Hi Quanah,
Quanah Gibson-Mount wrote:
This is how filters work in LDAP. It sounds to me like things are working correctly. I.e., if I search for "objectClass=joe" objectClass, it will return every entry that has an objectClass value of joe, and all the values for objectClass.
If I search for "(member=uid=user1,ou=users,dc=example,dc=com)", it will return to me every group that has a member attribute matching that value.
I see nothing wrong in the behavior here, just in the understanding of how filters work. Let me know if you have further questions.
To expand on this a little bit more:
LDAP filters are used to limit the number of entries returned. They do not limit attr=value pairs.
Generally, with groups, the most common operation is the ldapcompare operation. It lets you "ask" whether or not a given value is assigned to an attribute in a specific entry.
I.e., I can ask "Is uid=user1,ou=users,dc=example,dc=com a value for the member attribute in the group cn=testgroup,ou=Groups,dc=example,dc=com?" using the ldapcompare operation. It will answer one of three ways: TRUE, FALSE, or UNDEFINED.
Ah, your responses have been most helpful, thank you! The ldapcompare operation might actually satisfy the end-goals I was hoping to achieve by returning the dn or uid explicitly. Cheers!
Respectfully, Ryan
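
The difference between a search filter and a compare, as an added example that is not part of the original thread and is not a real LDAP client: a simplified in-memory model in Python. The directory contents, the `norm` matching helper, and the choice to answer UNDEFINED for a missing entry or attribute are assumptions of this sketch.

```python
# Simplified in-memory model of LDAP search vs. compare semantics.
# The directory below is constructed sample data; no server is contacted.
DIRECTORY = {
    "cn=testgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [
            "uid=user1,ou=users,dc=example,dc=com",
            "uid=user2,ou=users,dc=example,dc=com",
        ],
    },
    "cn=othergroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user3,ou=users,dc=example,dc=com"],
    },
    "uid=user1,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["user1"],
    },
}


def norm(value):
    """Crude stand-in for DN matching rules: ignore case and spaces around commas."""
    return ",".join(part.strip().lower() for part in value.split(","))


def search(attr, value, want):
    """Equality filter (attr=value): selects ENTRIES, then returns
    every value of each requested attribute, not only the matching one."""
    hits = {}
    for dn, entry in DIRECTORY.items():
        if any(norm(v) == norm(value) for v in entry.get(attr, [])):
            hits[dn] = {a: list(entry[a]) for a in want if a in entry}
    return hits


def compare(dn, attr, value):
    """Compare: one entry, one assertion, answered TRUE / FALSE / UNDEFINED."""
    entry = DIRECTORY.get(dn)
    if entry is None or attr not in entry:
        return "UNDEFINED"  # assumption of this model: nothing to test against
    matched = any(norm(v) == norm(value) for v in entry[attr])
    return "TRUE" if matched else "FALSE"
```

Searching on `member` for user1 returns `cn=testgroup` together with both of its `member` values, while `compare` on the same group answers only whether user1 is one of them, so a membership check built on compare never exposes the other members to the caller.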