Re: Groups are not accessible by filter


 



@William Brown 

Thank you for the clarification. The same thing was written in the second mail of this mail chain. I was missing the use case UniqueGroup(…).filter().

What about the filters below? Can we use filter here also?

topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (| (nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['cn', 'cn', 'cn'])
topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (| (nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['*', 'cn'])

And this one:

topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.804:=16777216",['attrlist=cn:sn:uid:testUserAccountControl'])

Regards
Anuj Borah




On Mon, Apr 29, 2019 at 7:38 AM William Brown <wbrown@xxxxxxx> wrote:


> On 29 Apr 2019, at 11:53, Anuj Borah <aborah@xxxxxxxxxx> wrote:
>
> @William Brown
>
> The space did not make any difference. Look at the result below.
>
> (Pdb) i
> '(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)'
> (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)

^ Because you are using the wrong class.

Filter will wrap your call because you are filtering over the set of Accounts, not “generic searching”. If you want to search a group OfUniqueNames, you need:

UniqueGroup(…).filter().

Have a look at _mapped_object.py in def filter and you'll see it does:

    def filter(self, search):
        # This will yield and & filter for objectClass with as many terms as needed.
        search_filter = _gen_and([self._get_objectclass_filter(),search])

I.e., your search of “uniqueMember=…” is then inserted such that:

(&(objectClass=groupOfUniqueNames)(uniqueMember=…))

Because you are using Accounts, this is doing:

(&(|(objectClass=nsAccount)(objectClass=person)…) (uniqueMember=…))

Which of course won’t find anything in a group, because Accounts are not Groups.


So in fact, lib389 is doing exactly the right thing here, by saying “no, your search is not safe or sane, so you don’t get any results”. Lib389 is designed to prevent you making mistakes, and so will error or do nothing in the cases where something is wrong, rather than allow a corruption or odd behaviour to occur.





Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
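
The objectClass wrapping described in the reply above, as an added example that is not part of the original mail and is not lib389's code: it builds both composite filters and evaluates them against two constructed entries. The helper names (gen_and, objectclass_filter, parse, matches, search), the class lists and the group DN are assumptions made for illustration; only the two account classes visible in the mail are used.

```python
# Added illustration: hypothetical stand-ins, not lib389 functions.
def gen_and(terms):
    return "(&" + "".join(terms) + ")"

def objectclass_filter(classes):
    terms = ["(objectClass=%s)" % c for c in classes]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"

def parse(f, i=0):
    """Parse a small LDAP filter subset: &, | and attr=value equality."""
    assert f[i] == "("
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        assert f[i] == ")"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]

def search(entries, flt):
    tree, _ = parse(flt)
    return [dn for dn, e in entries.items() if matches(tree, e)]

# Constructed sample data: one account and one group that lists it as a member.
USER_DN = "uid=kvaughan,ou=People,dc=example,dc=com"
GROUP_DN = "cn=managers,ou=Groups,dc=example,dc=com"
ENTRIES = {
    USER_DN: {"objectclass": ["person", "nsAccount"], "uid": ["kvaughan"]},
    GROUP_DN: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [USER_DN]},
}
USER_FILTER = "(uniquemember=%s)" % USER_DN

# What an Accounts-style wrapper sends versus a UniqueGroup-style wrapper.
ACCOUNTS_FILTER = gen_and([objectclass_filter(["nsAccount", "person"]), USER_FILTER])
GROUPS_FILTER = gen_and([objectclass_filter(["groupOfUniqueNames"]), USER_FILTER])

if __name__ == "__main__":
    print(ACCOUNTS_FILTER, "->", search(ENTRIES, ACCOUNTS_FILTER))
    print(GROUPS_FILTER, "->", search(ENTRIES, GROUPS_FILTER))
```
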
