Hi all,

I’m a C++ dev who is adding support for Samba in one of the products of the company I work for. I’m pretty new to the LDAP world, and I feel a bit lost.

I am trying to make a query to a Samba server using a filter. The filter should be “get me the users that are not computers”, and I’m trying to have the same query for both MS AD and Samba LDAP. The original filter is:

    (&(objectClass=user)(!(objectClass=computer)))

If I remove the negated part about computer and change user with person it works well, but as soon as I try to use something in the negated —the second— part, it fails if it’s not in the schema for objectClass. So, this filter works:

    (&(objectClass=person)(!(objectClass=device)))

But if I write “foobar” instead of “device”, it returns an empty set.

My questions are:
- Can I avoid getting an empty set if “computer” is not part of the objectClass schema?
- I’ve seen that the objectClass “person” and “device” are listed in the RFC 2256 7.7 and 7.15. Can I assume that the Samba LDAP servers will be configured using these two values to identify persons and devices? Or for each installation the admin usually modifies these?

This is the command I use to test the filters (not to build and test the product every time), modulo private data:

    ldapsearch -h 10.2.2.222 -p 389 -D 'UID=Administrator,CN=users,DC=company,DC=ch' -b 'DC=company,DC=ch' -w supersecret -x '(&(objectClass=person)(!(objectClass=device)))'

Thank you very much in advance, and sorry if this is too boring or trivial,

Juan Garcia

On 04/04/17 at 16:17, Juan García-Pardo via samba wrote:
> The filter should be “get me the users that are not computers”

Try this:

http://www.selfadsi.org/extended-ad/search-user-accounts.htm

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007

Hi Luca,

thank you very much for the tip. I’ve tried to run it with the filter the web page suggests and I got an empty set. I took a look at one of the user objects and I couldn’t see any samAccountType there.

> On 04 Apr 2017, at 19:54, Luca Olivetti via samba <samba at lists.samba.org> wrote:
>
> On 04/04/17 at 16:17, Juan García-Pardo via samba wrote:
>> The filter should be “get me the users that are not computers”
>
> Try this:
>
> http://www.selfadsi.org/extended-ad/search-user-accounts.htm

In fact I couldn’t see any samAccountType even in the attribute types. The closest thing I saw was a sambaSamAccount, as value of objectClass. Also I couldn’t find any objectCategory attribute.

The web page mentions that one way to get the users would be to use the filter “(&(objectClass=user)(objectCategory=person))”, but that filter returns an empty set. And also by just using “(objectClass=user)” I get the same results.

What I am doing now is retrieving the subschema for the objectClasses and looking for the existence of either user or person, and then using whichever was found for the filter (the same for computer and device).

I might be doing something wrong, can you point me to the mistake?

>
> Bye
> --
> Luca Olivetti
> Wetron Automation Technology http://www.wetron.es/
> Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Thank you very much,
Juan Garcia

On 4/4/2017 10:17 AM, Juan García-Pardo via samba wrote:
> Hi all,
> I’m a C++ dev who is adding support for Samba in one of the products of the company I work for. I’m pretty new to the LDAP world, and I feel a bit lost.
> I am trying to make a query to a Samba server using a filter. The filter should be “get me the users that are not computers”, and I’m trying to have the same query for both MS AD and Samba LDAP. The original filter is:
> (&(objectClass=user)(!(objectClass=computer)))
> If I remove the negated part about computer and change user with person it works well, but as soon as I try to use something in the negated —the second— part, it fails if it’s not in the schema for objectClass. So, this filter works:
> (&(objectClass=person)(!(objectClass=device)))
> But if I write “foobar” instead of “device”, it returns an empty set.
> My questions are:
> - Can I avoid getting an empty set if “computer” is not part of the objectClass schema?
> - I’ve seen that the objectClass “person” and “device” are listed in the RFC 2256 7.7 and 7.15. Can I assume that the Samba LDAP servers will be configured using these two values to identify persons and devices? Or for each installation the admin usually modifies these?
>
> This is the command I use to test the filters (not to build and test the product every time), modulo private data:
> ldapsearch -h 10.2.2.222 -p 389 -D 'UID=Administrator,CN=users,DC=company,DC=ch' -b 'DC=company,DC=ch' -w supersecret -x '(&(objectClass=person)(!(objectClass=device)))'
>
> Thank you very much in advance, and sorry if this is too boring or trivial,
>
> Juan Garcia
>
>

What about (objectCategory=Person)(objectClass=User). This link may also be helpful.

--
--
James
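
Added example, not part of the thread or any poster's code: the approach described in the second message from Juan (read the objectClasses values from the subschema, then use whichever of user/person and computer/device is defined), written in Python. It drops the negated term when neither computer class is defined, since the thread reports that negating an unknown class returns an empty set. The function names and the sample schema strings are constructed for illustration.

```python
import re

# RFC 4512 ObjectClassDescription: NAME 'x'   or   NAME ( 'x' 'y' )
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

# Constructed, abbreviated subschema values (not captured from a real server).
SAMBA_LDAP_CLASSES = [
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )",
    "( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn )",
    "( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY )",
]
AD_CLASSES = [
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL )",
    "( 1.2.840.113556.1.5.9 NAME 'user' SUP organizationalPerson STRUCTURAL )",
    "( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL )",
]

def class_names(descriptions):
    """Lower-cased set of every object class name in the subschema values."""
    names = set()
    for desc in descriptions:
        m = _NAME_RE.search(desc)
        if not m:
            continue  # malformed or nameless description: ignore it
        if m.group(1):
            names.add(m.group(1).lower())
        else:  # parenthesised list of alternative names
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names

def first_known(candidates, known):
    """First candidate class the server's schema defines, else None."""
    return next((c for c in candidates if c.lower() in known), None)

def build_user_filter(descriptions):
    """Filter for 'users that are not computers' using only defined classes."""
    known = class_names(descriptions)
    user_cls = first_known(("user", "person"), known)
    if user_cls is None:
        raise ValueError("schema defines neither 'user' nor 'person'")
    positive = f"(objectClass={user_cls})"
    computer_cls = first_known(("computer", "device"), known)
    if computer_cls is None:
        return positive  # nothing to exclude; avoid negating an unknown class
    return f"(&{positive}(!(objectClass={computer_cls})))"

if __name__ == "__main__":
    print(build_user_filter(SAMBA_LDAP_CLASSES))
    print(build_user_filter(AD_CLASSES))
```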