ldifde search AD for specific attribute only

[ohaya]

Hi,

I'm using ldifde to try to search AD for all instances of a specific
attribute ("certificateRevocationList").

The machine with AD also had MS Certificate Server installed, and that
attribute appears in a number of places (under "Configuration"), but the
problem is that when I do the search, I getting back a bunch of "empty"
entries that don't contain that attribute.

Is there a parameter to suppress such "empty" entries from returning?

I've also looked into using a filter ("-r"), but:

- the various objects that have the attribute don't have a
distinguishing objectClass (for example, one has objectClass
"crlDistributionPoint", and another has "certificationAuthority").
- I was hoping that I could at least use an "OR", but it looks like you
can't use an "OR" in a filter in ldifde?

Does anyone have any ideas of how I could do this? I just want the
entries that actually have the "certificateRevocationList" attribute to
be returned.

Thanks in advance,
Jim

 

[Wayne Tilton]

Hi,

I'm using ldifde to try to search AD for all instances of a specific
attribute ("certificateRevocationList").

The machine with AD also had MS Certificate Server installed, and that
attribute appears in a number of places (under "Configuration"), but the
problem is that when I do the search, I getting back a bunch of "empty"
entries that don't contain that attribute.

Is there a parameter to suppress such "empty" entries from returning?

I've also looked into using a filter ("-r"), but:

- the various objects that have the attribute don't have a
distinguishing objectClass (for example, one has objectClass
"crlDistributionPoint", and another has "certificationAuthority").
- I was hoping that I could at least use an "OR", but it looks like you
can't use an "OR" in a filter in ldifde?

Does anyone have any ideas of how I could do this? I just want the
entries that actually have the "certificateRevocationList" attribute to
be returned.

Thanks in advance,
Jim

ldifde -f crlobjects.ldf -d CN=configuration,DC=your,DC=com -r
certificateRevocationList=*

Will give you an LDIF file with all objects that have a CRL (one line, it
will wrap).

You can use OR (|) in LDIFDE, although in this case you don't need to
since you want all objects that have the attribute set. If you wanted to
restrict that to crlDistributionPoint OR certificationAuthority objects,
the filter would be (will wrap really badly!):

(&(|(objectClass=crlDistributionPoint)
(objectClass=certificationAuthority))(certificateRevocationList=*))

HTH,

Wayne Tilton

 

[Richard Mueller]

Hi,

try:

(certificateRevocationList=*)

This should return all objects with any value assigned to the attribute, but
not null. To OR two clauses use the "|" operator. For more on ADO searches
see this link:

http://www.rlmueller.net/ADOSearchTips.htm

 

[ohaya]

Hi Wayne and Richard,

Thanks for your help with this. It works!

Jim

 

[Joe Richards [MVP]]

I just want to point out that unless you have indexed objectclass you probably
want to use objectcategory in the query instead because it will be far more
efficient. In a smaller environment it may not matter, in a larger environment
it will probably save you from an LDAP timeout.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm