Hi,
Consider following simple dynlist config (v2.5.13):
groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames
So for static groups we get a dynamic memberOf for each user that is a member of some static group, for example:
DN: cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl ... uniqueMember: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
DN: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl ... memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
Now this works fine if we bind with a user and do a search. But if we do an anonymous search no memberOf is returned or searchable by. For example:
assume following ACLs at the top:
{0}to * by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break {1}to dn.subtree=ou=People,dc=touk,dc=pl attrs=entry,entryUUID,memberOf,@toukAnonAccess by anonymous =scr by * break {2}to dn.subtree=ou=Group,dc=touk,dc=pl attrs=entry,@groupOfUniqueNames,@groupOfNames by anonymous =scr by * break ...
and the following search:
ldapsearch -x -H ldaps://ldap.touk.pl -s sub -b 'ou=Touki,ou=People,dc=touk,dc=pl' -o ldif-wrap=no -LLL -v memberOf entryUUID
we get the following results:
ldap_initialize( ldaps://ldap.touk.pl:636/??base ) filter: (objectclass=*) requesting: memberOf entryUUID dn: ou=Touki,ou=People,dc=touk,dc=pl entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2
dn: cn=Jan Gajl,ou=Touki,ou=People,dc=touk,dc=pl entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2
Why is memberOf omitted with anonymous binds when search explicitly (or implicitly via +) requests it and acls grant required rights ? With explicit binds or EXTERNAL - memberOf is returned (and searchable) correctly.
Is there something else that is required for memberOf to work with anonymous binds ?