Bad filter in Active Directory: (!company=mycompany)

2008-10-24 Thread A. Farber 
Hello,

I've written a short script to prepend "ext-" to mail addresses
of all external colleagues in Microsoft Active Directory:

filter  => '(&(objectCategory=Person)(objectClass=User))',

$mail = "ext-$mail"
if $entry->get_value('company') !~ /mycompany/i
&& $mail !~ /^ext-/;

For better performance I'd like to move
the company test to the search filter:

filter  =>
'(&(objectCategory=Person)(objectClass=User)(!company=mycompany))',

Unfortunately it fails with: Bad filter at 

If I remove "!" it works ok. If I try that filter with dsquery:

dsquery * domainroot -filter "(&(objectCategory=Person)
(objectClass=User)(!company=mycompany))

- then it works too. Has anybody seen the same problem?

Thank you
Alex


PS: Here is my entire script:

#!/usr/bin/perl -wT

use strict;
use Net::LDAPS;

$ENV{PATH} = '/bin:/usr/bin';

use constant ROOTDN   => 'OU=Imported,OU=User
Accounts,DC=mycompany,DC=com';
use constant DOMAIN   => 'mycompany.com';
use constant SERVER   => ['wdc01.' . DOMAIN, 'wdc02.' . DOMAIN];
use constant ADMIN=> 'Admin';
use constant ADMPW=> 'X';

my ($rot13, $ldap, $search, $mod, $href);

($rot13 = ADMPW) =~ y/A-Za-z/N-ZA-Mn-za-m/;
$ldap = Net::LDAPS->new(SERVER) or
die('Can not connect to LDAP server');
$ldap->bind(ADMIN . '@' . DOMAIN, password => $rot13) or
die('Can not bind to LDAP server as ' . ADMIN);

$search = $ldap->search(
base=> ROOTDN,
attrs   => [qw(company mail givenName sn)],
filter  => '(&(objectCategory=Person)(objectClass=User)(!
company=mycompany))',
);
$search->code() && die $search->error();

foreach my $entry ($search->entries()) {
my $mail = lc $entry->get_value('mail');

# prepend "ext-" if not "mycompany" and "ext-" isn't there yet
$mail = "ext-$mail"
 if $entry->get_value('company') !~ /mycompany/i
  && $mail !~ /^ext-/;

$mod = $ldap->modify($entry, replace => { mail => $mail });
$mod->code() && die 'Failed to modify user: ' . $mod->error();

printf "%-15s %-15s %-15s %s\n",
$entry->get_value('company'),
$entry->get_value('givenName'),
$entry->get_value('sn'),
$mail;
}

$ldap->unbind();

Re: Bad filter in Active Directory: (!company=mycompany)

2008-10-24 Thread Dieter Kluenter 
"A. Farber" <[EMAIL PROTECTED]> writes:

> Hello,
>
> I've written a short script to prepend "ext-" to mail addresses
> of all external colleagues in Microsoft Active Directory:
>
> filter  => '(&(objectCategory=Person)(objectClass=User))',
> 
> $mail = "ext-$mail"
> if $entry->get_value('company') !~ /mycompany/i
> && $mail !~ /^ext-/;
>
> For better performance I'd like to move
> the company test to the search filter:
>
> filter  =>
> '(&(objectCategory=Person)(objectClass=User)(!company=mycompany))',
>
> Unfortunately it fails with: Bad filter at 
>
> If I remove "!" it works ok. If I try that filter with dsquery:
>
> dsquery * domainroot -filter "(&(objectCategory=Person)
> (objectClass=User)(!company=mycompany))

Your filter is wrong, ((objectclass=user)(!(company=mycompany)))
RFC-4515, section 3 and 4.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

Re: Bad filter in Active Directory: (!company=mycompany)

2008-10-24 Thread Graham Barr 

On Oct 23, 2008, at 9:49 AM, A. Farber wrote:


If I remove "!" it works ok. If I try that filter with dsquery:

dsquery * domainroot -filter "(&(objectCategory=Person)
(objectClass=User)(!company=mycompany))

- then it works too. Has anybody seen the same problem?


dsquery is being lenient here. For the filter to be cirrect the test  
you are trying to ! must also be inside ()'s


  "(&(objectCategory=Person)(objectClass=User)(!(company=mycompany)))"

Graham.