IBM Security Directory Server, Version 6.3.1

LDAP_SEARCH

Use the LDAP_SEARCH API for carrying out various LDAP search operations.

ldap_search
ldap_search_s
ldap_search_ext
ldap_search_ext_s
ldap_search_st

Synopsis

#include sys/time.h /* for struct timeval definition */
#include ldap.h


int ldap_search(
       LDAP           *ld,
       const char     *base,
       int            scope,
       const char     *filter,
       char           *attrs[],
       int            attrsonly)

int ldap_search_ext( 
       LDAP           *ld,
       const char     *base,
       int            scope,
       const char     *filter,
       char            *attrs[],
       int            attrsonly,
       LDAPControl    **serverctrls,
       LDAPControl    **clientctrls,
       struct timeval *timeout,
       int            sizelimit,
       int            *msgidp)

int ldap_search_s(
       LDAP           *ld,
       const char     *base,
       int            scope,
       const char     *filter,
       char           *attrs[],
       int            attrsonly,
       LDAPMessage    **res)

int ldap_search_ext_s( 
       LDAP           *ld,
       const char     *base,
       int            scope,
       const char     *filter,
       char           *attrs[],
       int            attrsonly,
       LDAPControl    **serverctrls,
       LDAPControl    **clientctrls,
       struct timeval *timeout,
       int            sizelimit,
       LDAPMessage    **res)

int ldap_search_st(
       LDAP           *ld,
       const char     *base,
       int            scope,
       const char     *filter,
       char           *attrs[],
       int            attrsonly,
       struct timeval *timeout,
       LDAPMessage    **res)

Input parameters

ld

Specifies the LDAP pointer that is returned by a previous call to ldap_init(), ldap_ssl_init() or ldap_open().

base

Specifies the DN of the entry the search starts.

scope

Specifies the scope of the search. It can be LDAP_SCOPE_BASE (to search the object itself), or LDAP_SCOPE_ONELEVEL (to search the immediate children of the object), or LDAP_SCOPE_SUBTREE (to search the object and all its descendants).

filter

Specifies a string representation of the filter to apply in the search. Simple filters can be specified as attributetype=attributevalue. More complex filters are specified by using a prefix notation according to the following BNF:

filter ::='('filtercomp')'
filtercomp ::= and|or|not|simple
and ::= '&' filterlist
or ::= '|' filterlist
not ::= '!' filter
filterlist ::= filter|filterfiltertype
simple ::= attributetypefiltertype
attributevalue
filtertype ::= '='|'~='|'='|'='

The '~=' construct is used to specify approximate matching. The representation for attributetype and attributevalue are as described in "RFC 2252, LDAP V3 Attribute Syntax Definitions". In addition, attributevalue can be a single * to achieve an attribute existence test, or can contain text and asterisks ( * ) interspersed to achieve substring matching.

For example, the filter "(mail=*)" finds any entries that have a mail attribute. The filter "(mail=*@student.of.life.edu)" finds any entries that have a mail attribute which ends in the specified string. To put parentheses in a filter, escape them with a backslash ( \ ) character. See "RFC 2254, A String Representation of LDAP Search Filters" for a complete description of allowable filters.

attrs

Specifies a NULL-terminated array of character string attribute types to return from entries that match filter. If NULL is specified, all user attributes are returned.

The attrs parameter consists of an array of attribute type names to be returned for each entry that matches the search filter. By default, a search request returns only user attributes. Operational attributes, for example createtimestamp and modifytimestamp, are returned only when provided in the attrs parameter. The following attributes types that are listed when specified in the attrs parameter have special meaning in LDAP searches and can be combined with other attribute types.

*: Returns all user attributes.
1.1: Specifies to return no attributes and is used to request that a search returns only the matching distinguished names.
+: Returns all operational attributes.
+ibmaci: Returns the access control related operational attributes that exclude those attributes that are expensive to return.
+ibmentry: Returns a core-set of operational attributes that all entries in the directory server contain, such as creatorsName and createTimestamp. This server excludes those attributes that are expensive to return.
+ibmrepl: Returns operational attributes that are related to replication that excludes those attributes that are expensive to return.
+ibmpwdpolicy: Returns operational attributes that are related to password policy that excludes those attributes that are expensive to return.
++: Returns all operational attributes, including those attributes that are considered expensive to return, such as ibm-allGroups and ibm-replicationPendingChanges.
++ibmaci: Returns all access control related operational attributes.
++ibmentry: Returns all operational attributes that every entry contains, such as numsubordinates and ibm-entryChecksum.
++ibmrepl: Returns all operational attributes that are related to replication.
++ibmpwdpolicy: Returns all operational attributes that are related to password policy.

See “the Supported special attributes and associated list of operational attributes table” in IBM Security Directory Server Version 6.3.1 Administration Guide. You can know more about the list of specific attributes the server returns for + and ++ attributes.

Note: Server support for + and ++ is optional, and the list of attributes that returned might not include all operational attributes because of security or performance concerns. A server indicates support for the all operational attributes feature by returning the value 1.3.6.1.4.1.4203.1.5.1 in the supportedfeatures root DSE attribute.

To know more about the syntax and usage of the command-line utilities, idsldapsearch and ldapsearch, see IBM Security Directory Server Version 6.3.1 Command Reference.

attrsonly

Specifies attribute information. The attrsonly parameter must be set to 1 to request attribute types only or set to 0 to request both attribute types and attribute values.

sizelimit

Specifies the maximum number of entries to return. The server can set a lower limit which is enforced at the server.

timeout

The ldap_search_st() API specifies the local search timeout value. The ldap_search_ext() and ldap_search_ext_s() APIs specify both the local search timeout value and the operation time limit that is sent to the server within the search request.

The local search timeout relates to the timeout parameter address that is passed to the API, such as ldap_search_st and ldap_search_ext. The local search timeout structure has two member variables, long int tv_sec and long int tv_usec.

long int tv_sec - Represents elapsed time in seconds.
long int tv_usec - Represents the rest of elapsed time in microseconds.

Since the timeout value for local search timeout is tv_sec + tv_usec, if tv_sec is 0 then the timeout value is in microseconds.

The operation timeout limit relates to the value set in the LDAP handle, ld, by using calls to ldap_set_option (ld, LDAP_OPT_TIMELIMIT, value_in_seconds).

serverctrls

Specifies a list of LDAP server controls. This parameter can be set to NULL. For more information about server controls, see LDAP controls.

clientctrls

Specifies a list of LDAP client controls. This parameter can be set to NULL. For more information about client controls, see LDAP controls.

Output parameters

res: Contains the result of the asynchronous operation that is identified by msgid, or returned directly from ldap_search_s() or ldap_search_ext_s(). This result is passed to the LDAP parsing routines. See LDAP_RESULT.
msgidp: This result parameter is set to the message ID of the request if the ldap_search_ext() call succeeds.

Usage

These routines are used to run LDAP search operations.

The ldap_search_ext() API initiates an asynchronous search operation and returns the constant LDAP_SUCCESS if the request was successfully sent, or another LDAP error code if not.

If successful, ldap_search_ext() places the message ID of the request in *msgidp. Use a subsequent call to ldap_result() to obtain the results from the search.

Similar to ldap_search_ext(), the ldap_search() API initiates an asynchronous search operation and returns the message ID of this operation. If an error occurs, ldap_search() returns -1, setting the session error in the LD structure, which can be obtained by using ldap_get_errno(). If successful, use a subsequent call to ldap_result() to obtain the results from the search.

The synchronous ldap_search_ext_s(), ldap_search_s(), and ldap_search_st() functions all return the result of the operation: either the constant LDAP_SUCCESS if the operation was successful or an LDAP error code if the operation was not successful. For more information about possible errors and how to interpret them, see LDAP_ERROR. If any entries are returned from the search, they are contained in the res parameter. This parameter is opaque to the caller. Entries, attributes, values, and others, must be extracted by calling the result parsing routines. The memory that is allocated for res must be freed when no longer in use, whether the operation was successful, by calling ldap_msgfree().

The ldap_search_ext() and ldap_search_ext_s() APIs support LDAP V3 server controls and client controls, and allow varying size and time limits to be easily specified for each search operation. The ldap_search_st() API is identical to ldap_search_s(), except that it requires an additional parameter that specifies a local timeout for the search.

There are three options in the session handle ld which potentially can affect how the search is run. They are:

LDAP_OPT_SIZELIMIT: A limit on the number of entries that are returned from the search. 0 means no limit. The value from the session handle is ignored when you use the ldap_search_ext() or ldap_search_ext_s() functions.
LDAP_OPT_TIMELIMIT: A limit on the number of seconds to spend on the search. Zero means no limit.
Note: The value from the session handle is ignored when you use the ldap_search_ext() or ldap_search_ext_s() functions.
LDAP_OPT_DEREF: One of LDAP_DEREF_NEVER (0x00), LDAP_DEREF_SEARCHING (0x01), LDAP_DEREF_FINDING (0x02), or LDAP_DEREF_ALWAYS (0x03), specifying how aliases must be handled during the search. The LDAP_DEREF_SEARCHING value means that aliases must be dereferenced during the search but not when you locate the base object of the search. The LDAP_DEREF_FINDING value means that aliases must be dereferenced when you locate the base object but not during the search.

These options are set and queried by using the ldap_set_option() and ldap_get_option() APIs.

Reading an entry: LDAP does not support a read operation directly. Instead, this operation is emulated by a search with base set to the DN of the entry to read, scope that is set to LDAP_SCOPE_BASE, and filter that is set to "(objectclass=*)". The attrs parameter optionally contains the list of attributes to return.

Listing the children of an entry: LDAP does not support a list operation directly. Instead, this operation is emulated by a search with base set to the DN of the list entry, scope set to LDAP_SCOPE_ONELEVEL, and filter that is set to "(objectclass=*)". The attrs parameter optionally contains the list of attributes to return for each child entry. If only the distinguished names of child entries are wanted, the attrs parameter must specify a NULL-terminated array of one-character strings that has the value dn.

Errors

ldap_search_s(), ldap_search_ext_s, and ldap_search_st() return the LDAP error code from the search operation.

ldap_search() and ldap_search_ext() return -1 instead of a valid msgid if an error occurs, setting the session error in the LD structure. The session error can be obtained by using ldap_get_errno().

For more information, see LDAP_ERROR.

Notes

These routines allocate storage that is returned by the res parameter. Use ldap_msgfree() to free this storage.