Comparing LDAP Attributes

Question

Comparing LDAP Attributes

I would like to filter for all LDAP objects where CN does not match sAMAccountName. Therefore, I wrote the following query, which, unfortunately, does not work and does not meet the RFC requirements:

(!(cn=sAMAccountName))

Does anyone know how to achieve the desired functionality?

Regards, Thomas

+6

comparison attributes ldap

Thomas May 19 '11 at 10:05

source share

3 answers

Terry gardner · Answer 1 · 2012-08-03T14:41:12+0000

(!(cn=sAMAccountName)) is "RFC-compliant" because the right side of the statement is taken as the value of the cn attribute.

Using this filter will return all entries in the search response where the cn attribute value is present, and the matching rule for cn returns false for the case-insensitive samaccountname (provided that the matching attribute rule cn not been changed from the published standard). Results will be subject to:

server expiration date
Server size limit
server access control

Perhaps you wanted to use

cn=value-of-samaccount-name

Nic · Answer 2 · 2013-07-05T16:27:29+0000

If you are in a Windows environment, you can use the PowerShell expression language for this.

 Get-ADUser -Filter * -Server my.domain.name -Properties CN | Where-Object {$_.CN -ne $_.sAMAccountName}

This is a pretty expensive request because it returns every single object for PowerShell to process, but it works.

Jiri klouda · Answer 3 · 2016-02-26T00:04:05+0000

LDAP filters do not allow you to use the value of another attribute to compare filters. You must select a record and compare both values.

Comparing LDAP Attributes

More articles: