1 vote

I'm using perl-ldap to search and modify LDAP directories.

Everything works fine except for when I try to search a group based on its "uniqueMember" attribute, whose value is a DN (e.g., cn=exuser,ou=people,dc=example,dc=com).

This would seem to make the filter string for a search based on a group member

uniqueMember=cn=exuser,ou=people,dc=example,dc=com

But that doesn't work.

Neither does "escaping" the equals in the string, so that the resultant string when printed looks like it has its equals signs escaped. And the Net::LDAP::Filter object doesn't have great documentation, so I'm not sure how to create one besides just passing the filter strings I've been using in the first place (which also doesn't work).

Any suggestions?

I should add that I'm certain the problem is with the search not returning results - the resulting Search object has 0 count.

I can't show the exact code, but it is something like this (only literals have been changed):

my $filter = "uniqueMember=cn=exuser,ou=people,dc=example,dc=com";

my $result = $ldap->search( base   => 'ou=groups,dc=example,dc=com',
                            filter => $filter );
while (my $entry = $result->pop_entry) {
    # .... (processing of $entry omitted)
}

Connection and binding to the LDAP server has been done in a subroutine, which works. I'm certain about the names of the organizational unit as well as the format of the uniqueMember values. For the $filter string, I have tried escaping the equals signs once (\=) and twice (\\\\=). I have tried using Net::LDAP::Filter->new($filter) - although my understanding is that it takes a filter string like the one in the code, so this hasn't been very helpful.

What is the correct way to format this filter string?

2

Show your Perl code; the description in English is not sufficient. - I always use the gq browser to aid LDAP debugging. - daxim

Have you tried using a different version? This query may work if the server is 2.x compatible. version => N: "Set the protocol version being used (default is LDAPv3). This is useful if you want to talk to an old server and therefore have to use LDAPv2." - ZnArK

2 Answers

1 vote

Try the following debug statements to see what the final filter looks like:

use Net::LDAP::Filter;

my $filter_str = "uniqueMember=cn=exuser,ou=people,dc=example,dc=com";
my $filter = Net::LDAP::Filter->new( $filter_str );

print $filter->as_string();

Also, try using wildcards, like so:

#my $filter = "uniqueMember=cn=exuser,ou=people,dc=example,dc=com";
my $filter = "uniqueMember=*exuser*";

Also, your base is pointing at ou=groups instead of ou=people like your filter. That alone may be causing issues since there may not be any users with those attributes in the "groups" ou.

#my $result = $ldap->search( base   => 'ou=groups,dc=example,dc=com',
my $result = $ldap->search( base   => 'ou=people,dc=example,dc=com',
                            filter => $filter );
while (my $entry = $result->pop_entry) {
    # .... (processing of $entry omitted)
}

0 votes

Does this work with the command line LDAP tools? It seems like it's a problem with the LDAP query rather than with Net::LDAP.

I'm not very good with the LDAP syntax, but I thought it'd be something like

(&(group=uniqueMember)(cn=exuser)(ou=people)(dc=example)(dc=com))

You could also try setting up the filter with Net::LDAP::Filter and see what it parses it to.
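Both answers suggest letting Net::LDAP::Filter parse the filter and printing the result, and the first one questions the search base. The script below is an added example, not code from the question or either answer. It builds the uniqueMember filter with Net::LDAP::Filter and Net::LDAP::Util::escape_filter_value, prints exactly what the server will receive, and, only if a host is given on the command line, runs the search and checks the result code rather than just the entry count. Two facts it relies on: an RFC 4515 filter value only needs `*`, `(`, `)`, `\` and NUL escaped, so the `=` and `,` inside a DN value are passed through unchanged; and a search for groups by member has to use the subtree that holds the group entries as its base, since the DN in the value only names where the member lives. The host, bind DN, password and base DNs are placeholders.

```perl
#!/usr/bin/perl
# Added example, not code from the question or either answer.
# Builds the uniqueMember filter with Net::LDAP::Filter, shows what
# the server will receive, and (if a host is given) runs the search
# while checking the result code rather than only the entry count.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Filter;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed sample values; host, bind DN and password are placeholders.
my $member_dn  = 'cn=exuser,ou=people,dc=example,dc=com';
my $group_base = 'ou=groups,dc=example,dc=com';   # where the group entries live

# Returns the filter object for "groups whose uniqueMember is $dn".
# RFC 4515 only requires escaping '*', '(', ')', '\' and NUL inside a
# value; '=' and ',' are ordinary characters, so the DN goes in as-is.
# escape_filter_value handles those five (none occur in this DN).
sub member_filter {
    my ($dn) = @_;
    my $str = '(uniqueMember=' . escape_filter_value($dn) . ')';
    # new() returns undef if the filter does not parse; fail here
    # instead of silently getting an empty search result later.
    my $f = Net::LDAP::Filter->new($str)
        or die "filter '$str' did not parse\n";
    return $f;
}

my $filter = member_filter($member_dn);
print "Filter as sent to the server: ", $filter->as_string, "\n";
# (uniqueMember=cn=exuser,ou=people,dc=example,dc=com)

# Without a host argument, stop here: building and printing the filter
# needs no directory server.
my $host = shift @ARGV or exit 0;

my $ldap = Net::LDAP->new($host, version => 3)
    or die "cannot connect to $host: $@\n";
my $mesg = $ldap->bind('cn=reader,dc=example,dc=com', password => 'CHANGEME');
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base   => $group_base,
    scope  => 'sub',        # whole subtree; 'one' would miss nested OUs
    filter => $filter,      # a Net::LDAP::Filter object is accepted here
    attrs  => ['cn'],
);
# A wrong base, a filter the server rejects, or a hit size limit comes
# back as a non-zero code; count() alone cannot tell that from "no match".
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

printf "%d group(s) list %s as uniqueMember\n", $mesg->count, $member_dn;
print '  ', $_->dn, "\n" for $mesg->entries;
$ldap->unbind;
```

Run it with no arguments to see the parsed filter, or with a hostname to perform the search. The same query can be cross-checked from the shell, as the second answer suggests, with `ldapsearch -x -H ldap://HOST -b 'ou=groups,dc=example,dc=com' '(uniqueMember=cn=exuser,ou=people,dc=example,dc=com)' cn`; if that also returns nothing, the stored uniqueMember value does not match the DN being searched for (uniqueMember has DN syntax, so the RDNs must be the same, not merely similar), or the entries are outside the chosen base.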