LDAP Search – Conditional Attributes

Conditional Attributes allow the user to define the value that is returned based on a true or false conditional statement that is assessed for each object returned by the query. The condition comprises of two variables and a logic operator, and two results. The variables and results can be based on an attributes or static entries.

A Conditional Attribute has the following Syntax:

<Attribute>;{if:<Variable1>[;DataType] <Op> <Variable2>:<True Result>:<False Result>}{;DecodeType}

Attribute -The name that the value will be returned against, the name will displayed as if it's an attribute of the object.
Variable1, Variable2 - These are values that will be compared, these can be attributes of the object or static value. Attributes are referenced by specifying the name of the attribute. For Static values, encapsulate the value in quote marks.  A wildcard character * can be used in a static value for Variable2, to find the value anywhere in the value returned by the attribute i.e. "*disable"

Op - Defines the logical operator used to compare the two variables:

== Equal
!= Not Equal
>= Greater or equal
<= Less or equal
> Greater than
< Less than

DataTypes - defines if the variable needs to be converted into a different format before the comparison is completed, if the DataType is only provided for one variable then both variables are converted to the specific DataType.
The following DataTypes are supported:

Int - Convert the variable to an Integer
Date - Convert the variable to a Date
Len - Returns the length of the variable, if the DataType of the other variable is not specified then Int DataType is assumed

True Result The value that will be returned if the condition is true
False Result The value that will be returned if the condition is false
The result values can also be attributes or static values and use the same formatting as the variables

DecodeType - This is used to convert the output using the DecodeTypes.  See Decode Types

Examples:

Updated;{if:usnchanged!=usncreated:"Updated":"Unchanged"}
Active;{if:useraccountcontrol=="*disable":"False":"True"}
LogonTime;{if:lastlogon;date>lastlogontimestamp:lastlogon:lastlogontimestamp}

Both the Variables and Results can use any of the filter substitution options, in this case they must be defined as static entries, i.e. encapsulated in quote marks. See Substitutions

LDAP Search Substitution

NetTools supports a number of Inline substitution options, that enables different data types to be entered in a user friendly formats, without the need to remember complicated data formats.  These can be used in the filter to simplify filter entry or convert data format for attribute updates with Update Queries.  

There are two types of substitutions available, data converters, and matching rule converters.

Data Converters

Data converters have the following format {<type>:[data]}

-1: int64 const of -1 e.g. (pwdlastset={-1:}) which will be replaced with 9223372036854775807
sid: object sid e.g. (objectsid={sid: S-1-5-21-3499964120-3315823391-1593708255-164234})
guid: object guids e.g. (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
oid: oid identifiers e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702})
ip: IP address in windows order e.g. (ipaddress={ip:10.12.45.254})
ipn: IP address in network order e.g. (ipaddress={ipn:10.12.45.254})
hex: hexadecimal value e.g. (&(objectclass=group)(grouptype={hex:0x8000002}))
userinput: request user input e.g. {userinput:Date} responses are cached against the label, if the same label is used again the cached response is used
unicode: return the specified string as escape hex string {unicode:new}
idate: 64bit Time e.g. (lastlogontimestamp={idate:31/12/2011})
zdate: Generalized Time Format e.g. (whencreated={zdate:30/12/2011})
sdate: returns the date in dd/mm/yyyy format, when used in conjunction with Now constant
sdatetime: returns the date in dd/mm/yyyy hh:mm:ss format, when used in conjunction with Now constant
anr: Create an ANR filter based on the input string e.g. {anr:john smith}
-1: A static replacement with 9223372036854775807, e.g. (accountexpires={-1:})

zdate, idate, sdate, and sdatetime types also support the 'Now' constant, and can be used with with optional plus and minus days.
e.g. {zdate:now}, {zdate:now-365}, {idate:now+5}, {sdate:now}

Nesting is supported on a number of the substitutions to convert from one format to another or converting a user input e.g  {idate:i{usernput:enter date}}

Matching Rules Converters

Matching rule converters use a single character as a substitute for the matching rule OIDs for LDAP filters, these are |  & % $

|= is the Or bit logic operator e.g. (!useraccountcontrol |= 2)  - expands to (!useraccountcontrol:1.2.840.113556.1.4.802:=2)

&= is the And bit logic operator e.g. (useraccountcontrol &= 2)  - expands to (useraccountcontrol:1.2.840.113556.1.4.803:=2)

%= is the chain operator e.g. (memberof %= (cn=Group1,OU=groupsOU,DC=test,DC=com)) - expands to (memberof:1.2.840.113556.1.4.1941:= (cn=Group1,OU=groupsOU,DC=test,DC=com))

$= is the DN-Binary or DN-String search e.g. (msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp) - expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Configuration,DC=corp)