Yeah, they didn't list every possible character in that article, only a few of them that you *always* have to escape. A space can make it through fine as long as it isn't the initial character (or characters) as the API call trims the string of initial whitespace. The funny thing about that is that I previously bugged a problem where they *don't* trim the whitespace on the end of a query so if you have something like "FALSE " for a boolean value, it will fail. The response from MS when I bugged it was that to them, they have to treat a space as any normal character and can't do anything special with it. When I pointed out that they did it for spaces in front of something else they didn't respond. I think I might try to reopen that bug and push it some more.

Anyway, they sort of cover that case with the line under the chart "In addition, arbitrary binary data may be represented using the escape sequence syntax by encoding each byte of binary data with the backslash followed by two hexadecimal digits." Since any data you send for a string could be handled as binary data (A=65, a=97, etc.) they covered themselves. There are actually some fun issues around this that I have seen several companies run into when writing queries to find home drives on servers with names that start with A-F. I actually bugged that as well because I think it is handled incorrectly but that is another story.

As an FYI, I did bug the ADUC issues with the query generation for the custom filter for Users and Contacts as well as the issue with the space. The filters absolutely aren't right and ADUC should produce them correctly. Recall that ADUC is simply someone's interpretation of how AD should be represented in GUI form. Things in there and things it produces cannot be looked at as being the definition of correct. What it does could be correct, but it could just as easily be incorrect as well. One generally hopes for it to be more correct than not.

Dean explained what happens with objectcategory. I will give an explicit example of how to show that is happening and how user truly isn't valid as an objectcategory.

First to see it happening, use the STATS control and do any query of objectcategory=user, or any objectcategory=anyldapdisplayname, you will see the resulting query will look like
C:\WINDOWS\ADAM>adfind -default -f objectcategory=user -stats+only

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) February 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Statistics
=================================
Elapsed Time: 171 (ms)
Returned 7142 entries of 7160 visited - (99.75%)

Used Filter:
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)

Used Indices:
idx_objectCategory:4660:N

Analysis
---------------------------------
Hit Rate of 99.75% is Efficient

Indices used:

Index Name  : idx_objectCategory
Record Count: 4660 (estimate)
Index Type  : Normal Attribute Index

Filter Breakdown:
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)

Now try a query of objectcategory=cn=user,CN=Schema,CN=Configuration,DC=joe,DC=com

That same lookup on defaultObjectCategory doesn't occur because it assumes since you specified an actual DN (the proper format) you know exactly what you want....

C:\WINDOWS\ADAM>adfind -default -f objectcategory=CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com -stats+only

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) February 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Statistics
=================================
Elapsed Time: 0 (ms)
WARN: If this is pre-SP1 Windows Server 2003, there is a bug for entries visited/returned
Returned 0 entries of 0 visited - (0.00%)

Used Filter:
(objectCategory=CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com)

Used Indices:
idx_objectCategory:0:N

Analysis
---------------------------------
Hit Rate of 0.00% is Inefficient

Indices used:

Index Name  : idx_objectCategory
Record Count: 0 (estimate)
Index Type  : Normal Attribute Index

Filter Breakdown:
(objectCategory=CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com)

joe
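
[Added example, not part of the original message or of AdFind/dsquery: a filter-value escaper that applies the backslash plus two hex digits rule quoted above, including leading and trailing spaces, so a lone space becomes \20 and a backslash becomes \5c. The function names and sample values are constructed for illustration, and decode_hex_escapes applies only the two-hex-digit rule to show how an unescaped UNC path would be read; the thread does not describe the server's exact parsing.]

```python
import re

# Characters the filter syntax always requires escaping: * ( ) \ NUL
SPECIAL = {"*", "(", ")", "\\", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use after '=' in an LDAP search filter."""
    lead = len(value) - len(value.lstrip(" "))   # number of leading spaces
    trail_start = len(value.rstrip(" "))         # index where trailing spaces begin
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and (i < lead or i >= trail_start)
        if ch in SPECIAL or edge_space or not (0x20 <= ord(ch) <= 0x7E):
            # Backslash + two hex digits for each UTF-8 byte of the character.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def decode_hex_escapes(escaped: str) -> bytes:
    """Apply only the backslash + two hex digits rule and return raw bytes."""
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  escaped.encode("utf-8"))


def display_name_filter(name: str) -> str:
    """Build the user/displayName filter discussed in the thread."""
    return "(&(objectClass=user)(displayName=%s))" % escape_filter_value(name)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in [" ", "FALSE ", "Smith (Ops)*", r"\\dc01\home"]:
        print(repr(sample), "->", escape_filter_value(sample))
    print(display_name_filter(" "))
    # An unescaped UNC path: "\dc" is read here as the single byte 0xDC.
    print(decode_hex_escapes(r"\\dc01\home"))
```
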
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sitton Glen E
Sent: Wednesday, February 08, 2006 1:06 PM
To: [email protected]
Subject: RE: [ActiveDir] DSQUERY filter for space character only
Thanks Joe. I did use that MSDN article before I posted, but it didn't list the escape
sequence for the space character. Knowing what I know now, I probably
should have pieced it together considering that %20 is the space character
in a URL.
Interesting that 'user' is not a valid
objectcategory. When I had ADUC create the query for me, it automatically
generated the filter that included objectCategory=user. New Query / Custom Search /
then Display Name Is Exactly (space character).
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 07, 2006 5:39 PM
To: [email protected]
Subject: RE: [ActiveDir] DSQUERY filter for space character only
The tricky piece here is the space, the displayname=\20 mechanism would work as well as the very cute little query Dean posted of displayname<=!. Check out http://msdn.microsoft.com/library/default.asp?url="">. It talks a little about constructing queries.

The other thing that stuck out to me, and appears to have stuck out to you, is the fact that everyone was using objectcategory=user. The user class isn't a valid objectcategory. Luckily AD figures that out for you and changes the query to objectcategory=person. However, that may not be the query the OP wanted because that will return matching users and contacts.

Since displayname is indexed, you could probably get away with the query (&(objectclass=user)(displayname=\20)). The tried and true test would be to submit that query up against (&(objectcategory=person)(objectclass=user)(displayname=\20)) or even (&(sAMAccountType=805306368)(displayname=\20)) with the STATS control and see what indexes get used; I would expect displayName generally.

I just did a trace and took a peek and the displayname=" " doesn't even get to the server, the client dumps it as a bad query before then.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Tuesday, February 07, 2006 2:19 PM
To: [email protected]
Subject: RE: [ActiveDir] DSQUERY filter for space character only
Have you tried:
(&(objectCategory=Person)(objClass=User)(displayName=\\
))
David Aragon
Your ability to perceive a solution is
limited
only by your understanding of the problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 9:17 AM
To: [email protected]
Subject: [ActiveDir] DSQUERY filter for space character only
I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax.

When ADUC builds the ldap query itself, it fails:
(&(objectCategory=user)(displayName= ))
The query filter ... is not a valid query string.

I've tried:
" "
' '
%20
+
and escaping it with a \ or a ^

Any ideas?

Thanks in advance,
- Glen
