0
votes

Assume I have an array of N DNs (distinguished names), e.g.:

cn=foo,dc=capmon,dc=lan
cn=bar,dc=capmon,dc=lan
cn=Fred Flintstone,ou=CapMon,dc=capmon,dc=lan
cn=Clark Kent,ou=yada,ou=whatnot,dc=capmon,dc=lan

They are not related and I cannot reduce/simplify the search. I have N complete DNs and want N records.

Can I write a single LDAP search that will return exactly N records, one for each DN? The assumption being that performance of both client and server will be better if I do it all in one search. Had it been SQL, it would be:

SELECT * 
FROM dc=capmon,dc=lan 
WHERE dn IN (
    "cn=foo,dc=capmon,dc=lan",
    "cn=bar,dc=capmon,dc=lan",
    "cn=Fred Flintstone,ou=CapMon,dc=capmon,dc=lan",
    "cn=Clark Kent,ou=yada,ou=whatnot,dc=capmon,dc=lan"
)

rather than doing individual LDAP searches in a for loop (which I do know how to do).

I tried against an MS Active Directory. There, all fields (seem to) have a distinguishedName attribute, and a search filter like this works (I added some newlines for readability):

(|
  (distinguishedName=cn=ppolicy,dc=capmon,dc=lan)
  (distinguishedName=cn=Users,dc=capmon,dc=lan)
  <more ORed terms>
)

But this doesn't work:

(|
  (dn=cn=ppolicy,dc=capmon,dc=lan)
  (dn=cn=Users,dc=capmon,dc=lan)
  <more ORed terms>
)

even though the returned records look like they contain dn attributes. :-(

An OpenLDAP server's records don't have distinguishedName attributes, and neither of the filters above works against it.

Can I do something that will work against most major LDAP servers?

1
You don't need to write a search at all. You can access each DN directly. - user207421
Yeah, that's what you wrote here also... But I still don't know how to "access a DN directly" without ldapsearch using ldap-utils or with Perl's Net::LDAP. How is that done, given N DNs? And can I access several DNs "directly" in one "access" PDU? - Peter V. Mørch
If you're asking about the OpenLDAP utilities you're off-topic, although I'm sure there is one that meets the case here. - user207421
I really still don't understand. How can I be off-topic when I'm the OP asking the question? Can you mention a tool that can "access each DN directly" against a standard LDAP database? Then I could perhaps use that tool. I'm not trying to be stubborn here, I just honestly don't know how to go about "access each DN directly". - Peter V. Mørch
It's off-topic unless it's a question about computer programming. Have a look through all the OpenLDAP utilities. You will find it. - user207421

1 Answer

1
votes

It's not possible to "Read" several entries in a single operation. You can do a single search operation that will match and return several entries, but you cannot search on the "DN" itself.

I've seen several applications that are trying to get several entries by using complex filters such as "(|(cn=foo)(cn=bar)(cn=Fred Flintstone))", but this may result in more entries, unless all CN values are unique. It's not really a good practice either, as there are limits in the number of elements you can have in the filter, and such requests are usually not optimized in terms of I/O.

It will be faster to read each individual entry, as LDAP servers are optimized for such operations. If you want to reduce the latency, you can issue multiple asynchronous search operations on the same connection.
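The following is an added example, not code from the question, the answer, or any LDAP library: it builds the two request shapes discussed above as plain Python so it runs offline. The first builder produces the single OR filter on distinguishedName that the question found to work against Active Directory, with each DN escaped per RFC 4515 so a DN taken from untrusted input cannot change the filter's meaning, and a chunker for the per-filter element limit the answer mentions (the limit value is the caller's assumption). The second builder produces the portable per-DN base-scope reads the answer recommends, plus the equivalent ldapsearch argument vector; the DNs are the constructed ones from the question, and `max_terms` and the function names are this example's own.

```python
"""Fetch N LDAP entries given N DNs: AD-style OR filter vs. per-DN base reads.

Added example (not the page's or any library's code). Everything here is a
request builder; nothing connects to a server, so it runs offline.
"""
from typing import Iterable, Iterator, List, Sequence, Tuple

# Constructed sample DNs, taken from the question text.
DNS = [
    "cn=foo,dc=capmon,dc=lan",
    "cn=bar,dc=capmon,dc=lan",
    "cn=Fred Flintstone,ou=CapMon,dc=capmon,dc=lan",
    "cn=Clark Kent,ou=yada,ou=whatnot,dc=capmon,dc=lan",
]

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Backslash goes first so the escapes we emit are not
# themselves re-escaped.
_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def dn_or_filter(dns: Sequence[str], attribute: str = "distinguishedName") -> str:
    """Build the single OR filter that matched on Active Directory in the question.

    Only meaningful where the server exposes the DN as a searchable attribute;
    the question reports that OpenLDAP does not. Each DN is escaped so that a
    value containing '(' or ')' stays a literal value instead of new filter terms.
    """
    if not dns:
        raise ValueError("need at least one DN")
    terms = [f"({attribute}={escape_filter_value(dn)})" for dn in dns]
    if len(terms) == 1:
        return terms[0]
    return "(|" + "".join(terms) + ")"


def chunked_or_filters(dns: Sequence[str], max_terms: int,
                       attribute: str = "distinguishedName") -> Iterator[str]:
    """Split a long DN list into several OR filters of at most max_terms each.

    The answer notes servers cap the number of filter elements; max_terms is
    the caller's assumption about that cap, not a value from the page.
    """
    if max_terms < 1:
        raise ValueError("max_terms must be >= 1")
    for start in range(0, len(dns), max_terms):
        yield dn_or_filter(dns[start:start + max_terms], attribute)


# One base-scope search per DN: (base, scope, filter, attributes).
ReadRequest = Tuple[str, str, str, Tuple[str, ...]]


def base_scope_reads(dns: Iterable[str], attributes: Sequence[str] = ("*",)) -> List[ReadRequest]:
    """The portable approach from the answer: read each entry by DN directly.

    The DN becomes the search *base* with scope 'base' and a match-all filter,
    so no DN ever lands inside a filter string and no server-specific DN
    attribute is needed. Each tuple is one search to issue, asynchronously if
    the client library supports it, on a single connection.
    """
    return [(dn, "base", "(objectClass=*)", tuple(attributes)) for dn in dns]


def ldapsearch_argv(dn: str) -> List[str]:
    """The same base-scope read as an ldap-utils command line (-b base, -s scope)."""
    return ["ldapsearch", "-LLL", "-b", dn, "-s", "base", "(objectClass=*)"]


if __name__ == "__main__":
    print("AD-style single filter:")
    print(" ", dn_or_filter(DNS))
    print("Chunked into filters of at most 3 terms:")
    for f in chunked_or_filters(DNS, 3):
        print(" ", f)
    print("Portable per-DN reads:")
    for req in base_scope_reads(DNS):
        print(" ", req)
        print("   ", " ".join(ldapsearch_argv(req[0])))
```

With a real client the per-DN tuples map directly onto the library's search call (search base, scope BASE, filter, attributes); issuing them back to back without waiting for each result, as the answer suggests, keeps the round-trip count at N but overlaps the latency.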