[ldap] LDAP filter for blank (empty) attribute

I have searched on this topic, but all I find are filters that return entries where a certain attribute is not present, like:

(!(manager=*))

However, I want to find entries where the attribute is present, but has a null value (i.e. an empty/blank string). Can I do this using an LDAP filter, and if so, how?

EDIT:

Just to confirm, the above filter finds entries without the attribute, but not where the attribute is empty (null string).

Is this dependent on the LDAP implementation or what?


The answer is


The schema definition for an attribute determines whether an attribute must have a value. If the manager attribute in the example given is the attribute defined in RFC4524 with OID 0.9.2342.19200300.100.1.10, then that attribute has DN syntax. DN syntax is a sequence of relative distinguished names and must not be empty. The filter given in the example is used to cause the LDAP directory server to return only entries that do not have a manager attribute to the LDAP client in the search result.


Semantically there is no difference between these cases in LDAP.


I needed to do a query to get me all groups with a managedBy value set (not empty) and this gave some nice results:

(!(!managedBy=*))

Search for a null value by using \00

For example:

ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme 'manager=\00' uid manager

Make sure if you use the null value on the command line to use quotes around it to prevent the OS shell from sending a null character to LDAP. For example, this won't work:

ldapsearch -D cn=admin -w pass -s sub -b ou=users,dc=acme manager=\00 uid manager

There are various sites that reference this, along with other special characters. Example:


This article http://technet.microsoft.com/en-us/library/ee198810.aspx led me to the solution. The only change is the placement of the exclamation mark.

(!manager=*)

It seems to be working just as wanted.
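
The quoted and unquoted `manager=\00` arguments from the ldapsearch answer above, shown as the shell passes them to a program, together with RFC 4515 escaping for the other special filter characters. This is an added example, not part of the original question or answers; the function names are hypothetical and no directory server is contacted.

```shell
#!/bin/sh
# Added example. Attribute names are taken from the page; the helper
# functions below are hypothetical and only build strings.

# Return the first argument exactly as a program receives it in argv.
argv1() { printf '%s' "$1"; }

# Escape a literal value for use inside an LDAP filter (RFC 4515).
# Backslash is handled first so the escapes added afterwards are not
# escaped a second time. A NUL byte (\00 in a filter) cannot be held in a
# shell variable, so it has to be written as the literal text \00.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Filters discussed on the page, built for any attribute name.
filter_absent()  { printf '(!(%s=*))' "$1"; }   # attribute not present
filter_present() { printf '(%s=*)' "$1"; }      # attribute has some value
filter_equals()  { printf '(%s=%s)' "$1" "$(ldap_escape "$2")"; }

# Unquoted: the shell consumes the backslash before the program runs.
unquoted=$(argv1 manager=\00)
# Single-quoted: the backslash reaches the program, so the LDAP client
# sees the \00 filter escape.
quoted=$(argv1 'manager=\00')

# printf is used instead of echo because some echo implementations
# interpret backslash sequences themselves.
printf 'unquoted argv: %s\n' "$unquoted"
printf 'quoted argv:   %s\n' "$quoted"
printf 'absent:        %s\n' "$(filter_absent manager)"
printf 'present:       %s\n' "$(filter_present manager)"
# Constructed sample value containing every character that needs escaping.
printf 'equals:        %s\n' "$(filter_equals cn 'a*(b)\c')"
```

Passing untrusted input through `ldap_escape` before placing it in a filter keeps characters such as `*` and `)` from changing the filter's structure.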