LDAP filter for blank empty attribute

Question

I have searched on this topic  but all I find are filters that return entries where a certain attribute is not present  like      manager       However  I want to find entries where the attribute is present  but has a null value  i e  an empty blank string   Can I do this using an LDAP filter  and if so  how   EDIT   Just to confirm  the above filter finds entries without the attribute  but not where the attribute is empty  null string    Is this dependent on the LDAP implementation or what

User · Answer

This article http   technet microsoft com en-us library ee198810 aspx led me to the solution  The only change is the placement of the exclamation mark     manager      It seems to be working just as wanted

User · Answer

Search for a null value by using  00  For example   ldapsearch -D cn admin -w pass -s sub -b ou users dc acme  manager  00  uid manager   Make sure if you use the null value on the command line to use quotes around it to prevent the OS shell from sending a null character to LDAP   For example  this won t work    ldapsearch -D cn admin -w pass -s sub -b ou users dc acme manager  00 uid manager   There are various sites that reference this  along with other special characters   Example    http   www ldapexplorer com en manual 109010000-ldap-filter-syntax htm http   msdn microsoft com en-us library windows desktop aa746475 28v vs 85 29 aspx

User · Answer

From LDAP  there is not a query method to determine an empty string   The best practice would be to scrub your data inputs to LDAP as an empty or null value in LDAP is no value at all   To determine this you would need to query for all with a value  manager    and then use code to determine the ones that were a  space  or null value   And as Terry said  storing an empty or null value in an attribute of DN syntax is wrong   Some LDAP server implementations will not permit entering a DN where the DN entry does not exist   Perhaps  you could  if your DN s are consistent  use something like     amp    manager cn    manager       This should return any value of manager where there was a value for manager and it did not start with  cn    However  some LDAP implementations will not allow sub-string searches on DN syntax attributes   -jim

User · Answer

I needed to do a query to get me all groups with a managedBy value set  not empty  and this gave some nice results       managedBy

User · Answer

The schema definition for an attribute determines whether an attribute must have a value  If the manager attribute in the example given is the attribute defined in RFC4524 with OID 0 9 2342 19200300 100 1 10  then that attribute has DN syntax  DN syntax is a sequence of relative distinguished names and must not be empty  The filter given in the example is used to cause the LDAP directory server to return only entries that do not have a manager attribute to the LDAP client in the search result

User · Answer

Semantically there is no difference between these cases in LDAP

[ldap] LDAP filter for blank (empty) attribute

Examples related to ldap