I was looking at a metaverse object in MIIS today noticed some admin had set the mail attribute to a single SPACE ( ) character. The Metaverse is stored in a SQL server, so naturally the query structure is different than any constraints of LDAP.
I wanted to discover how many other user objects had the same issue, so I decided to pull out ADfind and issue this command:
ADFIND -H MYSERVER -DEFAULT -F “(&(objectCategory=person)(mail= ))” -C
ok, so I thought it was my lack of quoting and tried:
ADFIND -H MYSERVER -DEFAULT -F “(&(objectCategory=person)(mail=’ ‘))” -C
Since it’s command line I was sure that the quoting would encapsulate it correctly, so I figure it is being stripped out by the LDAP query (I made this same Query ins ADSIedit and LDP with no luck) so perhaps there is an escape character for such a thing. I have done many queries with filters like “description=The Man”, and the space was interpreted correctly. Yet it seems, a single space, by itself is not passed to the query correctly.
So I check out the uber friendly RFCs and find escape characters for types such as * and NUL, but really no mention of a single space as anything special. I checked the LDAP V3 RFC as well for any real mention of when and when a single space is dropped from the query, finding nothing related.
Fortunately, using the escaped sequence in the query (“mail=20”) to represent a space worked just fine and returned the object I was looking for.
ADFIND -H MYSERVER -DEFAULT -F “(&(objectCategory=person)(mail=20))” -C
So LDAP filters can container spaces as the value being queried for, but cannot be a single space without using an escape sequence to represent the value.
I suppose it’s kind of silly, but I had never really looked for such an occurrence before, so it was an interesting learning experience.
I posted this question on the ActiveDir.Org Mailing list, and Joe answered me explaining that Filters are basically trimmed of leading and trailing whitespace by the LDAP API. In fact the space isn’t even sent to the server as the query. This was not mentioned in the RFC however. I’ll post the message link once it shows up in the Archive.
Original mailing list posts can be found here: