LDAP_MATCHING_RULE_DN_WITH_DATA

  • Last Post 14 February 2019
  • Topic Is Solved
Dima Razbornov posted this 17 March 2016

Hello, AD guys! Can someone show me an example of the filter syntax for LDAP_MATCHING_RULE_DN_WITH_DATA?

Maybe Crisse ;)
I've found this answer and I understand how another OID (LDAP_MATCHING_RULE_TRANSITIVE_EVAL) is used in this example:

(member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x))

LDAP_MATCHING_RULE_TRANSITIVE_EVAL

1.2.840.113556.1.4.1941

So, cool, how could I use LDAP_MATCHING_RULE_DN_WITH_DATA?

I have tried, but my filter doesn't work, and I haven't seen a detailed description despite my google-foo skills.

 

dloder posted this 14 February 2019

The obvious answer to your problem is to change your search base to the OU you need.  That's exactly what it's for.  Otherwise you'll need to do post-processing to remove those you don't want.
-- dloder.blogspot.com --



barkills posted this 14 February 2019

You might read

https://ldap.com/basic-ldap-concepts/. Or the book I wrote: LDAP Directories Explained.



 

To answer your question possibly without enough context, scope refers to how "deep" in the directory hierarchy from the base DN a given search will go. Subtree means "go all the way". Onelevel means "just the immediate children". Base means "just the 1 object at the base DN."

 

Now that you've provided more details, your filter isn't valid. If you want all groups under OU=groups,OU=TEST,OU=TEST,DC=dc,DC=local, then you'd issue a search with these parameters:

 

baseDN: OU=groups,OU=TEST,OU=TEST,DC=dc,DC=local

filter: (objectclass=group)

 

Brian

 

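dloder's post says the alternative to narrowing the search base is post-processing, and Brian's post above explains what base, onelevel and subtree mean. The following is an added example, not code from either poster, that does that post-processing client-side: it emulates the three scopes on the DNs returned by a wide search and keeps only objects under the containers the thread is about (OU=groups under OU=TEST, plus CN=Users). The DNs are constructed for the example. It compares RDN lists rather than doing a plain string suffix check, because an object whose name contains an escaped comma (something anyone allowed to create objects can arrange) makes a naive `endswith()` check report the wrong container.

```python
"""Added example: emulate base / onelevel / subtree scope on result DNs.

When the search base cannot be narrowed (the thread's case: groups from one
OU plus users from CN=Users), the results of a wide subtree search must be
filtered client-side. Compare RDN lists, not raw strings: a plain
str.endswith() check is fooled by names containing an escaped comma.
All DNs below are constructed for this example.
"""
from __future__ import annotations


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514), trimming spaces."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs such as '\,' intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [r.strip() for r in rdns if r.strip()]


def _normalized(dn: str) -> list[str]:
    # AD compares DNs case-insensitively; good enough for the containers here.
    return [r.lower() for r in split_rdns(dn)]


def in_scope(dn: str, base_dn: str, scope: str = "subtree") -> bool:
    """True if dn lies inside base_dn under the given LDAP search scope."""
    obj, base = _normalized(dn), _normalized(base_dn)
    if len(obj) < len(base) or obj[len(obj) - len(base):] != base:
        return False
    depth = len(obj) - len(base)          # 0 = the base object itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def select_in_scope(dns, bases, scope: str = "subtree") -> list[str]:
    """Keep the DNs that fall under any of the wanted containers."""
    return [dn for dn in dns if any(in_scope(dn, b, scope) for b in bases)]


def naive_suffix_match(dn: str, base_dn: str) -> bool:
    """The tempting but wrong check, kept only to show where it fails."""
    return dn.lower().endswith("," + base_dn.lower())


GROUPS_OU = "OU=groups,OU=TEST,DC=domain,DC=local"
USERS_CN = "CN=Users,DC=domain,DC=local"

# Constructed results of a subtree search with base DC=domain,DC=local.
SAMPLE_DNS = [
    "CN=Admins,OU=groups,OU=TEST,DC=domain,DC=local",
    "CN=Nested,OU=sub,OU=groups,OU=TEST,DC=domain,DC=local",
    "CN=Old Admins,OU=groups_old,OU=TEST,DC=domain,DC=local",
    "CN=Tricky\\,OU=groups,OU=TEST,DC=domain,DC=local",   # lives in OU=TEST; its CN contains ','
    "CN=jdoe,CN=Users,DC=domain,DC=local",
    "CN=svc,OU=groups,OU=MyOU,DC=domain,DC=local",
]

if __name__ == "__main__":
    for dn in select_in_scope(SAMPLE_DNS, [GROUPS_OU, USERS_CN]):
        print("keep:", dn)
    print("naive check misplaces 'Tricky':", naive_suffix_match(SAMPLE_DNS[3], GROUPS_OU))
```

With the same raw results, `scope="onelevel"` keeps only CN=Admins, and the object whose name contains `\,` is correctly left out even though `naive_suffix_match` claims it sits in OU=groups.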

bonzartu posted this 14 February 2019

Choose scope=subtree, not scope=base nor scope=onelevel.

If that does not result in results from the nested location, then either your search filter is incorrect or the account doing the search doesn’t have permissions to read the objects (or attributes in the filter).

Brian Arkills

As far as I understand, scope is for some CLI utilities. And I don't understand "subtree" of what? Can you give an example, please? It seems I don't understand what you wrote. In my case I only set the filter part. I'll just try to describe it in other words:

Is it possible to filter with a mask? Also, sorry, I made some mistakes in my description; English is not my first language. This variant is the true one:

baseDN:   DC=dc,DC=local

groups filter:  CN=*,OU=groups,OU=TEST,DC=dc,DC=local

because I need to exclude groups which are in another OU, but under the same baseDN:     OU=groups,OU=MyOU,DC=dc,DC=local

It is not possible to change the baseDN to the appropriate OU because I also need to search users placed at CN=Users,DC=dc,DC=local.

I know that AD does not allow an asterisk in a DN, but maybe some extended matching rules do?

 

barkills posted this 14 February 2019

Choose scope=subtree, not scope=base nor scope=onelevel.

 

If that does not result in results from the nested location, then either your search filter is incorrect or the account doing the search doesn’t have permissions to read the objects (or attributes in the filter).

 

Brian Arkills

 


bonzartu posted this 14 February 2019

This is not the case. That matching rule is for searching on the data side of DN with binary or DN with string attributes in AD. See
https://msdn.microsoft.com/en-us/library/dn393403.aspx?f=255&MSPPError=-2147217396 for more info.
You don’t need to do anything special for your scenario.
Thanks,
Brian Desmond
(w) 312.625.1438 | (c) 312.731.3132

Sorry, I gave a bad description. I need to find groups in

"OU=groups,OU=TEST,DC=domain,DC=local", but not find groups which are in

"OU=groups_old,OU=TEST,DC=domain,DC=local" in the case when the base DN for the connection is

"OU=TEST,DC=domain,DC=local".

In this case can I solve it with a filter? Is LDAP_MATCHING_RULE_DN_WITH_DATA what I need?

bdesmond posted this 14 February 2019

This is not the case. That matching rule is for searching on the data side of DN with binary or DN with string attributes in AD. See



https://msdn.microsoft.com/en-us/library/dn393403.aspx?f=255&MSPPError=-2147217396 for more info.

 

You don’t need to do anything special for your scenario.

 

Thanks,

Brian Desmond

 

(w) 312.625.1438 | (c) 312.731.3132

 

 


bonzartu posted this 14 February 2019

Hello!

Am I right to understand that LDAP_MATCHING_RULE_DN_WITH_DATA is good for the situation when I need to search groups in some OU, but the base DN is at some parent level above this OU?

E.g. I need to search groups in "OU=groups,OU=TEST,DC=domain,DC=local", but the base DN for the connection is "OU=TEST,DC=domain,DC=local".

Dima Razbornov posted this 22 March 2016

Something like a usual search, but without part of the query. I'm just trying to do my best and thinking about how I can use it with the lack of information on using this. My initial interest was in whether or not I can specify only part of a DN with this weird RULE.

chriss3 posted this 22 March 2016

So what is the purpose and/or the need of using LDAP_MATCHING_RULE_DN_WITH_DATA, what do you want to achieve?
Enfo Zipper
Christoffer Andersson – Principal Advisor


Dima Razbornov posted this 22 March 2016

Thanks, my fault! I totally forgot the LDP syntax. However, if you don't mind, I was looking for a solution with ADUC/script searches, and I'm interested in that LDAP rule. Can I use this filter for such purposes, what do you think?

chriss3 posted this 22 March 2016

The search base must be the configuration NC and it must be a subtree search. You can't do this in ADUC. This is how it's done with ldp.exe:
Enfo Zipper
Christoffer Andersson – Principal Advisor

Dima Razbornov posted this 22 March 2016

Thanks for your reply, Christoffer! :)

I didn't have an RODC in my lab, but the searcher didn't find anything with your query:

chriss3 posted this 21 March 2016

Note for the actual example: if you have RODCs, those will of course not host the schema NC as writable and will be missing that bit. This I guess is the whole purpose of "LDAP_MATCHING_RULE_DN_WITH_DATA": so you can filter on the data portion and distinguish objects which would only differ by the data. InstanceType bits: https://msdn.microsoft.com/en-us/library/cc219986.aspx
Enfo Zipper
Christoffer Andersson – Principal Advisor

chriss3 posted this 21 March 2016

Hi,

1. This must be targeted against a Windows Server 2012 R2 or later DSA.
2. This only works for linked attributes. For example the "wellKnownObjects" attribute is DN-Binary but isn't linked. So this bit is used to search linked attributes with a syntax of either DN-Binary or DN-String.

The query has the following format:

(A:1.2.840.113556.1.4.2253:=V)

A = the linked attribute
V = depends on the syntax of A:

  • If A is of type "DN-Binary" (https://msdn.microsoft.com/en-us/library/cc223180.aspx), V is B:charcount:binaryvalue:objectDN
  • If A is of type "DN-String" (https://msdn.microsoft.com/en-us/library/cc223178.aspx), V is S:bytecount:stringvalue:objectDN

So you wanted an example. For that we need to find a linked attribute with one of the above syntaxes that exists in AD by default. Let's pick "msDS-HasInstantiatedNCs" (note: this assumes you have at least one Windows Server 2003 DSA, but you will need to have that anyway for this bit to work, as stated above).

OK. So "msDS-HasInstantiatedNCs" is of type DN-Binary, where the data (binary) portion contains the instanceType of each NC a DSA hosts; the link itself points to the DN of that NC. This can be represented as "B:8:<InstanceTypeOfNCInHex>:<DNOfNC>", for example "B:8:0000000D:CN=Schema,CN=Configuration,DC=corp,DC=chrisse,DC=com".

So running a query against the config partition with a filter of:

(msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Schema,CN=Configuration,DC=corp,DC=chrisse,DC=com)

will give you a list of all DSAs hosting the schema NC. Something is weird if you don't get a count back that is equal to the number of WIN2K3+ DSAs in your forest.

Enfo Zipper
Christoffer Andersson – Principal Advisor

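As an added example (not code from Christoffer's post or from anyone else in the thread), the encoding described above carried through in Python: it builds the `B:charcount:hex:DN` and `S:count:string:DN` values, wraps them in the `(A:1.2.840.113556.1.4.2253:=V)` filter with RFC 4515 escaping of the assertion value, decodes a returned `msDS-HasInstantiatedNCs` value back into bytes and DN, and names the instanceType bits set in it. The script talks to no DC; the schema DN and instanceType values are those quoted in the post, the RODC-style value 0x09 is an illustrative number chosen to show a replica lacking the writable bit, and the bit names are shorthand for the MS-ADTS instanceType flags, not identifiers from any library. The filter string it prints is what you would paste into ldp.exe or pass to `Get-ADObject -LDAPFilter` with the configuration NC as the search base.

```python
"""Added example: build and decode LDAP_MATCHING_RULE_DN_WITH_DATA filters.

Implements the value formats given in the post above. Nothing here contacts
a directory; all inputs are constructed.
"""
from __future__ import annotations

LDAP_MATCHING_RULE_DN_WITH_DATA = "1.2.840.113556.1.4.2253"

# instanceType bit meanings as documented in MS-ADTS; the names are shorthand
# chosen for this example.
INSTANCE_TYPE_BITS = {
    0x01: "NC_HEAD",         # object is the head (root) of a naming context
    0x02: "UNINSTANTIATED",  # replica is not instantiated
    0x04: "WRITABLE",        # the NC is writable on this DSA
    0x08: "NC_ABOVE",        # the NC above this one is also held on this DSA
    0x10: "NC_COMING",       # NC is being constructed
    0x20: "NC_GOING",        # NC is being removed
}

# RFC 4515 escaping for an assertion value. The DN inside a DN-Binary value
# may itself contain '(' ')' '*' or '\', which would otherwise break the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_binary_value(data: bytes, dn: str) -> str:
    """Encode Object(DN-Binary): B:<number of hex chars>:<hex>:<DN>."""
    hexdata = data.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


def dn_string_value(text: str, dn: str) -> str:
    """Encode Object(DN-String): S:<number of chars>:<string>:<DN>."""
    return f"S:{len(text)}:{text}:{dn}"


def dn_with_data_filter(attribute: str, value: str) -> str:
    """(A:1.2.840.113556.1.4.2253:=V) with V escaped for use in a filter."""
    return f"({attribute}:{LDAP_MATCHING_RULE_DN_WITH_DATA}:={escape_filter_value(value)})"


def parse_dn_binary(value: str) -> tuple[bytes, str]:
    """Decode B:count:hex:DN into (bytes, dn), checking the count.

    Split on at most three colons so a DN that contains ':' stays intact.
    """
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError(f"malformed DN-Binary value: {value!r}")
    return bytes.fromhex(hexdata), dn


def instance_type_flags(data: bytes) -> set[str]:
    """Bit names set in a DWORD rendered as in the post (e.g. 0000000D,
    most significant byte first)."""
    value = int.from_bytes(data, "big")
    return {name for bit, name in INSTANCE_TYPE_BITS.items() if value & bit}


def schema_host_filter(schema_dn: str, instance_type: int = 0x0D) -> str:
    """The post's query: DSAs whose msDS-HasInstantiatedNCs link to schema_dn
    carries exactly this instanceType (0x0D = head + writable + NC above)."""
    data = instance_type.to_bytes(4, "big")
    return dn_with_data_filter("msDS-HasInstantiatedNCs", dn_binary_value(data, schema_dn))


if __name__ == "__main__":
    schema = "CN=Schema,CN=Configuration,DC=corp,DC=chrisse,DC=com"
    print(schema_host_filter(schema))
    raw, dn = parse_dn_binary("B:8:0000000D:" + schema)
    print(dn, sorted(instance_type_flags(raw)))
    # A replica without the WRITABLE bit (illustrative value, not a captured one)
    print(sorted(instance_type_flags(bytes.fromhex("00000009"))))
```

Because the rule matches the data portion exactly, a DSA holding the NC with a different instanceType (for instance one lacking the writable bit) does not match the 0x0D filter; to find those you issue a second query with that value, which is the distinction the RODC note above is about.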