38

I have searched on this topic, but all I find are filters that return entries where a certain attribute is not present, like:

(!(manager=*))

However, I want to find entries where the attribute is present, but has a null value (i.e. an empty/blank string). Can I do this using an LDAP filter, and if so, how?

EDIT:

Just to confirm, the above filter finds entries without the attribute, but not where the attribute is empty (null string).

Is this dependent on the LDAP implementation or what?

mydoghasworms

6 Answers

28

From LDAP, there is not a query method to determine an empty string.

The best practice would be to scrub your data inputs to LDAP as an empty or null value in LDAP is no value at all.

To determine this you would need to query for all with a value (manager=*) and then use code to determine the ones that were a "space" or null value.

And as Terry said, storing an empty or null value in an attribute of DN syntax is wrong.

Some LDAP server implementations will not permit entering a DN where the DN entry does not exist.

Perhaps, if your DNs are consistent, you could use something like:

(&(!(manager=cn*))(manager=*))

This should return any value of manager where there was a value for manager and it did not start with "cn".

However, some LDAP implementations will not allow sub-string searches on DN syntax attributes.

-jim

jwilleke
  • 1
    Somehow everyone seemed to get sidetracked on schema and such issues; my question was whether there is a way to *filter* such entries, and you came closest to answering that by telling me that I would have to, in my client code, filter out such entries, which is what I feared, but which I suppose is right. Accepted, thanks. – mydoghasworms Jan 22 '13 at 18:45
  • 2
    There is no sidetrack: the schema plays a role in determining which types of filters can be used. Assertions are dependent on the type of the attribute, it's syntax, and its ordering and matching rules. This is how assertions work. – Terry Gardner Nov 14 '13 at 19:55
9

Search for a null value by using \00

For example:

ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme 'manager=\00' uid manager

If you use the null value on the command line, make sure to put quotes around it to prevent the OS shell from sending a null character to LDAP. For example, this won't work:

 ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme manager=\00 uid manager

There are various sites that reference this, along with other special characters. Example:

Matt
  • This doesn't seem to work in Powershell, with the RSAT activedirectory module. This feature may be a happy accident of the `ldapsearch` implementation you're using. – jpaugh Jul 28 '17 at 22:56
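What `\00` means in a filter is defined by RFC 4515, not by any one `ldapsearch` build: a backslash plus two hex digits encodes one octet of the assertion value, so `(manager=\00)` asks for a manager value equal to the single byte 0x00, not for an empty string. What a server does with a one-byte value that is not a valid DN is implementation-specific, which fits the "happy accident" observation in the comment. The block below is an added example, not code from the answer, that implements the RFC 4515 escaping for the special characters the answer alludes to and shows the filters it produces; the same escaping is what keeps untrusted input from rewriting a filter (LDAP injection).

```python
"""RFC 4515 filter-value escaping: what `\\00` in a filter actually says.

Added example, not code from the answer above. RFC 4515 writes any octet
inside an assertion value as a backslash plus two hex digits, so `\\00` is
one NUL byte: the filter (manager=\\00) asks the server for a manager value
equal to 0x00, a one-byte value, not an empty string. The same escaping is
what keeps attacker-controlled input from rewriting a filter.
"""
import re

# Octets RFC 4515 requires to be hex-escaped inside an assertion value:
# backslash, '*', '(', ')' and NUL.
_MUST_ESCAPE = {0x5C: "\\5c", 0x2A: "\\2a", 0x28: "\\28", 0x29: "\\29", 0x00: "\\00"}

_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: bytes) -> str:
    """Encode raw bytes as a filter assertion value.

    Non-printable and non-ASCII octets are hex-escaped too. RFC 4515 also
    allows UTF-8 in the clear, but escaping everything outside printable
    ASCII is always valid and easier to audit in logs.
    """
    out = []
    for b in value:
        if b in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\{b:02x}")
    return "".join(out)


def unescape_filter_value(encoded: str) -> bytes:
    """Decode an assertion value back to the octets the server will compare."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(encoded):
        out += encoded[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += encoded[pos:].encode("utf-8")
    return bytes(out)


def equality_filter(attr: str, value: bytes) -> str:
    """Build (attr=value) with the value escaped, never concatenated raw."""
    return f"({attr}={escape_filter_value(value)})"


if __name__ == "__main__":
    # The answer's filter, reconstructed from the byte it denotes:
    print(equality_filter("manager", b"\x00"))          # (manager=\00)
    print(unescape_filter_value("\\00"))                # b'\x00'
    # A zero-octet assertion value is syntactically allowed by the RFC 4515
    # grammar; whether a server matches anything with it is a server matter:
    print(equality_filter("manager", b""))              # (manager=)
    # Untrusted input that would otherwise become a second assertion:
    print(equality_filter("uid", b"*)(uid=*"))          # (uid=\2a\29\28uid=\2a)
```

Build every filter that carries user input through `equality_filter` (or the equivalent escaping function of your LDAP library) rather than by string concatenation; the last line shows what a value like `*)(uid=*` turns into when it is escaped instead of interpreted.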
9

This article http://technet.microsoft.com/en-us/library/ee198810.aspx led me to the solution. The only change is the placement of the exclamation mark.

(!manager=*)

It seems to be working just as wanted.

dved
(edited by user207421)
  • 2
    ldap_search_ext: Bad search filter (-7) – Ignacio Pérez Sep 29 '16 at 08:21
  • The recent edit conflicted with the author's intent, and resulted in the post merely reiterating what the OP already had. However the original answer, which I have restored, is invalid syntax, and the linked article is incorrect, except apparently in the case of MS Active Directory, which is already known to be rather non-compliant with the LDAP RFCs. – user207421 Apr 15 '19 at 01:26
3

Semantically there is no difference between these cases in LDAP.

user207421
3

I needed to do a query to get me all groups with a managedBy value set (not empty) and this gave some nice results:

(!(!managedBy=*))
Frost10000
2

The schema definition for an attribute determines whether an attribute must have a value. If the manager attribute in the example given is the attribute defined in RFC4524 with OID 0.9.2342.19200300.100.1.10, then that attribute has DN syntax. DN syntax is a sequence of relative distinguished names and must not be empty. The filter given in the example is used to cause the LDAP directory server to return only entries that do not have a manager attribute to the LDAP client in the search result.

Terry Gardner