Re^3: Net::LDAP q

by salva (Canon)
on Sep 06, 2011 at 09:57 UTC


in reply to Re^2: Net::LDAP q
in thread Net::LDAP q

The LDAP protocol does not support setting the type of the arguments in comparison filters. It is up to the server to decide which one to use.

Anyway, I would enable debugging on the Net::LDAP object and see what is being sent and received by the script:

$ldap->debug(12);

Replies are listed 'Best First'.
Re^4: Net::LDAP q
by fisher (Priest) on Sep 06, 2011 at 10:32 UTC
    Thank you for a tip.
    Searching for uids less than 1000 and gt 500...
    Net::LDAP=HASH(0x22d4ee0) sending:
    0000   82: SEQUENCE {
    0002    1:   INTEGER = 2
    0005   77:   [APPLICATION 3] {
    0007   39:     STRING = 'ou=slurm,dc=lomonosov,dc=parallel,dc=ru'
    0030    1:     ENUM = 2
    0033    1:     ENUM = 2
    0036    1:     INTEGER = 0
    0039    1:     INTEGER = 0
    003C    1:     BOOLEAN = FALSE
    003F   17:     [CONTEXT 6] {
    0041    9:       STRING = 'uidNumber'
    004C    4:       STRING = '1000'
    0052     :     }
    0052    0:     SEQUENCE {
    0054     :     }
    0054     :   }
    0054     : }
    Net::LDAP=HASH(0x22d4ee0) received:
    0000   12: SEQUENCE {
    0002    1:   INTEGER = 2
    0005    7:   [APPLICATION 5] {
    0007    1:     ENUM = 0
    000A    0:     STRING = ''
    000C    0:     STRING = ''
    000E     :   }
    000E     : }
    Ok
    Found:
    I suppose that 'context 6' in this context means 'less or equal'; according to rfc,
    LDAPMessage ::= SEQUENCE {
         messageID       MessageID,
         protocolOp      CHOICE {
              bindRequest           BindRequest,
              bindResponse          BindResponse,
              unbindRequest         UnbindRequest,
              searchRequest         SearchRequest,
              searchResEntry        SearchResultEntry,
              searchResDone         SearchResultDone,
    [...]
    SearchRequest ::= [APPLICATION 3] SEQUENCE {
         baseObject      LDAPDN,
         scope           ENUMERATED {
              baseObject              (0),
              singleLevel             (1),
              wholeSubtree            (2),
              ... },
         derefAliases    ENUMERATED {
              neverDerefAliases       (0),
              derefInSearching        (1),
              derefFindingBaseObj     (2),
              derefAlways             (3) },
         sizeLimit       INTEGER (0 .. maxInt),
         timeLimit       INTEGER (0 .. maxInt),
         typesOnly       BOOLEAN,
         filter          Filter,
         attributes      AttributeSelection }
    [...]
    Filter ::= CHOICE {
    [...]
         greaterOrEqual  [5] AttributeValueAssertion,
         lessOrEqual     [6] AttributeValueAssertion,
    [...]
    AttributeValueAssertion ::= SEQUENCE {
         attributeDesc   AttributeDescription,
         assertionValue  AssertionValue }

    AttributeDescription ::= LDAPString
                            -- Constrained to <attributedescription>
                            -- [RFC4512]

    AssertionValue ::= OCTET STRING
    Everything seems to be OK, but *why* does the console utility 'ldapsearch' return ~200 entries, and Net::LDAP doesn't?
Re^4: Net::LDAP q
by fisher (Priest) on Sep 06, 2011 at 10:48 UTC
    answer has been found, thank you.

      What was the issue? Inquiring minds want to know. Adding information as to the source of the problem, solutions tried, and one that actually worked will help those who come after you.

      --MidLifeXis

        1. My assumption that the 'ldapsearch' utility gives me the right result was wrong. According to rfc4515 there are no '>' or '<' comparators - at all. Thus, the ldapsearch utility forms a request with the filter 'objectclass=*', which gives me all the entries in the given basedn. As I have almost all the entries with uidNumber in between 500 and 1000, I misunderstood the result.

        I got this fact only with wireshark's help - yes, I did tcpdump on the request to find it. If 'ldapsearch' can't recognize the given filter, it silently forms the filter 'present, objectClass' and treats the original user's filter as an attribute name to search.

        2. The server actually can't answer that kind of request; to do this, you need to modify the ldap schema and define the attribute with proper ordering rules. The most helpful piece of text can be found here.

      Net::LDAP::Gateway contains a sample LDAP server that can dump the packets it receives as almost-human-friendly Perl data structures. It has served me in the past to compare and validate requests made through Net::LDAP and ldapsearch and solve problems such as the one you were facing.
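
Added example, not code from this thread or from Net::LDAP: a core-Perl encoder for the simple comparison filter items that refuses a bare '<' or '>' instead of silently sending a different filter. The first input reproduces the [CONTEXT 6] element (17 content bytes) from the debug dump above. The sub names (ber_len, tlv, encode_item, encode_and) are invented for this illustration, and substring, presence and escaped values are deliberately out of scope.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 4511 Filter CHOICE tags (context class, constructed) for the simple
# comparison items. There is no tag for a bare '<' or '>'.
my %TAG = ('=' => 0xA3, '>=' => 0xA5, '<=' => 0xA6);

# BER definite length: short form below 128, long form otherwise.
sub ber_len {
    my ($n) = @_;
    return chr($n) if $n < 128;
    my $bytes = '';
    while ($n > 0) { $bytes = chr($n & 0xFF) . $bytes; $n >>= 8 }
    return chr(0x80 | length $bytes) . $bytes;
}

# One tag-length-value element.
sub tlv {
    my ($tag, $body) = @_;
    return chr($tag) . ber_len(length $body) . $body;
}

# Encode one "(attr OP value)" item as an AttributeValueAssertion.
# Anything else (including '<' or '>' without '=') dies instead of
# being reinterpreted.
sub encode_item {
    my ($str) = @_;
    $str =~ /^\(([A-Za-z][A-Za-z0-9-]*)(>=|<=|=)([^()*\\]+)\)$/
        or die "not a valid RFC 4515 comparison item: $str\n";
    my ($attr, $op, $value) = ($1, $2, $3);
    # 0x04 is OCTET STRING, printed as STRING in the Net::LDAP debug dump.
    return tlv($TAG{$op}, tlv(0x04, $attr) . tlv(0x04, $value));
}

# and [0] SET OF Filter: combines items into a range.
sub encode_and { return tlv(0xA0, join '', map { encode_item($_) } @_) }

# Constructed inputs: the filter from the dump, then the invalid form.
for my $f ('(uidNumber<=1000)', '(uidNumber<1000)') {
    my $ber = eval { encode_item($f) };
    print defined $ber ? "$f -> " . unpack('H*', $ber) . "\n"
                       : "$f rejected: $@";
}

# The range the search was meant to express: 500 <= uidNumber <= 1000.
print "range -> ",
    unpack('H*', encode_and('(uidNumber>=500)', '(uidNumber<=1000)')), "\n";
```

Whether the server can evaluate the two ordering items still depends on the attribute having an ordering rule in the schema, as noted in point 2 above.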
