Robert_W_Brandt Absent Member.

Simple LDAP question

How do I return the Distinguished Name of a LDAP object in a LDAP query?

For instance:
Filter => (objectClass=person)
Attributes Returned => mail, fullName, dn

Problem is that doesn't work...

In Active Directory you can use the attribute distinguishedName

Thanks
Bob
Knowledge Partner

Re: Simple LDAP question

On Fri, 02 Mar 2012 14:16:01 +0000, robert w brandt wrote:

> How do I return the Distinguished Name of a LDAP object in a LDAP query?


The DN of the objects found by your search filter are always returned.

> For instance:
> Filter => (objectClass=person)
> Attributes Returned => mail, fullName, dn
>
> Problem is that doesn't work...


Please define "doesn't work".


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Robert_W_Brandt Absent Member.

Re: Simple LDAP question

dgersic;2178894 wrote:

Please define "doesn't work".

As in doesn't return any data...

For example if I run the query below I don't get the results I want:

root@workstation:~>ldapsearch -LLL -s sub -x -h ldap objectClass=person fullname mail dn

dn: cn=contact1,ou=mail,o=OPW
mail: contact.one@opw.ie
fullname: contact one

dn: cn=contact2,ou=mail,o=OPW
mail: contact.two@opw.ie
fullname: contact two

root@workstation:~>


Whereas I want the following results:

root@workstation:~>ldapsearch -LLL -s sub -x -h ldap objectClass=person fullname mail dn

dn: cn=contact1,ou=mail,o=OPW
mail: contact.one@opw.ie
fullname: contact one
dn: cn=contact1,ou=mail,o=OPW

dn: cn=contact2,ou=mail,o=OPW
mail: contact.two@opw.ie
fullname: contact two
dn: cn=contact2,ou=mail,o=OPW

root@workstation:~>
Knowledge Partner

Re: Simple LDAP question

On Fri, 02 Mar 2012 16:36:01 +0000, robert w brandt wrote:

> dgersic;2178894 Wrote:
>>
>> Please define "doesn't work".
>>

> As in doesn't return any data...
>
> For example if I run the query below I don't get the results I want:
>
> Code:
> --------------------
>
> root@workstation:~>ldapsearch -LLL -s sub -x -h ldap
> objectClass=person fullname mail dn
>
> dn: cn=contact1,ou=mail,o=OPW
> mail: contact.one@opw.ie
> fullname: contact one
>
> dn: cn=contact2,ou=mail,o=OPW
> mail: contact.two@opw.ie
> fullname: contact two
>
> root@workstation:~>
>
> --------------------


That looks perfectly correct to me.


> Whereas I want the following results:
>
> Code:
> --------------------
>
> root@workstation:~>ldapsearch -LLL -s sub -x -h ldap
> objectClass=person fullname mail dn
>
> dn: cn=contact1,ou=mail,o=OPW
> mail: contact.one@opw.ie
> fullname: contact one
> dn: cn=contact1,ou=mail,o=OPW
>
> dn: cn=contact2,ou=mail,o=OPW
> mail: contact.two@opw.ie
> fullname: contact two
> dn: cn=contact2,ou=mail,o=OPW
>
> root@workstation:~>
>
> --------------------


Which looks totally wrong to me. "dn" is not an attribute of an object,
it's the object itself. No sane system should return "dn" as an attribute.



--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Knowledge Partner

Re: Simple LDAP question

Agreed. Getting the data back twice is a nice way to waste bandwidth
and processing, but the end result is that the client has the DN no
matter which attributes are returned. It's impossible to get attributes
without their linkage to some kind of object so getting the DN again is
wasting time.

Good luck.
Robert_W_Brandt Absent Member.

Re: Simple LDAP question

ab;2179002 wrote:

Agreed. Getting the data back twice is a nice way to waste bandwidth
and processing, but the end result is that the client has the DN no
matter which attributes are returned. It's impossible to get attributes
without their linkage to some kind of object so getting the DN again is
wasting time.

Trust me I understand, but I am dealing with a third party system that is looking for the DN to be returned via the attributes...
Problem is that Active Directory (I know, I know, not a sane system) is able to do this and I'm getting grief for Novell being an inferior system... (Again I know it is the third party software that is inferior, but that logic is beyond some)

Bob
Knowledge Partner

Re: Simple LDAP question

Care to share which product? Most of the time when this has come up
I've pointed people to the LDAPv3 specs. This is not part of that
(RFC-writers aren't dumb) and often that helps the application vendor
realize they are wasting resources and improve their own system by using
what is always there anyway. If not an option there are workarounds of
course... you could set up some kind of attribute mapping to an attribute
in which you populate the DN of the object so that it returns as an
attribute. I have not tested this, and since 'dn' is special I do not
know how well it will work, but it has potential. The downside is now
you get to waste not only bandwidth but disk space (as you duplicate the
DN into the attribute for each desired object) plus you get to do fun
things like manage that attribute's value through creates/renames/moves,
etc. Novell/NetIQ Identity Manager could manage all of that with one
rule but if you do not already have that in place then that's more.

Novell, as part of OES, ships an LDAP-ish interface that is made to be
quirky in the same way as MAD. Have you looked at Domain Services for
Windows (DSfW) to see if it wastes bandwidth like MAD does? I would not
be surprised if it did, and if it does not I can submit a bug on that
for you, but the product has its own forum and is made to emulate all of
the quirks and eccentricities of MAD on an OES box so applications
written by people who do not understand LDAP can still work.

Good luck.
Knowledge Partner

Re: Simple LDAP question

On Sun, 04 Mar 2012 13:06:01 +0000, robert w brandt wrote:

> Trust me I understand, but I am dealing with a third party system that
> is looking for the DN to be returned via the attributes...


This system is broken, then, and should be fixed.


> Problem is
> that Active Directory (I know, I know, not a sane system) is able to do
> this and I'm getting grief for Novell being an inferior system...
> (Again I know it is the third party software that is inferior, but that
> logic is beyond some)


DN is never an attribute, even in MAD. There's an attribute, displayName,
that is there, but that's not "dn". What, exactly, is this software
doing, and what exactly is it looking for? There may be a way to kludge
around it.

You might want to get an LDAP trace of it, to see what its actual search
filter and attribute return list is.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Robert_W_Brandt Absent Member.

Re: Simple LDAP question

ab;2179164 wrote:

Care to share which product?

No problem - A freebie mail server - Zarafa

(I would rather go GroupWise, but I don't make these decisions. At least we are moving away from Domino)

dgersic;2179300 wrote:

DN is never an attribute, even in MAD. There's an attribute, displayName,
that is there, but that's not "dn".


There is a hidden attribute in MAD called distinguishedName....

I was hoping there might be a hidden attribute in eDirectory LDAP as well...
Regardless this was the easy option, I think I have another solution to the problem.

Thanks
Bob
Knowledge Partner

Re: Simple LDAP question

On Sun, 04 Mar 2012 13:06:01 +0000, robert w brandt wrote:

> Trust me I understand, but I am dealing with a third party system that
> is looking for the DN to be returned via the attributes...


Try entryDN. That seems to work.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
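
Added example, not written by any poster in this thread: the replies above point out that every search result entry already carries its DN, and that requesting entryDN returns it as an attribute. Where a consumer insists on a DN attribute and the server offers none, the DN can be copied from the entry on the client side, as this parser for `ldapsearch -LLL` output shows. The function names and the sample LDIF are constructed for illustration.

```python
import base64

# Constructed sample modelled on the ldapsearch -LLL output quoted in the thread.
# The second entry has a base64 DN ("dn::") and a folded line, both valid LDIF.
SAMPLE_LDIF = """\
dn: cn=contact1,ou=mail,o=OPW
mail: contact.one@opw.ie
fullname: contact one

dn:: Y249Y29udGFjdDIsb3U9bWFpbCxvPU9QVw==
mail: contact.two@
 opw.ie
fullname: contact two
"""

def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()

def entries_with_dn(text, dn_attr="entryDN"):
    """Return one dict per entry, copying the entry's own DN into dn_attr if absent."""
    result = []
    for block in "\n".join(unfold(text)).split("\n\n"):
        pairs = [parse_line(l) for l in block.splitlines() if l.strip()]
        if not pairs:
            continue
        (first, dn), rest = pairs[0], pairs[1:]
        if first.lower() != "dn":
            raise ValueError("LDIF entry must start with its dn line")
        attrs = {}
        for attr, value in rest:
            attrs.setdefault(attr, []).append(value)
        # Attribute names are case-insensitive; keep a server-supplied value as-is.
        if dn_attr.lower() not in {a.lower() for a in attrs}:
            attrs[dn_attr] = [dn]
        result.append({"dn": dn, "attrs": attrs})
    return result
```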

Robert_W_Brandt Absent Member.

Re: Simple LDAP question

Perfect! That was the answer I was looking for!!

Thanks
Bob