https://bugs.openldap.org/show_bug.cgi?id=9402
--- Comment #2 from Vincent Danjean vdanjean.ml@free.fr --- Hi,
It is very difficult to find documentation about dnSubtreeMatch. Based on what I read and tried, it seems to allow one to match an entire subtree (i.e. all entries below a specific dn).
I do not see how it relates to LDAP_MATCHING_RULE_IN_CHAIN but I would be very pleased to be wrong.
My ldap database has nested groups. Here is a very small example:

ldapsearch [options] '(|(uid=mylogin)(cn=g-mygroup)(cn=mymachine))' cn uid member memberof
[...]
# mylogin, people, Home, example.org
dn: uid=mylogin,ou=people,ou=Home,dc=example,dc=org
cn: My Login
uid: mylogin
memberOf: cn=mylogin,ou=groups,ou=Home,dc=example,dc=org
memberOf: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
[...]

# g-mygroup, groups, UsersGroups, ControlAccess, example.org
dn: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
cn: g-mygroup
member: uid=mylogin,ou=people,ou=Home,dc=example,dc=org
memberOf: cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org
[...]

# mymachine, groups, Machines, ControlAccess, example.org
dn: cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org
cn: mymachine
member: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
[...]
So mylogin is in group g-mygroup that itself is in group mymachine.
Selecting users that (transitively) are in mymachine could be done with LDAP_MATCHING_RULE_IN_CHAIN with:

ldapsearch [options] '(&(uid=mylogin)(memberOf:1.2.840.113556.1.4.1941:=cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org))'

And it will work *whatever the number of nested groups there are* (there is probably a limit on the server).
Is it possible to do the same with dnSubtreeMatch?
I've read lots of questions about managing nested groups with ldap. On the internet, I only saw people talking about LDAP_MATCHING_RULE_IN_CHAIN when using MS software, or people implementing the recursive search in software (ldap client side) when using openldap. If a solution based on dnSubtreeMatch exists, I would be very pleased (and also lots of other people).
Regards, Vincent
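The client-side recursive search that the comment above mentions as the usual workaround on OpenLDAP, written out as an added example. This is not code from the ITS thread or from OpenLDAP; the three entries are a constructed in-memory copy of the objects quoted in the comment (the cn=mylogin group itself was elided there and so is left unresolved here), and the helper names transitive_groups_of, expand_group and is_transitive_member are this example's own. In a live deployment each dictionary lookup would be a base-scope ldapsearch for that DN. The upward walk over memberOf answers the same question as the (memberOf:1.2.840.113556.1.4.1941:=...) filter; the downward walk over member lists the transitive members of a group. Both carry a visited set, so a cycle or diamond in the group graph terminates, and a depth bound that plays the role of the server-side nesting limit the comment suspects exists.

```python
"""Client-side expansion of nested LDAP groups (added example, not from
the ITS thread). The directory below is constructed sample data copied
from the entries quoted in the comment; DN strings are compared as-is,
so normalise them first if your data mixes attribute-type casing."""
from copy import deepcopy
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

MYLOGIN = "uid=mylogin,ou=people,ou=Home,dc=example,dc=org"
MYLOGIN_GROUP = "cn=mylogin,ou=groups,ou=Home,dc=example,dc=org"
G_MYGROUP = "cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org"
MYMACHINE = "cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org"

# Constructed sample directory keyed by DN. cn=mylogin's own entry was
# elided in the comment, so it is referenced but deliberately not present.
DIRECTORY: Directory = {
    MYLOGIN: {"uid": ["mylogin"], "memberOf": [MYLOGIN_GROUP, G_MYGROUP]},
    G_MYGROUP: {"cn": ["g-mygroup"], "member": [MYLOGIN], "memberOf": [MYMACHINE]},
    MYMACHINE: {"cn": ["mymachine"], "member": [G_MYGROUP]},
}

MAX_DEPTH = 32  # hypothetical nesting bound; stops runaway walks on bad data


def transitive_groups_of(dn: str, directory: Directory,
                         max_depth: int = MAX_DEPTH) -> Set[str]:
    """Walk memberOf upwards from `dn`.

    Returns every group DN that contains `dn`, directly or through nested
    groups. A group G is in the result exactly when the AD filter
    (memberOf:1.2.840.113556.1.4.1941:=G) would match `dn`.
    max_depth=1 yields only the direct groups.
    """
    found: Set[str] = set()
    stack: List[Tuple[str, int]] = [(dn, 0)]
    while stack:
        cur, depth = stack.pop()
        if depth >= max_depth:
            continue  # do not expand beyond the nesting bound
        # A DN with no entry (dangling reference) simply has no parents.
        for parent in directory.get(cur, {}).get("memberOf", []):
            if parent in found:
                continue  # already visited: diamond or cycle in the graph
            found.add(parent)
            stack.append((parent, depth + 1))
    return found


def expand_group(group_dn: str, directory: Directory,
                 max_depth: int = MAX_DEPTH) -> Set[str]:
    """Walk member downwards from `group_dn`.

    Returns the non-group (leaf) DNs that are transitive members. An entry
    counts as a group when it carries a `member` attribute; anything else,
    including a DN that resolves to no entry, is reported as a leaf so that
    dangling references stay visible to the caller.
    """
    leaves: Set[str] = set()
    visited: Set[str] = {group_dn}
    stack: List[Tuple[str, int]] = [(group_dn, 0)]
    while stack:
        cur, depth = stack.pop()
        if depth >= max_depth:
            continue
        for member in directory.get(cur, {}).get("member", []):
            if member in visited:
                continue  # cycle protection: a group that lists an ancestor
            visited.add(member)
            if "member" in directory.get(member, {}):
                stack.append((member, depth + 1))  # nested group
            else:
                leaves.add(member)
    return leaves


def is_transitive_member(user_dn: str, group_dn: str,
                         directory: Directory) -> bool:
    """Client-side equivalent of the LDAP_MATCHING_RULE_IN_CHAIN test."""
    return group_dn in transitive_groups_of(user_dn, directory)


def with_cycle(directory: Directory) -> Directory:
    """Constructed variant where mymachine is also a member of g-mygroup,
    used to show that the walks still terminate on cyclic data."""
    cyclic = deepcopy(directory)
    cyclic[G_MYGROUP]["member"].append(MYMACHINE)
    cyclic[MYMACHINE].setdefault("memberOf", []).append(G_MYGROUP)
    return cyclic


if __name__ == "__main__":
    print("groups of mylogin:", sorted(transitive_groups_of(MYLOGIN, DIRECTORY)))
    print("members of mymachine:", sorted(expand_group(MYMACHINE, DIRECTORY)))
    print("mylogin in mymachine:", is_transitive_member(MYLOGIN, MYMACHINE, DIRECTORY))
    print("cyclic data still terminates:",
          sorted(expand_group(MYMACHINE, with_cycle(DIRECTORY))))
```

Each level of nesting costs one round trip per unvisited DN, which is the practical reason people want the matching rule on the server; when replacing the dictionary with real searches, keep the visited set and the depth bound, since a group that lists one of its own ancestors is a configuration mistake the directory will happily store.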