Hi,
Consider the following simple dynlist config (v2.5.13):
groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames
So for static groups we get a dynamic memberOf for each user that is a
member of some static group, for example:
DN: cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl
...
uniqueMember: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
DN: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
...
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
Now this works fine if we bind with a user and do a search. But if we do
an anonymous search, no memberOf is returned or searchable. For example,
assume the following ACLs at the top:
{0}to * by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
{1}to dn.subtree=ou=People,dc=touk,dc=pl attrs=entry,entryUUID,memberOf,@toukAnonAccess by anonymous =scr by * break
{2}to dn.subtree=ou=Group,dc=touk,dc=pl attrs=entry,@groupOfUniqueNames,@groupOfNames by anonymous =scr by * break
...
and the following search:
ldapsearch -x -H ldaps://ldap.touk.pl -s sub -b 'ou=Touki,ou=People,dc=touk,dc=pl' -o ldif-wrap=no -LLL -v memberOf entryUUID
we get the following results:
ldap_initialize( ldaps://ldap.touk.pl:636/??base )
filter: (objectclass=*)
requesting: memberOf entryUUID
dn: ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2
dn: cn=Jan Gajl,ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2
Why is memberOf omitted with anonymous binds when the search explicitly (or
implicitly via +) requests it and the ACLs grant the required rights? With
explicit binds or EXTERNAL, memberOf is returned (and searchable)
correctly.
Is there something else that is required for memberOf to work with
anonymous binds?
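As an added diagnostic helper (not part of the original post), the script below parses two ldapsearch -LLL outputs, one from an anonymous search and one from a bound search, and reports per entry which requested attributes came back only to the bound search. The sample LDIF is constructed from the DNs above; the dn:: base64 form is what ldapsearch emits for non-ASCII DNs such as cn=Michał Sołtys.

```python
import base64
def parse_ldif(text):
    """Parse ldapsearch -LLL output into {dn: {attr_lower: [values]}}, unfolding
    wrapped lines and decoding 'attr:: <base64>' values, which ldapsearch emits
    for non-ASCII data such as the 'cn=Michał Sołtys' DN above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold a wrapped continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():              # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr.lower(), []).append(value)
    return entries

def missing_when_anonymous(anon_ldif, bound_ldif, attrs):
    """Map each DN to the requested attrs returned when bound but not anonymously."""
    anon, bound = parse_ldif(anon_ldif), parse_ldif(bound_ldif)
    result = {}
    for dn, present in bound.items():
        gone = [a for a in attrs
                if a.lower() in present and a.lower() not in anon.get(dn, {})]
        if gone:
            result[dn] = gone
    return result

# Constructed sample output modelled on the search above (not real captures).
USER_DN = "cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl"
_B64_DN = base64.b64encode(USER_DN.encode("utf-8")).decode("ascii")
ANON_LDIF = f"""dn: ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2

dn:: {_B64_DN}
entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2
"""
BOUND_LDIF = ANON_LDIF + "memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl\n"
```

Feed it the real outputs of the anonymous and the bound ldapsearch (same base, scope and attribute list) to see exactly which entries lose memberOf under anonymous access.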