1

After asking this question, I had an LDAP query that looked like this:

```
(&(cn=*)(networkAddress=*)(objectClass=user))
```

However, if a user has multiple cn's, they are returned multiple times. Is there a way to stop this happening?

Harley
  • it's quite a hack, but can you use a ! to omit the rows you don't want? – resonator Jul 22 '09 at 05:54
  • do you mean if a user has cn=joe and cn=joe2 attributes at the same time you receive the same DN two times as the result? – asdmin Jul 22 '09 at 08:36
  • Yes, sort of. I'm using python so if I have a user with {'cn': ['joe', 'joe2']}, I'll get that user twice. Both results have the full CN list. – Harley Jul 22 '09 at 21:36

3 Answers

2

Because CN in many schema implementations is multi-valued and not guaranteed to be unique, the general rule is to use an attribute that is single-valued and supposed to be unique, like uid.

In Active Directory, for a single domain you could rely on sAMAccountName, but not if there is more than one domain in the tree/forest. You might be able to rely on userPrincipalName, which is usually structured as sAMAccountName@domain.Name but unlike sAMAccountName, there is no validation that this is actually a unique value.

Experimentally I have noticed (ok, I made some typos) that UPN can be just about any value and there is no enforcement.

geoffc
  • The uniqueness enforcement of `userPrincipalName` may have changed since 2012: https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/ – Juraj Martinka Apr 19 '19 at 07:52
0

That sounds like the correct result to me...

What happens if you use a tool like ldapsearch?

benc
0

I don't know anything about Python data types, but couldn't you just catch the output in an object and then check whether it is an array or just a string? If it's an array, just take the first record; if it's a string, take it directly.

I mean that's how I handle group membership related queries for users in vbscript.

KAPes
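An added example, not code from any of the posters: it collapses repeated entries by DN and then indexes users by a single-valued attribute, reporting values that are missing, multi-valued or shared, which covers both the "use a unique attribute" advice and the "check whether it is an array" suggestion above. It assumes results in the shape python-ldap's `search_s()` returns; the sample data, DNs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: a list of (dn, {attribute: [bytes, ...]}) tuples.
# "joe" has two cn values and is returned twice; two different entries
# share uid "ann"; the last item is a search referral, not an entry.
SAMPLE_RESULTS = [
    ("cn=joe,ou=staff,o=example", {"cn": [b"joe", b"joe2"], "uid": [b"joe"]}),
    ("cn=joe,ou=staff,o=example", {"cn": [b"joe", b"joe2"], "uid": [b"joe"]}),
    ("cn=ann,ou=staff,o=example", {"cn": [b"ann"], "uid": [b"ann"]}),
    ("cn=ann,ou=temps,o=example", {"cn": [b"ann"], "uid": [b"Ann"]}),
    (None, ["ldap://other.example/o=example"]),
]


def dedupe_by_dn(results):
    """Collapse repeated entries: the DN, not cn, identifies an object."""
    entries = {}
    for dn, attrs in results:
        if dn is None:  # referral, carries no attributes
            continue
        # Lower-casing is a simplified DN normalisation (assumption).
        entries.setdefault(dn.lower(), (dn, attrs))
    return list(entries.values())


def index_by_unique_attr(entries, attr="uid"):
    """Return ({value: dn}, problems) without trusting attr to be unique."""
    owners = defaultdict(list)
    problems = []
    for dn, attrs in entries:
        values = attrs.get(attr, [])
        if len(values) != 1:  # missing or multi-valued: do not guess
            problems.append((dn, f"{attr} has {len(values)} values"))
            continue
        owners[values[0].decode("utf-8").lower()].append(dn)
    index = {}
    for value, dns in owners.items():
        if len(dns) == 1:
            index[value] = dns[0]
        else:  # the directory did not enforce uniqueness
            problems.append((value, "shared by " + "; ".join(dns)))
    return index, problems


if __name__ == "__main__":
    users = dedupe_by_dn(SAMPLE_RESULTS)
    index, problems = index_by_unique_attr(users)
    print(index)
    print(problems)
```

Treating a shared or multi-valued key as an error, rather than taking the first value, avoids silently mapping two directory objects to one identity.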