Thursday, March 26, 2009

LDAP, uidNumber and ordering

Agh, another day, another LDAP thing that makes me unhappy.

Since cracking the trick to getting a unique uidNumber (see yesterday's installment the system has really come along well. I can actually add users now, from the web interface and all. Such modern luxuries!

In fact, I've added quite a lot of users. Now I want to remove my test ones. I know the uidNumber of the last real user I added, so it should be easy to get all users with a higher uidNumber than that, and delete them. Easy, right?

Wrong!

You see, I read the RFC and thought since it says you can do >= to match all integers greater-or-equal, I could actually do that. So I did this:


ldapsearch -L -x '(uidNumber>=10220)'


And the response I got was:
# search result
Additional information: inappropriate matching request

Hmmm... so time to check the schema, in case uidNumber isn't defined as a number... but it is:


# builtin
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
# DESC 'An integer uniquely identifying a user in an administrative domain'
# EQUALITY integerMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )


Yes, 1.3.6.1.4.1.1466.115.121.1.27 is INTEGER.

Turns out the issue is a lack of ORDERING clause - so I can do an equals-match on a uidNumber, but nothing that involves ordering. Some bright sparks have modified the nis.schema like this:


attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an administrative domain'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )


and it's all just worked for them. However, sadly for me, this attribute type is now built in to openLDAP, so modifying my nis.schema to add the ORDERING clause and un-comment those lines defining the attribute get me a slapd that refuses to start due to a duplicate attribute definition.

*sigh*

The solution appears to be to add another attribute of one's own that is basically a duplicate of uidNumber, but with an ORDERING rule added. Yeesh!

Or if you prefer some unix hackery:

ldapsearch -LLL -x '(objectClass=posixaccount)' | awk -F: '$1 ~ /dn/ {printf("%s ",$2)}; $1 ~ /uidNumber/ {printf("%s\n",$2)}' | sort -nk2 | awk '$2 > 10214 {print $1}' | ldapdelete -x -W -D 'uid=pyarra,ou=People,dc=example,dc=com,dc=au'


There might be a better way than this :-)

No comments:

Post a Comment

Post a Comment