LDAP Search wildcard not working

Question

I am trying to search my LDAP directory and I am unable to search with substring filters when the value is a set of attributes and values.

Scenario: In my python script, I am able to search the LDAP server. Therefore, I will omit code regarding the connection, DN configuration amongst others and focus on the Filter.

Filter1: (works)

'(&(objectClass=person)(managedObjects=CN=SKSOBHEE-MOBL,OU=Mobile,OU=Production,OU=Windows 7,OU=IT Client,OU=Resources,DC=emea,DC=xx,DC=yy,DC=com)(objectClass=organizationalPerson)(objectClass=user))'

Filter2: (fails)

'(&(objectClass=person)(managedObjects=CN=SKSOBHEE-MOBL*)(objectClass=organizationalPerson)(objectClass=user))'

Searching with Filter1 returns a user but fails with Filter2 when I use the substring.

Searching is done using:

l.search_s(BASE_DN, SCOPE, Filter1, Attrs)

I would appreciate some help on this!

Thank you.

It is "substring", not "wildcard". LDAP filters do not use wildcards. Does `managedObjects` have a substring matching rule? Most DN syntax attributes do not use a substring rule when matching DNs. — Terry Gardner, Nov 13 '13 at 15:26
Thanks for the response. How can I know if an attribute has a matching rule? I am using `LDAP Admin for Windows` to visually see the tree. — Shailen, Nov 13 '13 at 15:29
The attribute syntax definition for `managedObjects` should contain the attribute syntax and all the matching and ordering rules. If there is no substring matching rule, then substrings will not work in the filter. — Terry Gardner, Nov 13 '13 at 15:30
Using LDAP Admin's Schema Viewer, I have details about the `managedObjects` attribute. Link: http://s14.postimg.org/utfu3swip/pscreen.png . I see that the `Substring` subattribute is empty. Is that the reason why I cannot use wildcards? — Shailen, Nov 13 '13 at 15:35
If I am understanding that image, yes is the answer to your question. For equality filters, there must be an equality match, for substring filters, a substring match, etc. In this case, it's `substring`. — Terry Gardner, Nov 13 '13 at 16:34
This question should not be put on hold: the answer is an important piece of LDAP daily working knowledge. — Terry Gardner, Nov 13 '13 at 16:46

Terry Gardner · Answer 1 · 2013-11-20T15:28:15.603

Instead of wildcard, use substring instead when asking about these types of filters.

When a substring filter is used, a substring matching rule must be defined for the attribute used in the filter. For equality filters, there must be an equality match, for substring filters, a substring match, etc.

Here is an example of an attribute definition of name with an equality and a substring rule:

attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
  X-ORIGIN 'RFC 4519' )

If a matching rule is not included for the type of filter, the search won't work as you might think.

LDAP Search wildcard not working

1 Answers1

see also