PingDirectory

Searching for soft deletes

Soft-deleted entries are excluded from normal LDAP searches because they represent deleted entries. The updated ldapsearch tool supports these types of searches.

About this task

There are three different ways to search for soft-deleted entries.

Steps

  • To perform a base-level search on a soft-deleted entry by distinguished name (DN), run the ldapsearch command and specify the base DN of the specific soft-deleted entry that you are searching for.

  • To filter your search by the ds-soft-delete-entry object class, run the ldapsearch command with a filter on that object class to return all soft-deleted entries.

  • To return soft-deleted entries, use the soft delete entry access control with the LDAP search.

    The ldapsearch tool provides a shortcut option, --includeSoftDeletedEntries, that sends the control to the server for processing. The control allows for the following search possibilities:

    • Return only soft-deleted entries.

    • Return non-deleted entries along with soft-deleted entries.

    • Return only soft-deleted entries in undeleted form.

Running a base-level search on a soft-deleted entry

Use the command line to run a base-level search on a soft-deleted entry.

Steps

  • Run the ldapsearch command using the base distinguished name (DN) of the specified soft-deleted entry.

    Example:

    $ bin/ldapsearch \
      --baseDN entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com \
      --searchScope base "(objectClass=*)"

    Result:

    # Soft-deleted entry DN:
    # entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com
    dn: entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: ds-soft-delete-entry
    postalAddress: Aartjan Aalders$59748 Willow Street$Green Bay, TN 66239
    postalCode: 66239
    description: This is the description for Aartjan Aalders.
    uid: user.1
    userPassword: {SSHA}RdBCwQ2kIw57LukRthjrFBS/oFylJARnmTnorA==
    employeeNumber: 1
    initials: AKA
    givenName: Aartjan
    pager: +1 197 025 3730
    mobile: +1 890 430 9077
    cn: Aartjan Aalders
    sn: Aalders
    telephoneNumber: +1 094 100 7524
    street: 59748 Willow Street
    homePhone: +1 332 432 4295
    l: Green Bay
    mail: user.3@maildomain.net
    st: TN

Running a filtered search by soft-delete-entry object class

Retrieve all soft-deleted entries using the ds-soft-delete-entry object class.

Steps

  • Run the ldapsearch command to retrieve all soft-deleted entries using the ds-soft-delete-entry object class.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com \
      "(objectclass=ds-soft-delete-entry)"

Running a search using the soft delete entry access control

The following examples use the --includeSoftDeletedEntries {with-non-deleted-entries | without-non-deleted-entries | deleted-entries-in-undeleted-form} option, which uses the soft delete entry access control.

About this task

You can use the --control option with the soft delete entry access control symbolic name, softdeleteentryaccess, or the --control option with the actual soft delete entry access control OID, 1.3.6.1.4.1.30221.2.5.24.

Steps

  1. To return only soft-deleted entries, run ldapsearch using the --includeSoftDeletedEntries option with the value of without-non-deleted-entries.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com \
      --includeSoftDeletedEntries without-non-deleted-entries \
      --searchScope sub "(objectclass=*)"

  2. To return non-deleted entries along with soft-deleted entries, run ldapsearch using the --includeSoftDeletedEntries option with the value of with-non-deleted-entries.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com \
      --includeSoftDeletedEntries with-non-deleted-entries \
      --searchScope sub "(objectclass=*)"

  3. To return only soft-deleted entries in undeleted form, run ldapsearch using the --includeSoftDeletedEntries option with the value of deleted-entries-in-undeleted-form.

    Some applications require access to all entries in the server, including both active and soft-deleted entries.

    Example:

    The following command returns all entries that were soft-deleted but presents them in a form similar to a regular entry, with the soft-deleted DN shown in a comment. In this format the dn line does not show the actual soft-deleted DN but displays the entry in an "undeleted" form, even though it has not actually been undeleted. The ds-soft-delete-entry object class is also not displayed.

    $ bin/ldapsearch --baseDN dc=example,dc=com \
      --includeSoftDeletedEntries deleted-entries-in-undeleted-form \
      --searchScope sub "(ds-soft-delete-from-dn=*)"

    # Soft-deleted entry DN:
    # entryUUID=2b5511e2-7616-389b-ab0c-025c805ad32c+uid=user.14,ou=People,dc=example,dc=com
    dn: uid=user.14,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    postalAddress: Abdalla Abdou$78929 Hillcrest Street$Elmira, ME 93080
    postalCode: 93080
    description: This is the description for Abdalla Abdou.
    uid: user.14
    userPassword: {SSHA}7GkzWiMiU12m5m+xBV+ZsoX3gVacMcRtSwDTFg==
    employeeNumber: 14
    initials: AFA
    givenName: Abdalla
    pager: +1 307 591 4870
    mobile: +1 401 069 1289
    cn: Abdalla Abdou
    sn: Abdou
    telephoneNumber: +1 030 505 6190
    street: 78929 Hillcrest Street
    homePhone: +1 119 487 2328
    l: Elmira
    mail: user.14@maildomain.net
    st: ME
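As an added example (not from the PingDirectory documentation), the following POSIX shell/awk filter reads ldapsearch output in either of the forms shown in these steps and emits one tab-separated line per soft-deleted entry with its original DN and its soft-deleted DN, so the two forms can be reconciled in an audit. The sample LDIF is constructed from the DNs in the examples above; the ldapsearch invocation in the comment assumes the options documented on this page.

```shell
#!/bin/sh
# Added example, not PingDirectory's own code. Prints one line per entry:
#   <form> TAB <original DN> TAB <soft-deleted DN>
# "native" = dn is the soft-deleted DN (entryUUID=...+<rdn>,...) and the entry
# carries objectClass ds-soft-delete-entry; "undeleted-form" = dn is the original
# DN and the soft-deleted DN appears only in the "# Soft-deleted entry DN:" comment.
soft_delete_report() {
  awk '
    /^ / { buf = buf substr($0, 2); next }   # unfold LDIF continuation lines
    { if (NR > 1) handle(buf); buf = $0 }
    END { handle(buf); flush() }
    function handle(line) {
      if (line ~ /^# Soft-deleted entry DN:/) { flush(); expect = 1; return }
      if (expect && line ~ /^# /) { sdn = substr(line, 3); expect = 0; return }
      if (line ~ /^dn: /) { if (dn != "") flush(); dn = substr(line, 5); return }
      if (line == "objectClass: ds-soft-delete-entry") { native = 1; return }
      if (line == "") flush()
    }
    function flush() {
      if (dn == "") return
      orig = dn
      if (native) {
        # native form: drop the "entryUUID=<uuid>+" part of the RDN to get the original DN
        sub(/^entryUUID=[^+]*[+]/, "", orig)
        if (sdn == "") sdn = dn
        printf "native\t%s\t%s\n", orig, sdn
      } else {
        printf "undeleted-form\t%s\t%s\n", orig, sdn
      }
      dn = ""; sdn = ""; native = 0
    }
  '
}

# Constructed sample (DNs taken from the examples above) so this runs offline.
# Against a live server, pipe the search from step 1 in instead, e.g.:
#   bin/ldapsearch --baseDN dc=example,dc=com --includeSoftDeletedEntries \
#     without-non-deleted-entries --searchScope sub "(objectclass=*)" | soft_delete_report
SAMPLE_LDIF='# Soft-deleted entry DN:
# entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com
dn: entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ds-soft-delete-entry
uid: user.1

# Soft-deleted entry DN:
# entryUUID=2b5511e2-7616-389b-ab0c-025c805ad32c+uid=user.14,ou=People,dc=example,dc=com
dn: uid=user.14,ou=People,dc=exam
 ple,dc=com
objectClass: inetOrgPerson
uid: user.14'

printf '%s\n' "$SAMPLE_LDIF" | soft_delete_report
```

Soft-deleted entries keep their full attribute set (the output above still includes userPassword), so the report prints DNs only and the raw ldapsearch output it consumes should be handled like any other directory export.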