
Why does this ldapsearch command show nothing:

/usr/bin/ldapsearch -x -LLL -h ldapmaster.corpintra.net -b ou=people,ou=Mars,ou=Eng,dc=corpintra,dc=net '(ifxAccStatus=unlocked)' uid ifxAccStatus

The following command returns a bunch of results showing that I have people with the field ifxAccStatus=unlocked or ifxAccStatus=locked:

/usr/bin/ldapsearch -x -LLL -h ldapmaster.corpintra.net -b ou=people,ou=Mars,ou=Eng,dc=corpintra,dc=net '(ifxAccStatus=*)' uid ifxAccStatus

How can I list only the users with ifxAccStatus=unlocked?

Thanks, Oz

oz123

1 Answer


You probably have an incomplete schema definition -- it's not sufficient to just define your attribute SYNTAX (e.g. directoryString or IA5String OID), this does not define any implicit matching rules (comparison operations). You need to do that explicitly with EQUALITY and (if appropriate) SUBSTR, for example:

attributetype ( 1.3.6.1.4.1.xxxxx.1.2.3
    NAME     'ifxAccStatus'
    DESC     'account lock status'
    SYNTAX   1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    EQUALITY caseIgnoreIA5Match
    SUBSTR   caseIgnoreIA5SubstringsMatch
    USAGE    userApplications
)

Similarly, there will be no implicit ordering rules; this would need to be specified too if you need to order the results (e.g. caseIgnoreOrderingMatch), though this usually doesn't cause as many problems as missing equality and substring operations.

mr.spuratic
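As an added example (not part of the answer above), the following script parses a slapd-style attributetype description and reports which filter kinds cannot match it because no matching rule is defined; it is run over a constructed "incomplete" definition of the kind the answer describes and over the corrected definition from the answer. The placeholder OID 1.3.6.1.4.1.xxxxx.1.2.3 is taken from the answer as-is, and the parser covers only the NAME/DESC/EQUALITY/SUBSTR/ORDERING/SYNTAX/SUP/USAGE/SINGLE-VALUE subset of RFC 4512.

```python
import re

# Keyword/value pairs an attributetype description may carry (RFC 4512 subset).
_PAIR = re.compile(r"\b(NAME|DESC|EQUALITY|SUBSTR|ORDERING|SYNTAX|SUP|USAGE)\s+('[^']*'|\S+)")


def parse_attribute_type(desc):
    """Parse a slapd-style 'attributetype ( ... )' description into a dict.
    Quoted values have their quotes stripped; SINGLE-VALUE becomes a boolean."""
    body = " ".join(desc.split())  # collapse newlines and indentation
    if body.lower().startswith("attributetype"):
        body = body[len("attributetype"):].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("expected a parenthesised attribute type description")
    oid, _, rest = body[1:-1].strip().partition(" ")  # first token is the OID
    attr = {"OID": oid}
    for key, value in _PAIR.findall(rest):
        attr[key] = value.strip("'")
    attr["SINGLE-VALUE"] = bool(re.search(r"\bSINGLE-VALUE\b", rest))
    return attr


def matching_rule_gaps(attr):
    """List the filter kinds that can never match this attribute.
    Per RFC 4511 a filter assertion with no applicable matching rule evaluates
    to Undefined, so the entry is silently excluded; only presence (attr=*)
    still works, which is exactly the symptom in the question."""
    gaps = []
    if "EQUALITY" not in attr:
        gaps.append("equality: (attr=value)")
    if "SUBSTR" not in attr:
        gaps.append("substrings: (attr=val*)")
    if "ORDERING" not in attr:
        gaps.append("ordering: (attr>=value)")
    return gaps


# Constructed example of an incomplete definition: SYNTAX only, no matching rules.
INCOMPLETE = """attributetype ( 1.3.6.1.4.1.xxxxx.1.2.3
    NAME 'ifxAccStatus' DESC 'account lock status'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )"""

# The corrected definition given in the answer.
CORRECTED = """attributetype ( 1.3.6.1.4.1.xxxxx.1.2.3
    NAME 'ifxAccStatus' DESC 'account lock status'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
    EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
    USAGE userApplications )"""

if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE), ("corrected", CORRECTED)):
        attr = parse_attribute_type(text)
        print(label, attr["NAME"], "gaps:", matching_rule_gaps(attr) or "none")
```

To check what the server actually loaded rather than the file on disk, query the subschema entry (`ldapsearch -x -LLL -b cn=Subschema -s base attributeTypes`) and feed the ifxAccStatus line from that output to parse_attribute_type.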