LDAP AD - range attribute, how to use it?


3

I'm trying to use the range attribute.

For testing, I use a search that without range returns 3 entries, and I set the range to 0-1, which should return only the first 2. However, I get all 3 results.

This is how I do it:

String rangeStr = attribute + ";range=0-1";
String returnedAttrs[] = {rangeStr, attribute};
_searchControls.setReturningAttributes(returnedAttrs);
_searchControls.setSearchScope(scope);
NamingEnumeration<SearchResult> answer = _context.search(name, filter, _searchControls);
List<String> result = new LinkedList<String>();
while (answer != null && answer.hasMoreElements())
{
    Attribute currentAttr = answer.next().getAttributes().get(attribute);
    if (currentAttr == null)
        continue;
    for (int i=0; i<currentAttr.size(); i++)
    {
        String val = currentAttr.get(i).toString();
        result.add(val);
    }
}

What am I doing wrong?

I use page size of 1000, but if I understand correctly, that is not supposed to influence the ranged search (given that the page size is larger than the requested range). Is that correct?

2009-06-16 09:57
by Dikla
Is this still a problem for you? - serialhobbyist 2009-08-12 17:11
If you have an answer I will be very glad to read it. Thanks - Dikla 2009-08-17 08:34
I don't yet but I didn't want to spend time on it if it wasn't. :-) What framework are you using to access AD? - serialhobbyist 2009-08-17 10:59
I access it via java code, which runs on a unix machine - Dikla 2009-08-23 21:19
What is 'scope' initialised to? And, for that matter, 'name' and 'filter'? - serialhobbyist 2009-08-29 15:10
scope, name and filter are all received from the user. So they can be any legal value. scope is either SearchControls.OBJECT_SCOPE, SearchControls.ONELEVEL_SCOPE or SearchControls.SUBTREE_SCOPE. name is any base DN (should have chosen a better name for this variable), and filter is, well, a search filter - Dikla 2009-09-03 05:12
The 'range' should not be used in new code. The syntax (which is active-directory specific) violates the LDAP standard for attributes, and that alone is reason enough to eschew it. This is a case of Microsoft treating standards as if they were guidelines instead of rules and results in confusion, difficulty of migrating code, and poor programming practices - Terry Gardner 2011-07-26 09:05
Thanks for this comment. So, is there another way to set the range? - Dikla 2011-08-03 07:25


5

#!/usr/bin/env python

import ldap

def msad_flatten_ranges(conn, dn, ldap_dict):
  for attrname in ldap_dict:
    if ';range=' in attrname:
      #
      # parse range attr
      #
      actual_attrname, range_stmt = attrname.split(';')
      bound_lower, bound_upper = [
        int(x) for x in range_stmt.split('=')[1].split('-')
      ]

      step = bound_upper - bound_lower + 1
      while True:
        attr_next = '%s;range=%d-%d' % (
          actual_attrname, bound_lower, bound_upper
        )

        dn, attrs = conn.search_s(
          dn, ldap.SCOPE_BASE, attrlist = [attr_next])[0]

        assert len(attrs) == 1

        # list(attrs)[0] works on Python 2 and 3; attrs.keys()[0] fails on Python 3
        ret_attrname = list(attrs)[0]

        ldap_dict[actual_attrname].extend(attrs[ret_attrname])
        if ret_attrname.endswith('-*'):
          break

        bound_lower = bound_upper + 1
        bound_upper += step
2009-11-10 23:01
by Russell Jackson
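
An added example (not part of the original answer) of the range-retrieval loop the answer above implements, written so it runs offline. `fake_ad_search`, `SERVER_CAP` and the sample DNs are constructed stand-ins for a real `search_s` call, and the reply shape (empty bare attribute plus a `;range=lo-hi` key) is an assumption of the simulation. It takes the next lower bound from the range the server actually returned, so it still works when the server sends fewer values than were requested.

```python
import re

# Constructed sample data: one entry with 7 values in a multi-valued attribute.
MEMBERS = ["CN=user%d,DC=example,DC=com" % i for i in range(7)]
SERVER_CAP = 3  # assumed per-request value limit enforced by the server

def fake_ad_search(dn, attrlist):
    """Simplified, constructed model of a reply to 'attr;range=lo-hi'."""
    attr, opt = attrlist[0].split(";range=")
    lo, hi = opt.split("-")
    lo = int(lo)
    hi = len(MEMBERS) - 1 if hi == "*" else int(hi)
    hi = min(hi, lo + SERVER_CAP - 1)      # server may return fewer values
    last = hi >= len(MEMBERS) - 1
    key = "%s;range=%d-%s" % (attr, lo, "*" if last else hi)
    # Assumption: the bare attribute name comes back too, with no values.
    return {attr: [], key: MEMBERS[lo:hi + 1]}

RANGE_KEY = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\*|\d+)$",
                       re.I)

def fetch_all_values(search, dn, attr, step=1500):
    """Collect every value of a multi-valued attribute via range retrieval."""
    values, lo = [], 0
    while True:
        attrs = search(dn, ["%s;range=%d-%d" % (attr, lo, lo + step - 1)])
        ranged = [(RANGE_KEY.match(k), v) for k, v in attrs.items()]
        ranged = [(m, v) for m, v in ranged
                  if m and m.group("attr").lower() == attr.lower()]
        if not ranged:
            # No range option in the reply: values are under the plain name.
            return values + list(attrs.get(attr, []))
        m, chunk = ranged[0]
        values.extend(chunk)
        if m.group("hi") == "*":           # '*' marks the final chunk
            return values
        lo = int(m.group("hi")) + 1        # continue from what the server sent

if __name__ == "__main__":
    print(fetch_all_values(fake_ad_search, "CN=grp,DC=example,DC=com",
                           "member", step=5))
```

With python-ldap, `search` can be a small wrapper that calls `conn.search_s(dn, ldap.SCOPE_BASE, attrlist=attrlist)` and returns the attribute dictionary of the first result.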