Jevans78 Absent Member.
Absent Member.
1949 views

Search for objects with partial DN

Hi,

I have an issue where I need to search the vault for existing workorders using wildcards.

For example, disable workorders are created in the format:

cn=disable-user-CountryCode-StaffID-Date(ddmmYYYY)

Ideally when a termination date of a user is changed, I'd like the loopback driver to query the vault for workorders with their StaffID in
e.g: for a UK user "12345" it should query the workorders container for all workorders with a cn containing the text "disable-user-UK-1235"

I've tried this with policy (do-find-matching-object) and failed, so I'm assuming there will need to be an XPATH statement which would return a nodeset of results. The end action would be to delete any existing workorders that match.

Is this even possible, and if so does anyone have a starting point I could work with?

Thanks is advance.
John
Labels (1)
Tags (2)
0 Likes
12 Replies
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

Jevans78 wrote:

> Is this even possible, and if so does anyone have a starting point I
> could work with?


I do not think you can use wildcards in DNs at all. You would need the relevant
values in attributes on the workorder objects to search for them in the way you
like it to do. In this case you'd have set something like workforceID and a due
date. For the latter DirXML-DueDate might already be set if you're lucky.
If you're not lucky you could set up a loopback driver to create/maintain the
required attributes from the object name (or add such code to the Workorder
driver directly).

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

On 04/28/2016 08:41 AM, Lothar Haeger wrote:
> Jevans78 wrote:
>
>> Is this even possible, and if so does anyone have a starting point I
>> could work with?

>
> I do not think you can use wildcards in DNs at all. You would need the relevant
> values in attributes on the workorder objects to search for them in the way you
> like it to do. In this case you'd have set something like workforceID and a due


I do not think this extra work is done; the CN value is there, so search
against it directly.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN


I think you might need to do a query with the query token and store the
result in a nodeset variable.

You can then do a for each over the nodeset and do a regex compare.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=55785

0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

On Thu, 28 Apr 2016 14:06:03 +0000, Jevans78 wrote:

> I have an issue where I need to search the vault for existing workorders
> using wildcards.
>
> For example, disable workorders are created in the format:
>
> cn=disable-user-CountryCode-StaffID-Date(ddmmYYYY)
>
> Ideally when a termination date of a user is changed, I'd like the
> loopback driver to query the vault for workorders with their StaffID in
>
> e.g: for a UK user "12345" it should query the workorders container for
> all workorders with a cn containing the text "disable-user-UK-1235"
>
> I've tried this with policy (do-find-matching-object) and failed, so I'm
> assuming there will need to be an XPATH statement which would return a
> nodeset of results. The end action would be to delete any existing
> workorders that match.


You could probably leverage Lothar's ldapsearch ECMAScript to do the
search. LDAP search deals with wildcards in the search filter. You'll get
back a nodeset of matching objects.


--
David Gersic
Knowledge Partner http://forums.microfocus.com
If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

David Gersic wrote:

> You could probably leverage Lothar's ldapsearch ECMAScript to do the
> search. LDAP search deals with wildcards in the search filter. You'll get
> back a nodeset of matching objects.


I actually wrote that ldapsearch for a very similar scenario: search for
accounts with a timestamp smaller than X. LDAP searches not only allow for
wider wildcard use than token query or do-find-matching-object, they also
support more operators, especially <= and >=.

So if the OP writes the due date to a timestamp attribute (can be string syntax
but must be sortable and comparable by <= and >= e.g. as yyyyMMdd), the search
can be crafted in a way that it returns just the desired objects and no looping
over a result(super)set is required. Whether that's worth the trouble of
setting up ldapsearch depends on the perfomance requirements. If the typical
nodeset to process would have more than a few hundred elements or you'd have to
perform the search very often (every X seconds rather than hours or days), it
might be reasonable to look into it.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Search for objects with partial DN

On 4/28/2016 12:06 PM, Lothar Haeger wrote:
> David Gersic wrote:
>
>> You could probably leverage Lothar's ldapsearch ECMAScript to do the
>> search. LDAP search deals with wildcards in the search filter. You'll get
>> back a nodeset of matching objects.

>
> I actually wrote that ldapsearch for a very similar scenario: search for
> accounts with a timestamp smaller than X. LDAP searches not only allow for
> wider wildcard use than token query or do-find-matching-object, they also
> support more operators, especially <= and >=.
>
> So if the OP writes the due date to a timestamp attribute (can be string syntax
> but must be sortable and comparable by <= and >= e.g. as yyyyMMdd), the search
> can be crafted in a way that it returns just the desired objects and no looping
> over a result(super)set is required. Whether that's worth the trouble of
> setting up ldapsearch depends on the perfomance requirements. If the typical
> nodeset to process would have more than a few hundred elements or you'd have to
> perform the search very often (every X seconds rather than hours or days), it
> might be reasonable to look into it.
>


I've used this approach many times as well. I much prefer the ldapsearch approach. I think not having wildcards in the
tokens is a major shortcoming.

I believe Geoffrey also has an article about how to SSL enable the ldapsearch library. Actually, I think Lothar's later
versions might already include that now that I think about it.


--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

Will Schneider <descent@no-mx.forums.netiq.com> wrote:
>
>
> I believe Geoffrey also has an article about how to SSL enable the
> ldapsearch library. Actually, I think Lothar's later
> versions might already include that now that I think about it.
>
>


Lothar's version does do SSL. Has done for a long time.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Search for objects with partial DN

On 4/29/2016 1:41 AM, Alex Mchugh wrote:
> Will Schneider <descent@no-mx.forums.netiq.com> wrote:
>>
>>
>> I believe Geoffrey also has an article about how to SSL enable the
>> ldapsearch library. Actually, I think Lothar's later
>> versions might already include that now that I think about it.
>>
>>

>
> Lothar's version does do SSL. Has done for a long time.
>


See, I need to update my packages 🙂 Silly me 🙂

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN


Yep, that's quicker than the query token.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=55785

0 Likes
Jevans78 Absent Member.
Absent Member.

Re: Search for objects with partial DN

Hi all,

Thanks for the replies. I think the easiest/most efficient way is to set searchable attributes on the workorders when they are created. I can then match using these, so I'll test this way.

Many thanks
John
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Search for objects with partial DN

On 4/29/2016 3:16 AM, Jevans78 wrote:
>
> Hi all,
>
> Thanks for the replies. I think the easiest/most efficient way is to set
> searchable attributes on the workorders when they are created. I can
> then match using these, so I'll test this way.
>
> Many thanks
> John
>
>

Remember that you can use multiple attributes to search on. So using specific things instead of concatenated things is
probably more useful.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Search for objects with partial DN

Jevans78;2427522 wrote:
Hi all,

Thanks for the replies. I think the easiest/most efficient way is to set searchable attributes on the workorders when they are created. I can then match using these, so I'll test this way.

Many thanks
John


Hi John.
Ldapsearch is pretty easy way to get required results:
Ldapsearch can populate nodeset with DN of objects, that satisfied your "filter".
Now just work with objects from this nodeset.

Alex
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.