I want to query a Domino LDAP for persons who are not members of a special group. For easier access, the group membership is mapped to dominoaccessgroups on the person record.
What is special about dominoaccessgroups is that it's an operational attribute and has multiple occurrences in the record.
I tried the following query.
(&(objectClass=dominoPerson)(!(dominoAccessGroups=CN=not_in_this_group)))
but the person I want to exclude is still in the result.
Are operational attributes allowed in a query?
Must the equal sign be escaped?
Are the multiple occurrences of the attribute a problem?
Your syntax seems fine, but AFAIK you can't use the dominoAccessGroups attribute in a search. It behaves as if this attribute does not exist for any entry.
Normally operational attributes can also be queried (e.g. displayName). However, if you look at the attribute description for dominoAccessGroups in the LDAP Schema database:
All groups to which an entry belongs for security. Read-only operational attribute (not allowed in filter)
I think it's because of how it works. Each time you request dominoAccessGroups (it's not calculated if you don't specifically ask for it to be displayed), it calculates group membership recursively. Also, in contrast to other operational attributes, it's not mapped by a Domino field, and it cannot be found in the full-text index.
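Since the answer says the attribute is computed only when requested and cannot appear in a filter, one workaround is to search on (objectClass=dominoPerson), request dominoAccessGroups explicitly, and exclude members client-side. The sketch below is an added example, not part of the original thread or any Domino tooling; the function names and the entry layout (a dict with "dn" and "attributes") are assumptions, and the sample entries are constructed. It also shows that RFC 4515 filter escaping leaves the equal sign untouched.

```python
import re

# RFC 4515: only these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for an LDAP filter; '=' and ',' pass through unchanged."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around separators for comparison.

    Simplification: splits on unescaped commas only; multi-valued RDNs ('+')
    are not reordered.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def persons_not_in_group(entries, group_dn, attr="dominoAccessGroups"):
    """Return entries whose multi-valued group attribute lacks group_dn.

    Attribute names are matched case-insensitively. An entry without the
    attribute counts as a non-member, so the attribute must have been
    requested explicitly in the search or nobody is excluded.
    """
    wanted = normalize_dn(group_dn)
    result = []
    for entry in entries:
        values = []
        for name, vals in entry["attributes"].items():
            if name.lower() == attr.lower():
                values = [vals] if isinstance(vals, str) else list(vals)
        if wanted not in {normalize_dn(v) for v in values}:
            result.append(entry)
    return result


# Constructed sample entries, shaped like results of a search that listed
# dominoAccessGroups among the requested attributes.
SAMPLE = [
    {"dn": "CN=Alice Example,O=Acme", "attributes": {"dominoAccessGroups": ["CN=staff", "cn=Not_In_This_Group"]}},
    {"dn": "CN=Bob Example,O=Acme", "attributes": {"dominoaccessgroups": ["CN=staff"]}},
    {"dn": "CN=Carol Example,O=Acme", "attributes": {}},
]
```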