https://bugs.openldap.org/show_bug.cgi?id=9779
Issue ID: 9779
Summary: dynlist Negation filter on memberOf attribute doesn't work
Product: OpenLDAP
Version: 2.5.5
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: mail@andrejro.de
Target Milestone: ---
Setup is according to documentation of slapo-dynlist to replace the old memberOf overlay, which I only want to use for mapping static groupOfNames back on memberOf= attributes of members.
dynlist-attrset groupOfNames labeledURI member+memberOf@groupOfNames
If I now have:
dn: cn=test,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: test
member: uid=test,ou=People,dc=example,dc=com

dn: uid=test,ou=People,dc=example,dc=com
objectClass: account
objectClass: top
cn: Test User
uid: test

dn: uid=test2,ou=People,dc=example,dc=com
objectClass: account
objectClass: top
cn: Test2 User
uid: test2
I expect for a search filter '(memberOf=cn=test,ou=Group,dc=example,dc=com)' to return dn: "uid=test,ou=People,dc=example,dc=com" and for a search filter '(!(memberOf=cn=test,ou=Group,dc=eample,dc=com)' to return dn: "uid=test2,ou=People,dc=example,dc=com"
First operation with a positive search filter works, but I cannot get the second case to work, even when requesting the memberOf attribute explicitly as return attribute.
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- I suggest testing with the patch in ITS#9747
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed |Added
----------------------------------------------------------------------------
See Also |        |https://bugs.openldap.org/show_bug.cgi?id=9747
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed           |Added
----------------------------------------------------------------------------
Target Milestone |---               |2.5.10
Keywords         |needs_review      |
Assignee         |bugs@openldap.org |hyc@openldap.org
--- Comment #2 from mail@andrejro.de --- I just tested with the patch in ITS#9747. Weirdly enough negation only works on Groups with only one static member. Other matches in conjunction with AND and OR work fine. As soon as I add another member the filter (!(memberOf=cn=test,ou=Group,dc=eample,dc=com) returns nothing instead of all users excluding two who are in this group.
--- Comment #3 from Howard Chu hyc@openldap.org --- Have not reproduced the described behavior. Note that your filter '(!(memberOf=cn=test,ou=Group,dc=eample,dc=com)' is invalid as the parentheses are not balanced.
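Added example, not part of the thread and not OpenLDAP code: a small reference evaluator that rejects a filter with unbalanced parentheses and computes the result set the negated memberOf filter should produce for the entries in the report. The search base (ou=People) and all function names are assumptions made for this illustration.

```python
# Added example: reference evaluation of memberOf filters over the report's entries.
# Simplified RFC 4515 subset: (&..) (|..) (!..) (attr=value); no escapes, no wildcards,
# DNs compared case-insensitively as plain strings, only memberOf is modelled.
GROUPS = {"cn=test,ou=Group,dc=example,dc=com": ["uid=test,ou=People,dc=example,dc=com"]}
PEOPLE = ["uid=test,ou=People,dc=example,dc=com",   # assumed search base: ou=People
          "uid=test2,ou=People,dc=example,dc=com"]

def member_of(dn, groups):
    """Reverse-map member values of static groups to the memberOf set of dn."""
    return {g.lower() for g, ms in groups.items() if dn.lower() in [m.lower() for m in ms]}

def parse(f, i=0):
    """Parse one filter component starting at f[i]; return (node, next_index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("bad operand count for '%s'" % op)
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:max(end, i)].partition("=")
        if end < 0 or not sep:
            raise ValueError("malformed item at offset %d" % i)
        node, i = ("=", attr.lower(), value.lower()), end
    if i >= len(f) or f[i] != ")":
        raise ValueError("unbalanced parentheses")
    return node, i + 1

def compile_filter(text):
    """Parse a whole filter string, rejecting anything left over after it."""
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, dn, groups):
    """Evaluate a parsed filter against one entry (two-valued logic only)."""
    if node[0] == "=":
        return node[1] == "memberof" and node[2] in member_of(dn, groups)
    results = [matches(kid, dn, groups) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def search(text, groups=GROUPS, people=PEOPLE):
    """Return the DNs in people that match the filter text."""
    node = compile_filter(text)
    return [dn for dn in people if matches(node, dn, groups)]
```

Running the same filter against a group with a second member value is the case to compare with slapd's output.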
Howard Chu hyc@openldap.org changed:
What       |Removed     |Added
----------------------------------------------------------------------------
Status     |UNCONFIRMED |RESOLVED
Resolution |---         |INVALID
--- Comment #4 from Howard Chu hyc@openldap.org --- User error, typos in filter.
--- Comment #5 from mail@andrejro.de --- Created attachment 875 --> https://bugs.openldap.org/attachment.cgi?id=875&action=edit Dynlist negation test
--- Comment #6 from mail@andrejro.de --- Sorry for the typos in my comments here, as these were to illustrate my problem and I was not at the top of my game already while typing.
I just reproduced in the openldap test harness with a correct search filter, at least it seems correct to me. This search returns an empty set but it should return all members not in this Alumni Assoc Staff group, e.g. "cn=Barbara Jensen" and more objects.
mail@andrejro.de changed:
What                        |Removed |Added
----------------------------------------------------------------------------
Attachment #875 is obsolete |0       |1
--- Comment #7 from mail@andrejro.de --- Created attachment 876 --> https://bugs.openldap.org/attachment.cgi?id=876&action=edit Dynlist negation test
Patch with fixed paths.
Quanah Gibson-Mount quanah@openldap.org changed:
What           |Removed  |Added
----------------------------------------------------------------------------
Resolution     |INVALID  |---
Ever confirmed |0        |1
Status         |RESOLVED |CONFIRMED
--- Comment #8 from Howard Chu hyc@openldap.org --- Thanks, that's clear. fixed here https://git.openldap.org/openldap/openldap/-/merge_requests/478 please test.
Howard Chu hyc@openldap.org changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Status     |CONFIRMED |RESOLVED
Resolution |---       |TEST
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |TEST    |FIXED
--- Comment #9 from Quanah Gibson-Mount quanah@openldap.org --- head:
• e73cdc55 by Howard Chu at 2022-01-18T15:11:28+00:00 ITS#9779 slapo-dynlist: fix static group filter with multiple members
• efb05975 by Howard Chu at 2022-01-18T15:11:28+00:00 ITS#9779 add test for negated filtered memberof
re26:
• 456a41a6 by Howard Chu at 2022-01-18T23:04:59+00:00 ITS#9779 slapo-dynlist: fix static group filter with multiple members
• c66e686c by Howard Chu at 2022-01-18T23:05:04+00:00 ITS#9779 add test for negated filtered memberof
re25:
• af96c468 by Howard Chu at 2022-01-18T23:06:21+00:00 ITS#9779 slapo-dynlist: fix static group filter with multiple members
• 81ca4cca by Howard Chu at 2022-01-18T23:06:25+00:00 ITS#9779 add test for negated filtered memberof
Quanah Gibson-Mount quanah@openldap.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |VERIFIED