Forgive me if I am missing something, as I haven't followed all of the notes of this chain, but I happened to peruse this one and noticed what appears to be you relying on an undocumented implementation-specific symptom. I.e., if you do something one way you get one result in a certain order; if you do it by reordering terms in the search another way it returns in another order.
This is almost always very bad to do because slight code changes that you are completely out of the loop on, that you probably never will be aware of, could change that ordering at any time and whatever it is you are doing could be adversely impacted. That is if it works consistently ALL of the time in the first place, which is very difficult for you to predict based on a couple of results from probably one client and one server. The only time you rely on ordering of a return set is if you are *forcing* it into a certain order, say with a sort control, or you wrote the code that does the lookup and returns the set.

I was working with someone in another company recently who was doing something fairly similar to this. He also depended on the order of the objects being returned on an indexed attribute and the way the query was built it *appeared* a certain type of result would occur each time due to the backend implementation. He wanted to rely on that functionality, to which I replied the same thing as above. After doing some heavy testing he actually started seeing that the appearance of what was happening didn't always hold up, and had he implemented what he *thought* was going on he would have had a very nasty bug in his code that would have been extremely troublesome to troubleshoot at best.

Unless you can find documentation from Microsoft that says that that order based on that query is guaranteed to be the result each and every time and through code revs, you are relying on a very dangerous thing. If what you are doing isn't very important and you can live with incorrect results generated from order getting out of sync from what you expect, go ahead. But have good logging so you can find it when later on you realize something isn't quite right.

The general rule is don't depend on something you infer about the implementation from symptoms you have seen for anything important.
Have documentation saying that what you are doing is the way it is supposed to be and always will be, or alternatively be the coder responsible for the implementation you are depending on.

  joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Forsyth
Sent: Wednesday, December 15, 2004 6:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Sequence LDAP query

Sorry, I haven't met anyone on this list yet (except Steve Schofield who introduced me to the list). I've looked up your website and it looks like you have a great solution. Too bad I didn't know about it a few months ago when researching which Spam solution to go with.

I've figured it out. In fact it took just a simple test. The simple OR command against an indexed column actually works in order. If I run the following two tests:

(|([EMAIL PROTECTED])([EMAIL PROTECTED]))
(|([EMAIL PROTECTED])([EMAIL PROTECTED]))

The first filter will return the record for scott@ and the 2nd will return the record for nobody@.

So, it actually searches in order starting from the end. This is exactly what I was looking for. Originally I assumed that it would just search all the records and the first that met either criteria would be returned, so depending on what order it was entered into AD, I would get a different result. I assume for non-indexed fields, that might be the case because it would search them all one by one. But in the case of an indexed field, it sounds like MS/LDAP jumps right to the index, starting with the end of the query and moving forward. (mail is an indexed attribute)

So, I believe I've overcome the last obstacle and am ready to finish implementing.

Thanks again! I'll start to work with AD a lot in the near future so I might start to hang out in this newsgroup now and may see more of you in the future.
Scott Forsyth
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 15, 2004 4:47 PM
Subject: RE: [ActiveDir] Sequence LDAP query

Sorry, Scott. But at this point, I will have to take the fifth :) I compete with Barracuda.

Sincerely,
Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Scott Forsyth
Sent: Wed 12/15/2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Sequence LDAP query

Thanks to all of you for your replies. Sure, I'll explain more. I tried to keep it brief the first time so it didn't scare anyone off. :)

I have a Barracuda Spam filter (www.barracudanetworks.com) and use iMail server on the mail end (www.ipswitch.com). I've created a script that places all the iMail users and aliases into AD since the LDAP feature of iMail doesn't work with the number of users that we have.

What I need to be able to do is enable the LDAP feature on the Barracuda to query AD to see if an email address (either alias or POP account) is valid, and if it is valid it will find out the parent POP account and place any spam in the quarantine box for the POP accounts. The goal is that if there are multiple aliases pointing to a single POP account, there is only 1 quarantine box for all of them. This part I can do.

Now, what I also need to be able to do is handle a catch-all email alias (called a 'nobody' in iMail terms).
In iMail, there is an alias called 'nobody' and it's always checked last in the order of operations, but if an alias doesn't exist and a POP account doesn't exist, then iMail will check for the nobody account to determine if it should send to a catch-all account to reject the message. I need to be able to accomplish the same with the Barracuda. Barracuda support tells me that it isn't possible so my last option to make this happen is to use LDAP to overcome their shortcoming.

The Barracuda has the following fields:
- LDAP username
- LDAP password
- LDAP Filter
- LDAP Search Base

So, really the only field that allows me any control is the LDAP Filter. If I could have a filter like Al suggested like this:

(&(objectClass=user)(objectCategory=Person)(|([EMAIL PROTECTED])(mail=no [EMAIL PROTECTED])))

but be sure that it will only check for the [EMAIL PROTECTED] if it couldn't find [EMAIL PROTECTED] I don't want to use the nobody account if there is a valid user or alias.

But, I don't have any programming options. This has to all take place in the LDAP Filter field. The Sequence, <final> <last> LDAP commands seemed to me like a promising lead but I don't know LDAP except for what I've learned in the last few days.

Thanks again!

Scott Forsyth
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 15, 2004 12:14 PM
Subject: RE: [ActiveDir] Sequence LDAP query

Apparently, I missed [1] the important disclaimer that says you're limited in your options. What client tool are you referring to?

If you have nothing against vbscript, then here is a functional script that you can use for what you've described. You just need to modify the "DC=blahblah" and the "instr()" part.
Const ADS_SCOPE_SUBTREE = 2

' Open an ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Search for Users
' Returns every object under the search base; the mail check in the loop does the filtering
objCommand.CommandText = _
    "Select cn,mail,distinguishedName from 'LDAP://DC=myDomain,DC=com'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

' Trap a failed search here instead of suppressing every later error
On Error Resume Next
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    Wscript.Echo "Search failed: " & Err.Description
    Wscript.Quit 1
End If
On Error GoTo 0

If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    objemailAddy = objRecordSet.Fields("mail").Value
    objDN = objRecordSet.Fields("distinguishedName").Value
    objCN = objRecordSet.Fields("cn").Value
    ' Objects without a mail attribute return Null; skip them
    If Not IsNull(objemailAddy) Then
        If InStr(LCase(objemailAddy), "[EMAIL PROTECTED]") > 0 Then
            Wscript.Echo objemailAddy & vbTab & objCN & vbTab & objDN
        ElseIf InStr(LCase(objemailAddy), "[EMAIL PROTECTED]") > 0 Then
            Wscript.Echo objemailAddy & vbTab & objCN & vbTab & objDN
        End If
    End If
    objRecordSet.MoveNext
Loop

' Release the ADO objects
Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing
Set objConnection = Nothing

[1] Oh, by the way, Al, you can stop laughing now ;)

Sincerely,
Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

________________________________
From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Wed 12/15/2004 8:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sequence LDAP query

This is just a pseudo-code.......

objCommand.CommandText = "Select mail from 'LDAP://DC=Domain,DC=com'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    objemailAddy = objRecordSet.Fields("mail").Value
    If instr(lcase(objemailAddy), "[EMAIL PROTECTED]") > 0 Then
        Dosomething
    ElseIf instr(lcase(objemailAddy), "[EMAIL PROTECTED]") > 0 Then
        Dosomething
    End If
    objRecordset.MoveNext
Loop
........

Sincerely,
Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Scott Forsyth
Sent: Tue 12/14/2004 10:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sequence LDAP query

Hi all,

I've subscribed to this list for this question so forgive me if this is something recently covered. I'm trying to do an LDAP query that appears to be uncommon. LDAP is new to me in the last few days so I'm starting from the ground up.

Basically I need a filter something like this:

(if [EMAIL PROTECTED] elseif [EMAIL PROTECTED])

In other words, it shouldn't check to see if [EMAIL PROTECTED] unless it has already checked [EMAIL PROTECTED]

I'll explain the same thing a different way. If [EMAIL PROTECTED] exists, it needs to get that object from AD. But, if [EMAIL PROTECTED] doesn't exist, then check again and see if [EMAIL PROTECTED] exists.

I hope I explained this well enough. I'm limited with the client tool to just a search filter field. I don't have any programming options.

I've found a link that gives me hope that it is possible: http://www.packetizer.com/rfc/rfc.cgi?num=1558 Note the SEQUENCE OF CHOICE, initial, any and final.
That sounds like what I'm looking for. I just don't know how to format the filter.

My current filter that works but doesn't do the 2nd part looks like this:

(mail=${recipient_email})

Is this possible with LDAP?

Thanks,

Scott Forsyth
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

---
[This E-mail scanned for viruses by Declude Virus]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
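Added example, not part of the thread and not any poster's code: where the client code is under your control, the if/elseif lookup discussed above can be made independent of the order in which the server returns entries. It builds the OR filter with RFC 4515 escaping of the substituted address and picks the entry by explicit preference; the addresses, sample entries and function names are constructed for illustration.

```python
from itertools import permutations

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))  # e.g. '*' becomes \2a
        else:
            out.append(ch)
    return ''.join(out)

def build_filter(recipient, catch_all):
    """One OR filter matching either the recipient or the catch-all."""
    return '(|(mail=%s)(mail=%s))' % (
        escape_filter_value(recipient), escape_filter_value(catch_all))

def pick_entry(entries, recipient, catch_all):
    """Choose by explicit preference, never by position in the result set."""
    by_mail = {e['mail'].lower(): e for e in entries}
    return by_mail.get(recipient.lower()) or by_mail.get(catch_all.lower())

# Constructed result set, as a server might return it for the OR filter.
SAMPLE = [
    {'mail': 'nobody@example.test', 'cn': 'catch-all'},
    {'mail': 'scott@example.test', 'cn': 'scott'},
]

def resolve_all_orders(recipient, catch_all, entries):
    """Run pick_entry over every ordering of entries; return the cn values chosen."""
    chosen = set()
    for ordering in permutations(entries):
        entry = pick_entry(list(ordering), recipient, catch_all)
        chosen.add(entry['cn'] if entry else None)
    return chosen

if __name__ == '__main__':
    print(build_filter('scott@example.test', 'nobody@example.test'))
    print(resolve_all_orders('scott@example.test', 'nobody@example.test', SAMPLE))
    print(resolve_all_orders('missing@example.test', 'nobody@example.test', SAMPLE))
```

A single chosen value for every ordering is the property that return-order inference cannot give; a client limited to one filter field, as in the thread, has no place to run this selection.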
