JavaRanch » Java Forums » Engineering » Security
LDAP question on syntax in search filter

Melinda Savoy
Ranch Hand

Joined: Jun 21, 2005
Posts: 386

This is my first attempt in trying to query our LDAP server for AD info. When I am trying to query the LDAP server here is what I'm trying to retrieve:

I am trying to retrieve all active employees with a countlimit of 500 records whose displayname starts with "sav", has an email address and has a userAccountControl attribute of 512. The problem I'm encountering is that I'm only getting back 8 records total. I should literally be getting back at least 35+ records.

I'm sure I've done something wrong in my syntax but I cannot find what it is. Any HELP/DIRECTION would be appreciated.

After googling I've defined the SEARCH FILTER as:



Please see my complete method below:



Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541
    
    8

I would suggest looking at the 8 records you did get and the others that you expected to get but didn't get, and try to see what's the difference between the two sets. It could be something as obscure as trailing blanks in one of the attributes.

You could also remove the call to "setCountLimit" to see if that's limiting what you get back. Perhaps the count limit applies to the total count before the search filter is applied? Yes, I know that's a wild guess and I haven't read the API docs and so on...
Melinda Savoy
Ranch Hand

Joined: Jun 21, 2005
Posts: 386

Paul,

I should only be getting back 10 records and I got 8. I looked at the 2 that were different and did not come back and they each had an email address and each had a userAccountControl value of 512. I did not notice ANY trailing or leading white spaces.

If there were any, how can I trim them in my search filter? Thanks again for your help and time in responding. Regards.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541
    
    8

The possible reasons for the LDAP thing ignoring some records which you think should be included aren't limited to rogue whitespace. There could be others. I have no idea what they might be, though, that's why I suggested you look at the ignored records.

If you don't see anything different (even after you look at the attributes which you didn't think you were selecting) then try different queries which you think should select a certain subset of records and see what happens. Try making a query with some of the criteria removed from your original query, or with different criteria added and see if you get what you think you should get.
Melinda Savoy
Ranch Hand

Joined: Jun 21, 2005
Posts: 386

Paul, thanks for all the help. I downloaded a free AD tool to view everything in AD that I needed, and it showed me that the data was not the problem; I was just not hitting all the OUs that I needed, because there is NOT just one OU where all our users are stored.

Consequently, after googling some more I found a page on the Oracle site regarding LDAP and I changed my LDAPContext to DirContext for my connection to do searches within the directory as well as using this context's REFERRAL and set the value to "follow" to avoid the PartialSearchException.

I thought I'd post my findings just in case some other newbie ran into the same issue.

If you see a downside to the changes I made please let me know. Regards.

Here is my corrected connection method that I did not include above:



Please see my corrected method below:

 
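The code from the thread did not survive extraction, so the following is an added example (not Melinda's code and not from any library this thread names) that puts the final post's fix into one JNDI search: a DirContext with Context.REFERRAL set to "follow", a SUBTREE_SCOPE search from the domain root so every OU is covered, a count limit of 500, and the three criteria from the first post (displayName prefix, mail present, account enabled). The host, bind DN, base DN and environment variable are constructed placeholders. Two points the thread itself does not make: the prefix is passed as a filter argument ({0}) so JNDI escapes LDAP filter metacharacters in it, which matters whenever the prefix comes from user input; and because userAccountControl is a bit field, userAccountControl=512 matches only accounts with no other flag set (an enabled account with "password never expires" is 66048 and would be skipped), so the example tests the ACCOUNTDISABLE bit with AD's bitwise-AND matching rule instead.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdUserSearch {

    // Constructed placeholder values; replace with your own directory settings.
    private static final String LDAP_URL = "ldaps://ad.example.com:636";
    private static final String BIND_DN  = "CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=com";
    private static final String BASE_DN  = "DC=example,DC=com"; // domain root, so every OU is under it

    /** Opens a DirContext with referral following, as the last post in the thread describes. */
    static DirContext connect(String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // AD hands back referrals for other partitions during a subtree search;
        // "follow" chases them instead of throwing PartialResultException.
        env.put(Context.REFERRAL, "follow");
        return new InitialDirContext(env);
    }

    /**
     * Lists enabled users whose displayName starts with prefix and who have a mail attribute.
     * The prefix goes in as filter argument {0}, so JNDI escapes '*', '(', ')', '\' and NUL in it;
     * the trailing '*' for "starts with" stays in the filter template where no input can touch it.
     */
    static void findUsers(DirContext ctx, String prefix, long countLimit) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // descend into every OU below BASE_DN
        sc.setCountLimit(countLimit);                     // 500 in the original question
        sc.setReturningAttributes(new String[] {"displayName", "mail", "userAccountControl"});

        // 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule; bit 2 is ACCOUNTDISABLE.
        // Negating it selects every enabled account regardless of the other flags set.
        String filter = "(&(objectClass=user)(objectCategory=person)"
                      + "(displayName={0}*)"
                      + "(mail=*)"
                      + "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, filter, new Object[] {prefix}, sc);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                Attributes a = r.getAttributes();
                System.out.println(r.getNameInNamespace() + " : "
                        + a.get("displayName").get() + " <" + a.get("mail").get() + ">"
                        + " uac=" + a.get("userAccountControl").get());
            }
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder: the bind password is read from the environment rather than hard-coded.
        DirContext ctx = connect(System.getenv("LDAP_BIND_PASSWORD"));
        try {
            findUsers(ctx, "sav", 500);
        } finally {
            ctx.close();
        }
    }
}
```

If the count of results still looks short, drop setCountLimit and the displayName clause one at a time, as Paul suggested, and compare the DNs that come back against what the AD browser shows: a missing OU shows up immediately as a DN suffix that never appears in the output.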