Sturgis, Grant wrote:
Greetings,
I'm having some confusion trying to integrate an Oracle product with our
AD infrastructure, and I think it's coming down to allowable characters.
When I do something like this:
    ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password \
        -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' \
        "(objectClass=group)"
I get a list of groups in that OU and the attributes of those groups,
including members. Because the cn of our users is Last, First, that
is how they are listed, but with a backslash presumably escaping the
comma, like this:
member: CN=Sturgis\, Grant,OU=Users-Active,DC=domain,DC=com
What I really want to do is an AND query for group and member, and I
would guess it should be like this:
    ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password \
        -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' \
        "(&(objectclass=group)(member=CN=Sturgis\, Grant,OU=Users-Active,DC=domain,DC=com))"
The result is:
ldapsearch: ldap_search_ext: Bad search filter (-7)
I've noticed that if I change the cn by removing the comma, then
changing the query to:
    ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password \
        -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' \
        "(&(objectclass=group)(member=CN=Sturgis Grant,OU=Users-Active,DC=domain,DC=com))"
It works fine.
Any comments on commas and backslash escaped commas? Are these illegal
LDAP characters or known problems? Any other words of advice?

No need to escape commas in filters. It's allowed. In fact, the only
characters you need to escape are 0x00, '(', ')', '*' and escape (0x27).
For any character above 0x7F, there is no problem. If you want to use
one of the forbidden chars, just type \XX, where XX is the hex value of
the escaped char.
Everything is described in detail in RFC 4515
(http://www.rfc-editor.org/rfc/rfc4515.txt)
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
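
Added example, not part of the thread: a Python sketch of RFC 4515 value escaping applied to the member DN from the question. RFC 4515 lists NUL, '(', ')', '*' and backslash (0x5c) as the octets to write as a backslash plus two hex digits, so the backslash already present in the DN becomes \5c while the comma stays as it is. Function names are hypothetical and the hostile input is constructed.

```python
import re

# RFC 4515 section 3: NUL, '(', ')', '*' and backslash must be written as a
# backslash followed by the two hex digits of the octet.
_SPECIALS = "\x00()*\\"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for embedding in an LDAP search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _SPECIALS else ch for ch in value
    )


def invalid_escapes(ldap_filter: str) -> list:
    """Return every backslash sequence that is not backslash + 2 hex digits."""
    return re.findall(r"\\(?![0-9A-Fa-f]{2}).?", ldap_filter)


def group_member_filter(member_dn: str) -> str:
    """Build the AND filter from the thread for a DN as the directory lists it."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(member_dn)


# DN exactly as it appears in the member attribute in the thread.
DN = r"CN=Sturgis\, Grant,OU=Users-Active,DC=domain,DC=com"

# Filter as typed in the thread: "\," is not a valid RFC 4515 escape.
RAW = "(&(objectclass=group)(member=%s))" % DN

if __name__ == "__main__":
    print("invalid escapes in typed filter:", invalid_escapes(RAW))
    print("escaped filter:", group_member_filter(DN))
    # Constructed hostile value: without escaping it would add filter terms.
    print("hostile value:", escape_filter_value("*)(objectClass=*"))
```

Pass the escaped filter to ldapsearch inside single quotes so the shell leaves the backslash untouched.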