--On Monday, July 31, 2023 1:39 PM +0000 Carsten Jäckel carsten.jaeckel@tu-dortmund.de wrote:
Result of ldapsearch -x -W -D "cn=accessUser,dc=accessUsers,dc=example,dc=com" -b "dc=users,dc=example,dc=com" -s sub "(memberOf=cn=group1,dc=groups,dc=example,dc=com)" "entry objectclass uid cn displayName telephoneNumber ou mail memberOf entryDN" doesn't return any results although the group object contains members. We suppose that it has something to do with memberOf becoming some kind of 'virtual' attribute which may be only calculated when explicitly asked for. (Please correct this assumption if it's incorrect.)
My question now is: what is the correct ACL configuration/filter statement to ask for a user's group memberships to achieve our goal in OpenLDAP 2.5?
You cannot filter on a dynamic memberOf attribute in an ACL. So it would require filtering on a non-virtual attribute in the user entries.
--Quanah
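As an added illustration of the answer above (not part of the thread and not an OpenLDAP project example), the following cn=config LDIF shows the shape of an ACL that keys the filter on a real, stored attribute of the user entries rather than on a dynamically generated memberOf. The database DN olcDatabase={1}mdb,cn=config, the use of the inetOrgPerson attribute employeeType, and the value group1-member are assumptions chosen for the example; a deployment would substitute whatever static attribute it actually maintains on member entries.

```ldif
# Added example, not from the thread. Grants the accessUser bind DN read
# access only to user entries that carry a stored (non-virtual) attribute.
# Assumptions: the user database is olcDatabase={1}mdb, user entries are
# inetOrgPerson objects, and each member of group1 is tagged with
# employeeType=group1-member by whatever process maintains the directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="dc=users,dc=example,dc=com"
  filter=(employeeType=group1-member)
  attrs=entry,objectClass,uid,cn,displayName,telephoneNumber,ou,mail
  by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read
  by * none
```

The filter= clause of an access directive is evaluated against the stored entry, which is why a static attribute works here where a dynamically computed memberOf does not. The entry pseudo-attribute is listed in attrs= so that the matching entries themselves are returned by the search, and listing the same attribute in the client's search filter (rather than memberOf) keeps the search and the ACL consistent.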