chunks
> > the results, and you can loop over the query, and it will loop over 50 and
> > if you do what you need to do inside the loop, you never have a 15,000
> > object variable, only 50 at a time.
> >
> > It is not obvious, but for each over a Query, with max-results does what
> > you need.
>
> And on the topic of things not obvious, Geoffrey used "for each" as a verb
> here, and maybe that's obvious to everybody else, but I thought for a
> second there he'd forgotten English (or at least Canadian) grammar rules.
> Falling back on silly things like that, replace "for each" with "iterate
> using for-each" and everything suddenly sounds correct.
>
> It's not often Geoffrey misses an opportunity to make a sentence longer,
> and now I am glad he seldom does (miss that opportunity for, perhaps
> ironically, clarity reasons). 😉
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Folks,
Now I'm lost 😞

My original idea was to make, in the loop, a query for directReport with
a wildcard instead of the name (*,ou=Inactive,o=XXX or XXX\Inactive\*)
with max-results 20, get a nodeset of managers with inactive DRs, take the
required actions, repeat the query ...

The approach of doing the same steps for EVERY manager (without
preliminary "filtering" of this scope ONLY to managers with "invalid"
employees) will potentially work, but it will be very far from "optimal":
instead of dealing with 200-300 records it will push me to deal with
15-20k.

I had hoped that maybe somebody has their own "magic" way to deal with a
"wildcard" query for DN attributes. 🙂 LDAP can't help here. 😞

Alex



Re: Question about wildcard query for DN attributes

On Tue, 26 Jan 2016 04:04:01 +0000, al b wrote:

> ab;264483 Wrote:
>> On 01/25/2016 06:58 PM, Geoffrey Carman wrote:
>> >> Thank you, David!
>> >> Unfortunately this solution is not really practical for me: I don't
>> >> think, that Java/engine memory handler will handle nodeset from 15k
>> >> manager objects with 60-120k direct reports.
>> >
>> > <query-ex>. In the Query token, specify max-results (say 50), that chunks
>> > the results, and you can loop over the query, and it will loop over 50 and
>> > if you do what you need to do inside the loop, you never have a 15,000
>> > object variable, only 50 at a time.
>> >
>> > It is not obvious, but for each over a Query, with max-results does what
>> > you need.
>>
>> And on the topic of things not obvious, Geoffrey used "for each" as a verb
>> here, and maybe that's obvious to everybody else, but I thought for a
>> second there he'd forgotten English (or at least Canadian) grammar rules.
>> Falling back on silly things like that, replace "for each" with "iterate
>> using for-each" and everything suddenly sounds correct.
>>
>> It's not often Geoffrey misses an opportunity to make a sentence longer,
>> and now I am glad he seldom does (miss that opportunity for, perhaps
>> ironically, clarity reasons). 😉
>>
>> --
>> Good luck.
>>
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below...

>
> Folks,
> Now I'm lost 😞
>
> It was my original idea in the loop make query for directReport with
> wildcard instead name (*,ou=Inactive,o=XXX or XXX\Inactive\*) with
> max-results 20, get nodeset of managers with inactive DR, take required
> actions, repeat the query ...
>
> Approach to do same steps for EVERY manager (without preliminary
> "filtering" of this scope ONLY to managers with "invalid" employees)
> potentially will work, but it will be very far from the "optimal":
> instead dealing with 200-300 records it will push me to deal with
> 15-20k.


The logic is the same. You'll do a query for all, set max-results to
enable the query-ex logic so you'll only get back 50 records at a time,
and for-each over the resulting nodeset. The shim will continue to feed
your policy 50 results at a time until it reaches the end of the logical
query.


> I had a hope, that may be somebody has own "magic" way to deal with
> "wildcard" query for DN attributes. 🙂 LDAP can't help here. 😞


DNs don't have a wildcard matching in the schema, so that's not going to
be possible.



--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
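
Added example, not part of the original thread and not NetIQ code: the "query for all in pages, then filter" approach sketched in Python, with the DN subtree test done client-side because the directory will not do a wildcard match on DN-syntax attributes. The sample entries, the function names and the `ou=Inactive,o=XXX` base are assumptions; a plain string suffix test would wrongly flag the `mgr3` entry, whose CN contains an escaped comma.

```python
import re
from itertools import islice

def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514) and normalise each RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    rdns.append("".join(buf))
    # Case-insensitive compare, ignoring spaces around the first "=".
    return [re.sub(r"\s*=\s*", "=", r.strip(), count=1).lower() for r in rdns]

def is_under(dn, base):
    """True when dn is strictly subordinate to base."""
    rdns, base_rdns = split_rdns(dn), split_rdns(base)
    return len(rdns) > len(base_rdns) and rdns[-len(base_rdns):] == base_rdns

def chunks(iterable, size):
    """Yield lists of at most `size` items, like one page of query results."""
    it = iter(iterable)
    while batch := list(islice(it, size)):
        yield batch

def managers_with_lost_reports(entries, base, page_size=50):
    """entries: iterable of (manager_dn, [directReports DNs])."""
    for page in chunks(entries, page_size):
        for manager_dn, reports in page:
            lost = [r for r in reports if is_under(r, base)]
            if lost:                      # only the hits are kept in memory
                yield manager_dn, lost

# Constructed sample data, not taken from a real tree.
SAMPLE = [
    ("cn=mgr1,ou=Active,o=XXX", ["cn=alice,ou=Active,o=XXX"]),
    ("cn=mgr2,ou=Active,o=XXX", ["CN=Bob, OU=Inactive, O=XXX"]),
    # CN contains an escaped comma; the object sits directly under o=XXX.
    ("cn=mgr3,ou=Active,o=XXX", ["cn=x\\,ou=Inactive,o=XXX"]),
    ("cn=mgr4,ou=Active,o=XXX", ["cn=Smith\\, J,ou=Inactive,o=XXX",
                                 "cn=carol,ou=Active,o=XXX"]),
]

if __name__ == "__main__":
    for mgr, lost in managers_with_lost_reports(SAMPLE, "ou=Inactive,o=XXX", 2):
        print(mgr, "->", lost)
```
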

Re: Question about wildcard query for DN attributes

> Folks,
> Now I'm lost 😞
>
> It was my original idea in the loop make query for directReport with
> wildcard instead name (*,ou=Inactive,o=XXX or XXX\Inactive\*) with
> max-results 20, get nodeset of managers with inactive DR, take required
> actions, repeat the query ...


So you wanted a query to find only the users, who match your desired
directReports DN.

What everyone seems to have conceded is that you cannot do that with a
wildcard. Though I am not entirely sure of that. But more on that later.

Thus the consensus was instead, you would need to read back all objects,
in blocks of 50 via Query-ex in a for-each loop, and then compare the
directReports and do what is needed with those you care about, discard
the rest.

I do not think anyone was suggesting store the nodeset of ones of
interest and process them later, since that would eat up memory in a
worst case.

> Approach to do same steps for EVERY manager (without preliminary
> "filtering" of this scope ONLY to managers with "invalid" employees)
> potentially will work, but it will be very far from the "optimal":
> instead dealing with 200-300 records it will push me to deal with
> 15-20k.
>
> I had a hope, that may be somebody has own "magic" way to deal with
> "wildcard" query for DN attributes. 🙂 LDAP can't help here. 😞


Anyone recall the link to the schema doc that defines search
characteristics for the various attributes? I think seeing what is
defined for directReports would help.

You know, you could do the reverse...

Loop over all Inactive users, and query for objects that have
directReports=$current-node

Then it is a lot of looping, but will only find the bad ones.



Re: Question about wildcard query for DN attributes


geoffc;264496 Wrote:
>
> Anyone recall the link to the schema doc that defines search
> characteristics for the various attributes? I think seeing what is
> defined for directReports would help.
>
> You know, you could do the reverse...
>
> Loop over all Inactive users, and query for objects who has
> directReports=$current-node
>
> Then it is a lot of looping, but will only find the bad ones.


Interesting idea about "Loop over all Inactive users": despite the fact
that it looks crazy (at first glance), currently this is the best
option! 🙂

Alex



Re: Question about wildcard query for DN attributes

On 1/26/2016 12:14 PM, al b wrote:
>
> geoffc;264496 Wrote:
>>
>> Anyone recall the link to the schema doc that defines search
>> characteristics for the various attributes? I think seeing what is
>> defined for directReports would help.
>>
>> You know, you could do the reverse...
>>
>> Loop over all Inactive users, and query for objects who has
>> directReports=$current-node
>>
>> Then it is a lot of looping, but will only find the bad ones.

>
> Interesting idea about "Loop over all Inactive users": despite the fact
> that it looks crazy (for the first look), currently this is the best
> option! 🙂


Wait for it, Aaron will have some way of mocking this idea. I know I can
count on him!
