
I'm trying to perform an LDAP search into many different OUs that are located at the root of the directory.

Context initialization:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_CREDENTIALS, "somePassword");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_PRINCIPAL, "MYDOMAIN\\myUsername"); // DOMAIN\user form; "\\" is one backslash in the Java literal
env.put(Context.PROVIDER_URL, "ldap://myLdapServer:389");
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
DirContext ctx = new InitialDirContext(env);

So for searching a user I call

ctx.search("OU=OrgUnitOne,DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)

or

ctx.search("OU=OrgUnitTwo,DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)

and either works fine. But since I want to search into all of the OUs in the root of AD, I have to use another baseDN for the search, which I've failed to find. I've tried the following but none seems to work...

Without OU:

ctx.search("DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)
//output:
//javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=mysite,DC=com'

Empty searchBase string:

ctx.search("", "(sAMAccountName=someUserName)", searchControls)
//output:
//javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:'']; remaining name ''

Desperate wildcard *

ctx.search("OU=*,DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)
//output:
//javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'DC=mysite,DC=com']; remaining name 'OU=*,DC=mysite,DC=com'

Desperate wildcard %

ctx.search("OU=%,DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)
//output:
//javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'DC=mysite,DC=com']; remaining name 'OU=%,DC=mysite,DC=com'

Desperate OR operator |

ctx.search("OU=OrgUnitOne|OrgUnitTwo,DC=mysite,DC=com", "(sAMAccountName=someUserName)", searchControls)
//output:
//javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'DC=mysite,DC=com']; remaining name 'OU=OrgUnitOne|OrgUnitTwo,DC=mysite,DC=com'

Is there a way to achieve this search over all the root OUs?

user207421
  • Have you considered looking up the documentation for `javax.naming.PartialResultException` instead of floundering around with wild guesses? – user207421 Aug 25 '16 at 01:01

2 Answers

This works for me:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL,  "ldap://ldapHost");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=domain,DC=com");
ldapEnv.put(Context.SECURITY_CREDENTIALS, "secret");
DirContext ldapContext = new InitialDirContext(ldapEnv);
// Create the search controls         
SearchControls searchCtls = new SearchControls();
// Specify the attributes to return
String returnedAtts[]={"sn","givenName", "samAccountName"};
searchCtls.setReturningAttributes(returnedAtts);
// Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
// specify the LDAP search filter
String searchFilter = "(&(samAccountName=userName))";
// Specify the Base for the search
String searchBase = "dc=domain,dc=com";
// initialize counter to total the results
int totalResults = 0;
// Search for objects using the filter
NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchCtls);
// Loop through the search results
while (answer.hasMoreElements()) {
    SearchResult sr = (SearchResult)answer.next();
    totalResults++;
    System.out.println(">>>" + sr.getName());
    Attributes attrs = sr.getAttributes();
    System.out.println(">>>>>>" + attrs.get("samAccountName"));       
}
System.out.println("Total results: " + totalResults);
ldapContext.close();
user207421
Khalid Habib

Construct a search request using the desired base object, a search scope of sub, a filter that restricts the entries returned to just the entries desired, and a list of requested attributes. Using the UnboundID LDAP SDK:

SearchRequest req = new SearchRequest("dc=mysite,dc=com",
       SearchScope.SUB,"samAccountName=someUserName","1.1");
SearchResult searchResult = ldapConnection.search(req);

This search will return all of the entries (1.1 means return no attributes, replace this with the list of attributes desired) in which the samAccountName attribute contains the value "someUserName" (matching of the values is performed using matching rules) if the server permits. In some cases, the server administrators may not permit this search because it traverses the entire directory server database. Also, the connection's authorization state must permit the examination of the samAccountName. Note that a search can be successful (result code SUCCESS, integer 0) but return no entries.

  • There is no "or" operator for distinguished names.
  • There is no "wildcard" operator in distinguished names.
Gambotic
Terry Gardner
  • Thank you very much Terry, but I might not be able to use UnboundID SDK, so I wonder if the base object "dc=mysite,dc=com" can be specified some other way using the javax.naming API. – David F. Suárez Chacón Jun 26 '13 at 15:32
  • It appears that your client received a continuation reference when you did a search starting from `dc=mysite,dc=com`. You might need to follow referrals. – Terry Gardner Jun 26 '13 at 15:51
  • @Terry Gardner The link you have provided is broken. Please update it with a working one. – OO7 Dec 09 '14 at 05:42
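The following is an added example, not code from the question or from either answer, showing the domain-wide lookup with the javax.naming API the questioner wanted to stay with. It takes Terry Gardner's hint: the `PartialResultException` in the question appears because the JNDI LDAP provider defaults `Context.REFERRAL` to `"ignore"`, and a subtree search from the domain root of an Active Directory domain returns continuation references for the other naming contexts (DomainDnsZones, ForestDnsZones, Configuration). Setting `"follow"` makes the provider chase them; results received before any unresolvable referral are kept. The host `myLdapServer`, the bind UPN `svc-lookup@mysite.com` and the environment variable `LDAP_BIND_PASSWORD` are placeholders assumed here, as is a server certificate the JVM trusts for `ldaps://`. The user name goes in as a filter argument (`{0}`) rather than being concatenated into the filter string, so the provider escapes it; the assertion in Terry Gardner's answer that DNs have no OR or wildcard operator is why the base DN is simply the domain root.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class DomainWideUserSearch {

    /** JNDI environment. Host, bind account and password source are placeholders (assumed). */
    static Hashtable<String, String> environment() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldaps:// (636) so the simple-bind password is not sent in clear text as it is on 389.
        env.put(Context.PROVIDER_URL, "ldaps://myLdapServer:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "svc-lookup@mysite.com");            // placeholder UPN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD")); // not hard-coded
        // The provider's default is "ignore"; with it, the continuation references that AD
        // returns for a subtree search from the domain root surface as PartialResultException.
        env.put(Context.REFERRAL, "follow");
        return env;
    }

    /**
     * Returns the DNs of user objects with the given sAMAccountName anywhere in the domain.
     * The name is bound as filter argument {0}; JNDI escapes '*', '(', ')' and '\' in it,
     * which string concatenation into the filter would not do.
     */
    static List<String> findUserDns(String sAMAccountName) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { "distinguishedName", "sAMAccountName" });
        controls.setCountLimit(50);     // a single-user lookup never needs more
        controls.setTimeLimit(10000);   // milliseconds

        List<String> dns = new ArrayList<String>();
        DirContext ctx = new InitialDirContext(environment());
        try {
            NamingEnumeration<SearchResult> results = ctx.search(
                    "DC=mysite,DC=com",   // domain root: no need to enumerate the OUs by hand
                    // objectCategory=person excludes computer objects, which are also objectClass=user
                    "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))",
                    new Object[] { sAMAccountName },
                    controls);
            try {
                while (results.hasMore()) {
                    SearchResult sr = results.next();
                    dns.add(sr.getNameInNamespace());   // full DN, e.g. CN=...,OU=OrgUnitOne,DC=mysite,DC=com
                }
            } catch (PartialResultException e) {
                // Thrown only if a referral could not be followed (for example the referred
                // partition's DNS name does not resolve). Entries already received stay in dns.
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        String user = args.length > 0 ? args[0] : "someUserName";
        for (String dn : findUserDns(user)) {
            System.out.println(dn);
        }
    }
}
```

An alternative that avoids referrals altogether is to point `Context.PROVIDER_URL` at the Global Catalog (port 3268, or 3269 over TLS), which holds a partial replica of every object in the forest and answers a search from the domain root without continuation references; the attribute set available there is limited to what is replicated to the GC, so `sAMAccountName` and `distinguishedName` are fine but some attributes may be absent.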